On Oct 28, 2019, at 9:24 AM, Alexander Bokovoy
<abokovoy(a)redhat.com> wrote:
On Mon, 28 Oct 2019, Kevin Vasko via FreeIPA-users wrote:
>
>
> Mainly looking for input on where to file a bug I think I found in
> p11-kit-trust.so but potentially caused by the FreeIPA client install
> process on Ubuntu.
>
> I have been trying to figure out a way of getting Ubuntu to load the
> system wide certs like CentOS/Fedora does. Alexander helped me
> troubleshoot my issues on CentOS/Fedora and those system work out of
> the box (after I fixed my mistake
> https://www.mail-archive.com/freeipa-users@lists.fedorahosted.org/msg0790...).
> However, on Ubuntu you have to take it a slight step further by using
> the p11-kit-trust.so manually it seems.
>
> I found this link
> https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1647285
> that has a bug report that states you can just symlink the
> p11-kit-trust.so to the /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
> https://superuser.com/a/1312419/411058 and it would "just work".
>
> Unfortunately, I was having trouble figuring out how to get it to work.
> I spent a couple days or so troubleshooting and trying to figure out
> why it wasn’t working. Once I would do the symlink to the
> p11-kit-trust.so, no certificates _at all_ would load in any browser
> (chome/firefox). If I removed the symlink and put the libnssckbi.so
> file the browsers would go back to loading the static system wide certs
> (obviously the certs I included wouldn’t work). Eventually I ran across
> this documentation from p11-kit to find out how to debug p11-kit.
> https://p11-glue.github.io/p11-glue/trust-module.html
>
> I ran
>
> P11_KIT_DEBUG=all firefox
>
> With that log output I finally found something to point me in the
> correct direction. Based on this log it seems like p11-kit is having
> issues parsing the ca-certificates.crt file.
>
> $ P11_KIT_DEBUG=all firefox
> (p11-kit:10001) p11_library_init_impl: initializing library
> (p11-kit:10001) uninit_common: uninitializing library
> (p11-kit:10057) p11_library_init_impl: initializing library
> (p11-kit:10057) uninit_common: uninitializing library
> (p11-kit:10001) p11_library_init_impl: initializing library
> (p11-kit:10001) sys_C_Initialize: in
> (p11-kit:10001) sys_C_Initialize: doing initialization
> (p11-kit:10001) create_tokens_inlock: using paths: /etc/ssl/certs/ca-certificates.crt
> (p11-kit:10001) p11_token_new: token: System Trust: /etc/ssl/certs/ca-certificates.crt
> (p11-kit:10001) sys_C_Initialize: out: 0x0
> (p11-kit:10001) sys_C_GetInfo: in
> (p11-kit:10001) sys_C_GetInfo: out: 0x0
> (p11-kit:10001) sys_C_GetSlotList: in
> (p11-kit:10001) sys_C_GetSlotList: out: 0x0
> (p11-kit:10001) sys_C_GetSlotList: in
> (p11-kit:10001) sys_C_GetSlotList: out: 0x0
> (p11-kit:10001) sys_C_GetSlotInfo: in
> (p11-kit:10001) sys_C_GetSlotInfo: out: 0x0
> (p11-kit:10001) sys_C_GetTokenInfo: in
> (p11-kit:10001) sys_C_GetTokenInfo: out: 0x0
> (p11-kit:10001) sys_C_GetMechanismList: in
> (p11-kit:10001) sys_C_GetMechanismList: out: 0x0
> (p11-kit:10001) sys_C_GetMechanismList: in
> (p11-kit:10001) sys_C_GetMechanismList: out: 0x0
> (p11-kit:10001) sys_C_OpenSession: in
> (p11-kit:10001) sys_C_OpenSession: session: 17
> (p11-kit:10001) sys_C_OpenSession: out: 0x0
> (p11-kit:10001) sys_C_FindObjectsInit: in: 17, (1) [ { CKA_CLASS = CKO_NSS_BUILTIN_ROOT_LIST } ]
> (p11-kit:10001) message: ca-certificates.crt: BEGIN ...: pem block before p11-kit section header
> (p11-kit:10001) loader_load_file: failed to parse: /etc/ssl/certs/ca-certificates.crt
> (p11-kit:10001) sys_C_FindObjectsInit: out: 0x0
> (p11-kit:10001) sys_C_FindObjects: in: 17, 1
> (p11-kit:10001) sys_C_FindObjects: out: 0x11, 1
> (p11-kit:10001) sys_C_FindObjectsFinal: in
> (p11-kit:10001) sys_C_FindObjectsFinal: out: 0x0
>
>
> I looked at the ca-certificates.crt file
>
> Nothing looked abnormal until I saw this…
>
> ----previous part of ca-certificates.crt----
>
>
> # This file was created by IPA. Do not edit.
>
> [p11-kit-object-v1]
> class: certificate
> certificate-type: x-509
> certificate-category: authority
> label: <removed>
> subject: ": <removed>"
> issuer: ": <removed>"
> serial-number: "<removed>"
> x-public-key-info: ": <removed>"
> trusted: true
> ------BEGIN CERTIFICATE------
> …..
> ----rest of ca-certificates.crt ----
>
> Once I removed the section above the "...BEGIN CERTIFICATE..." and after
> the prior "----END CERTIFICATE----", everything started working
> properly. I put it back and things broke again.
>
> So this indicates that p11-kit-trust.so isn’t parsing the
> ca-certificate.crt file due to the information that the FreeIPA client
> install put into the file.
>
> I am using the latest version that comes with Ubuntu 18.04 of
> p11-kit-trust (0.23).
>
> So my question is, should this be a bug report to Ubuntu’s
> implementation of the FreeIPA client install that adds the certificate
> information or should I file a bug report against the p11-kit module to
> have them fix the parsing issue?
>
> Any thoughts/suggestions?
ca-certificates(8) in Debian does not support the p11-kit format. However, the
Debian adaptation of FreeIPA does not override the
insert_ca_certs_into_systemwide_ca_store() method, and thus the default one
is used. It is a bug in FreeIPA, please open an issue for FreeIPA.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
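As an added illustration of the failure Kevin traced and Alexander explains (not code from the thread, FreeIPA or p11-kit), the checker below classifies a trust file the way p11-kit's loader would: a plain PEM bundle is fine, a file that opens with `[p11-kit-object-v1]` sections is fine, but a section header appearing after a PEM block is the "pem block before p11-kit section header" case that makes p11-kit load nothing. A second helper splits such a mixed file back into a plain bundle and a separate p11-kit-format part; the sample file and its certificate bodies are constructed.

```python
import re

# Constructed sample: a plain PEM bundle followed by an IPA-written section.
SAMPLE = """\
-----BEGIN CERTIFICATE-----
MIIBconstructedDistroRootCAbase64
-----END CERTIFICATE-----
# This file was created by IPA. Do not edit.
[p11-kit-object-v1]
class: certificate
label: EXAMPLE.TEST IPA CA
trusted: true
-----BEGIN CERTIFICATE-----
MIICconstructedIpaCAbase64
-----END CERTIFICATE-----
"""

SECTION_RE = re.compile(r"^\[p11-kit-object-v1\]\s*$")
BEGIN_RE = re.compile(r"^-----BEGIN [A-Z ]+-----\s*$")
END_RE = re.compile(r"^-----END [A-Z ]+-----\s*$")

def check_trust_file(text):
    """Return ('pem' | 'p11-kit' | 'broken', details). 'broken' means a
    section header follows a PEM block, which p11-kit refuses to parse."""
    first_pem = first_header = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if first_pem is None and BEGIN_RE.match(line):
            first_pem = lineno
        if first_header is None and SECTION_RE.match(line):
            first_header = lineno
    if first_header is None:
        return "pem", {"first_pem": first_pem}
    if first_pem is not None and first_pem < first_header:
        return "broken", {"first_pem": first_pem, "first_header": first_header}
    return "p11-kit", {"first_header": first_header}

def split_trust_file(text):
    """Separate plain PEM blocks from p11-kit sections so each can be kept in
    a file of its own format. A section owns its header through the next END
    line; comments and blank lines outside sections are dropped."""
    pem, p11, in_section = [], [], False
    for line in text.splitlines():
        if SECTION_RE.match(line):
            in_section = True
        if in_section:
            p11.append(line)
            in_section = not END_RE.match(line)
        elif line.strip() and not line.startswith("#"):
            pem.append(line)
    return "\n".join(pem) + "\n", "\n".join(p11) + "\n"
```

Running `check_trust_file` over /etc/ssl/certs/ca-certificates.crt after an ipa-client-install on Debian/Ubuntu shows whether the bundle is in the mixed state described above.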