On Oct 28, 2019, at 9:24 AM, Alexander Bokovoy <abokovoy(a)redhat.com&gt; wrote: On ma, 28 loka 2019, Kevin Vasko via FreeIPA-users wrote: > > > Mainly looking for input on where to file a bug I think I found in > p11-kit-trust.so but potentially caused by the FreeIPA client install > process on Ubuntu. > > I have been trying to figure out a way of getting Ubuntu to load the > system wide certs like CentOS/Fedora does. Alexander helped me > troubleshoot my issues on CentOS/Fedora and those system work out of > the box (after I fixed my mistake > https://www.mail-archive.com/freeipa-users@lists.fedorahosted.org/msg0790...). > However, on Ubuntu you have to take it a slight step further by using > the p11-kit-trust.so manually it seems. > > I found this link > https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1647285 > that has a bug report that states you can just symlink the > p11-kit-trust.so to the /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so > https://superuser.com/a/1312419/411058and it would “just work”. > > Unfortunately, I was having trouble figuring out how to get it to work. > I spent a couple days or so troubleshooting and trying to figure out > why it wasn’t working. Once I would do the symlink to the > p11-kit-trust.so, no certificates _at all_ would load in any browser > (chome/firefox). If I removed the symlink and put the libnssckbi.so > file the browsers would go back to loading the static system wide certs > (obviously the certs I included wouldn’t work). Eventually I ran across > this documentation from p11-kit to find out how to debug p11-kit. > https://p11-glue.github.io/p11-glue/trust-module.html > > I ran > > P11_KIT_DEBUG=all firefox > > With that log output I finally found something to point me in the > correct direction. Based on this log it seems like p11-kit is having > issues parsing the ca-certificates.crt file. > > $ P11_KIT_DEBUG=all firefox > (p11-kit:10001) p11_library_init_impl: initializing library > (p11-kit:10001) uninit_common: uninitializing library > (p11-kit:10057) p11_library_init_impl: initializing library > (p11-kit:10057) uninit_common: uninitializing library > (p11-kit:10001) p11_library_init_impl: initializing library > (p11-kit:10001) sys_C_Initialize: in > (p11-kit:10001) sys_C_Initialize: doing initialization > (p11-kit:10001) create_tokens_inlock: using paths: /etc/ssl/certs/ca-certificates.crt > (p11-kit:10001) p11_token_new: token: System Trust: /etc/ssl/certs/ca-certificates.crt > (p11-kit:10001) sys_C_Initialize: out: 0x0 > (p11-kit:10001) sys_C_GetInfo: in > (p11-kit:10001) sys_C_GetInfo: out: 0x0 > (p11-kit:10001) sys_C_GetSlotList: in > (p11-kit:10001) sys_C_GetSlotList: out: 0x0 > (p11-kit:10001) sys_C_GetSlotList: in > (p11-kit:10001) sys_C_GetSlotList: out: 0x0 > (p11-kit:10001) sys_C_GetSlotInfo: in > (p11-kit:10001) sys_C_GetSlotInfo: out: 0x0 > (p11-kit:10001) sys_C_GetTokenInfo: in > (p11-kit:10001) sys_C_GetTokenInfo: out: 0x0 > (p11-kit:10001) sys_C_GetMechanismList: in > (p11-kit:10001) sys_C_GetMechanismList: out: 0x0 > (p11-kit:10001) sys_C_GetMechanismList: in > (p11-kit:10001) sys_C_GetMechanismList: out: 0x0 > (p11-kit:10001) sys_C_OpenSession: in > (p11-kit:10001) sys_C_OpenSession: session: 17 > (p11-kit:10001) sys_C_OpenSession: out: 0x0 > (p11-kit:10001) sys_C_FindObjectsInit: in: 17, (1) [ { CKA_CLASS = CKO_NSS_BUILTIN_ROOT_LIST } ] > (p11-kit:10001) message: ca-certificates.crt: BEGIN ...: pem block before p11-kit section header > (p11-kit:10001) loader_load_file: failed to parse: /etc/ssl/certs/ca-certificates.crt > (p11-kit:10001) sys_C_FindObjectsInit: out: 0x0 > (p11-kit:10001) sys_C_FindObjects: in: 17, 1 > (p11-kit:10001) sys_C_FindObjects: out: 0x11, 1 > (p11-kit:10001) sys_C_FindObjectsFinal: in > (p11-kit:10001) sys_C_FindObjectsFinal: out: 0x0 > > > I looked at the ca-certificates.crt file > > Nothing looked abnormal until I saw this… > > ----previous part of ca-certificates.crt---- > > > # This file was created by IPA. Do not edit. > > [p11-kit-object-v1] > class: certificate > certificate-type: x-509 > certificate-category: authority > label: <removed> > subject: ": <removed>" > issuer: ": <removed>" > serial-number: “<removed>" > x-public-key-info: ": <removed>" > trusted: true > ------BEGIN CERTIFICATE------ > ….. > ----rest of ca-certificates.crt ---- > > Once I removed the section above the “…BEGIN CERTIFICATE…” and after > the prior “----END CERTIFICATE----“ everything started working > properly. I put it back and things broke again. > > So this indicates that p11-kit-trust.so isn’t parsing the > ca-certificate.crt file due to the information that the FreeIPA client > install put into the file. > > I am using the latest version that comes with Ubuntu 18.04 of > p11-kit-trust (0.23). > > So my question is, should this be a bug report to Ubuntu’s > implementation of the FreeIPA client install that adds the certificate > information or should I file a bug report against the p11-kit module to > have them fix the parsing issue? > > Any thoughts/suggestions? ca-certificates(8) in Debian does not support p11-kit format. However, Debian adaptation of FreeIPA does not override insert_ca_certs_into_systemwide_ca_store() method and thus a default one is used. It is a bug in FreeIPA, please open an issue for FreeIPA. -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland