Running FreeIPA 4.7.1, on CentOS 8, I configured IPA-server to use smartcard login following https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
I configured a CentOS 8 machine to use smartcard-login. After configuring the IPA-client, running the scripts produced by ipa-advise will show an error:
./config-client-for-smart-card-auth.sh /etc/ipa/ca.crt ~
ERROR: Failed to add module "OpenSC". Probable cause : "Unknown PKCS #11 error.".
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
Logging in with a Yubikey 5 works fine. The error is caused by this line:
echo "" | modutil -dbdir /etc/pki/nssdb -add "OpenSC" -libfile /usr/lib64/opensc-pkcs11.so
Now, what's going on here and can this error really be ignored? Is it worth creating a Bugzilla?
Same error also occurs on a fresh RHEL 8.1 machine.
Winfried
On Wed, Dec 11, 2019 at 12:53:46PM +0100, Winfried de Heiden via FreeIPA-users wrote:
> Running FreeIPA 4.7.1, on CentOS 8, I configured IPA-server to use smartcard login following https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
> I configured a CentOS 8 machine to use smartcard-login. After configuring the IPA-client, running the scripts produced by ipa-advise will show an error:
> ./config-client-for-smart-card-auth.sh /etc/ipa/ca.crt ~
> ERROR: Failed to add module "OpenSC". Probable cause : "Unknown PKCS #11 error.".
> Systemwide CA database updated.
> Systemwide CA database updated.
> The ipa-certupdate command was successful
> Logging in with a Yubikey 5 works fine. The error is caused by this line:
> echo "" | modutil -dbdir /etc/pki/nssdb -add "OpenSC" -libfile /usr/lib64/opensc-pkcs11.so
> Now, what's going on here and can this error really be ignored? Is it worth creating a Bugzilla?
> Same error also occurs on a fresh RHEL 8.1 machine.
Hi,
I think this message can be ignored, the full message is:
# echo "" | modutil -dbdir /etc/pki/nssdb -add "OpenSC" -libfile /usr/lib64/opensc-pkcs11.so
WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation. Type 'q <enter>' to abort, or <enter> to continue:
WARNING: Manually adding a module while p11-kit is enabled could cause duplicate module registration in your security database. It is suggested to configure the module through p11-kit configuration file instead.
Type 'q <enter>' to abort, or <enter> to continue: ERROR: Failed to add module "OpenSC". Probable cause : "Unknown PKCS #11 error.".
So it basically says that the PKCS#11 module should be configured via p11-kit and OpenSC by default is.
/etc/pki/nssdb isn't that important for Smartcard authentication on RHEL8 anymore, it is mainly used by gdm to detect if a Smartcard was inserted or removed.
HTH
bye, Sumit
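
An added example, not part of the thread or of the ipa-advise script: a shell check that classifies where opensc-pkcs11.so is registered, so the p11-kit-only state described in the reply can be told apart from the duplicate registration the modutil warning mentions. The function names and sample outputs are constructed, and it assumes both tools print the library file name at the end of a line.

```shell
#!/bin/bash
# Added example: classify how the OpenSC PKCS#11 module is registered.
# Inputs are the text of `p11-kit list-modules` and of
# `modutil -dbdir /etc/pki/nssdb -list` (layout assumed, see lead-in).

# Succeeds if p11-kit lists a module backed by opensc-pkcs11.so.
in_p11kit() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]/])opensc-pkcs11\.so[[:space:]]*$'
}

# Succeeds if the NSS database has opensc-pkcs11.so added directly.
in_nssdb() {
    printf '%s\n' "$1" | grep -Eq 'library name:.*opensc-pkcs11\.so'
}

# $1 = p11-kit output, $2 = modutil output. Prints one of:
#   p11-kit-only  module comes from p11-kit configuration (state in the reply)
#   duplicate     also added to the NSS db by hand (what modutil warns about)
#   nssdb-only    only the manual NSS registration exists
#   missing       neither source knows the module
classify() {
    if in_p11kit "$1"; then
        if in_nssdb "$2"; then echo duplicate; else echo p11-kit-only; fi
    elif in_nssdb "$2"; then
        echo nssdb-only
    else
        echo missing
    fi
}

# Constructed sample outputs so the script runs offline.
SAMPLE_P11KIT='p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
opensc: opensc-pkcs11.so
    library-description: OpenSC smartcard framework'
SAMPLE_NSS='Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
	status: loaded'

if [ "${1:-}" = "--live" ]; then
    # Query the real system instead of the samples.
    classify "$(p11-kit list-modules 2>/dev/null)" \
             "$(modutil -dbdir /etc/pki/nssdb -list 2>/dev/null)"
else
    classify "$SAMPLE_P11KIT" "$SAMPLE_NSS"
fi
```
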