pam_pkcs11 - Peer's certificate issuer has been marked as not trusted by the user

Whenever I try to use PAM with a smart card via pam_pkcs11.so I get the following error:



DEBUG:cert_vfy.c:38: Couldn't verify Cert: Peer's certificate issuer has been marked as not trusted by the user


I'm not sure why I'm getting this error, since I've extracted the CA's public cert from the keycard and placed it as a (verified-format) .pem file under /etc/pam_pkcs11/cacerts/, the full path being /etc/pam_pkcs11/cacerts/X_CA_Class_B_03.pem.



I've also created the symlink needed in this folder, first manually and lately via the tool pkcs11_make_hash_link, which produces an X5f12asd.0 symlink to my X_CA_Class_B_03.pem file.



All this appears fine, so now to the configuration.



/etc/pam_pkcs11/pam_pkcs11.conf



pam_pkcs11 {
  nullok = true;
  debug = true;

  use_first_pass = false;

  use_authtok = false;

  use_pkcs11_module = externalModule;

  pkcs11_module externalModule {
    module = /opt/extlib/libp11.so;
    description = "My SmartCard lib";

    slot = 2;

    ca_dir = /etc/pam_pkcs11/cacerts;
    crl_dir = /etc/pam_pkcs11/crls;

    cert_policy = ca, crl_off;
    crl_policy = none; # Just for the sake of it
  }

  user_mappers = ldap;

  mapper ldap {
    debug = true;
    module = "/usr/lib64/pam_pkcs11/ldap_mapper.so";

    ldaphost = "10.0.0.3";

    ldapport = ;

    URI = "";

    scope = 2;
    binddn = "dn=admin,dc=server,dc=world";
    passwd = "superSecretPasswort_nonotreally";

    base = "dc=server,dc=world";

    attribute = "userCertificate";
    filter = "(&(objectClass=posixAccount)(uid=%s))";

    ssl = off;
  }
}




/etc/pam.d/sudo



auth required pam_pkcs11.so debug


I've set up a user matching the username against the certificate's Subject x5000UniqueID and SerialNumber fields.

I use this in combination with the correct PIN and sudo to test the certificate setup:



su testclient
sudo ls


This generates the following output:



DEBUG:pam_config.c:248: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pam_config.c:203: Invalid CRL policy: crl_off
DEBUG:pkcs11_lib.c:187: Initializing NSS ...
DEBUG:pkcs11_lib.c:197: Initializing NSS ... database=/etc/pam_pkcs11/nssdb
DEBUG:pkcs11_lib.c:215: ... NSS Complete
DEBUG:pam_pkcs11.c:308: username = [testclient]
DEBUG:pam_pkcs11.c:319: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:227: Looking up module in list
DEBUG:pkcs11_lib.c:239: modList = 0x12412e0 next = 0x0
DEBUG:pkcs11_lib.c:231: dllName= <null>
DEBUG:pkcs11_lib.c:277: loading Module explictly, moduleSpec=<library="/opt/extlib/libp11.so" name="SmartCard"> module=/opt/extlib/libp11.so
DEBUG:pkcs11_lib.c:291: load module complete
DEBUG:pam_pkcs11.c:334: initialising pkcs #11 module...
Smart card found.
Welcome Smart Card!
Smart card PIN: ##########
DEBUG:pkcs11_lib.c:760: cert 0: found (Smart Card: aut + enc), "E=testing01@example.com,OID.1.3.3.11=#14981257125874433,serialNumber=testclient,CN=Company AB testclient /testclient,givenName=Company AB,SN=testclient,O=Corp,C=COM"
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
DEBUG:ldap_mapper.c:1164: test ssltls = off
DEBUG:ldap_mapper.c:1166: LDAP mapper started.
DEBUG:ldap_mapper.c:1167: debug = 1
DEBUG:ldap_mapper.c:1168: ignorecase = 0
DEBUG:ldap_mapper.c:1169: ldaphost = 10.0.0.3
DEBUG:ldap_mapper.c:1170: ldapport = 0
DEBUG:ldap_mapper.c:1171: ldapURI =
DEBUG:ldap_mapper.c:1172: scope = 2
DEBUG:ldap_mapper.c:1173: binddn = dn=admin,dc=server,dc=world
DEBUG:ldap_mapper.c:1174: passwd = superSecretPasswort_nonotreally
DEBUG:ldap_mapper.c:1175: base = dc=server,dc=world
DEBUG:ldap_mapper.c:1176: attribute = userCertificate
DEBUG:ldap_mapper.c:1177: uid_attribute = (null)
DEBUG:ldap_mapper.c:1181: filter = (&(objectClass=posixAccount)(uid=%s))
DEBUG:ldap_mapper.c:1182: searchtimeout = 20
DEBUG:ldap_mapper.c:1183: ssl_on = 0
DEBUG:ldap_mapper.c:1185: tls_randfile =
DEBUG:ldap_mapper.c:1186: tls_cacertfile=
DEBUG:ldap_mapper.c:1187: tls_cacertdir =
DEBUG:ldap_mapper.c:1188: tls_checkpeer = -1
DEBUG:ldap_mapper.c:1189: tls_ciphers =
DEBUG:ldap_mapper.c:1190: tls_cert =
DEBUG:ldap_mapper.c:1191: tls_key =
DEBUG:mapper_mgr.c:196: Inserting mapper [ldap] into list
DEBUG:pam_pkcs11.c:551: verifying the certificate #1
verifying certificate
DEBUG:cert_vfy.c:34: Verifying Cert: Smart Card: aut + enc (E=testing01@example.com,OID.1.3.3.11=#14981257125874433,serialNumber=testclient,CN=Company AB testclient /testclient,givenName=Company AB,SN=testclient,O=Corp,C=COM)
DEBUG:cert_vfy.c:38: Couldn't verify Cert: Peer's certificate issuer has been marked as not trusted by the user.
ERROR:pam_pkcs11.c:585: verify_certificate() failed:
ERROR:pam_pkcs11.c:646: no valid certificate which meets all requirements found
Error 2336: No matching certificate found
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
DEBUG:mapper_mgr.c:145: unloading module ldap


Now, this is a lot of information; what it boils down to is basically this (from my understanding):



DEBUG:cert_vfy.c:38: Couldn't verify Cert: Peer's certificate issuer has been marked as not trusted by the user.


Shouldn't this be solved by exporting the CA from the SmartCard, placing it in /etc/pam_pkcs11/cacerts/ and creating the correct symlink?



(On a small note, it does actually connect to my LDAP and pre-ask it some stuff. Does this have anything to do with it? Does pam_pkcs11 check the CA in LDAP, or?)



Where am I going wrong with this?










      linux pam openldap smartcard






      asked Jan 13 '16 at 15:13









      Torxed

          1 Answer
You need to add the certificate via certutil to the database, located in your case at /etc/pam_pkcs11/nssdb, as well as making the hashes at /etc/pam_pkcs11/cacerts:



certutil -A -n nick_of_my_CA -t "TC,C,T" -d /etc/pam_pkcs11/nssdb -i my_ca.crt







          answered Sep 24 '17 at 17:36









          week
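A script that carries out the fix the answer describes and adds the checks worth running afterwards; this is an added example, not code from the question or the answer. It assumes the paths and CA file name from the question, an NSS nickname X_CA_Class_B_03, that pkcs11_make_hash_link accepts the directory as its argument, and the cert_policy token list documented in pam_pkcs11's example configuration.

```shell
#!/bin/sh
# Added example (not code from the question or the answer). It performs the
# fix the answer describes, registering the CA in the NSS database that
# pam_pkcs11 verifies against in addition to the hash link in ca_dir, and
# adds the checks worth running afterwards. Paths come from the question;
# the NSS nickname is an assumption.

CA_PEM=${CA_PEM:-/etc/pam_pkcs11/cacerts/X_CA_Class_B_03.pem}
CA_DIR=${CA_DIR:-/etc/pam_pkcs11/cacerts}
NSSDB=${NSSDB:-/etc/pam_pkcs11/nssdb}
NICK=${NICK:-X_CA_Class_B_03}   # assumed nickname for the CA inside NSS

# Tokens pam_pkcs11.conf.example documents for cert_policy. The question's
# "crl_off" is not one of them, which is what the log line
# "Invalid CRL policy: crl_off" reports; crl_offline is the intended token.
VALID_POLICY_TOKENS="none ca signature crl_auto crl_online crl_offline ocsp_on"

# valid_cert_policy "ca, crl_off" -> 1 ; valid_cert_policy "ca, crl_offline" -> 0
valid_cert_policy() {
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        case " $VALID_POLICY_TOKENS " in
            *" $tok "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# certutil -L lists one "Nickname   SSL,S/MIME,JAR/XPI" trust triple per
# certificate, e.g. "X_CA_Class_B_03   CT,C,C". The answer's -t "TC,C,T"
# puts C (trusted CA) in the SSL column; this parser checks that it is there.
# Nicknames containing spaces are not handled.
# usage: ca_trusted_in_listing NICK < listing
ca_trusted_in_listing() {
    awk -v nick="$1" '
        NF >= 2 && $1 == nick {          # nickname is the first field
            split($NF, t, ",")           # last field: SSL,S/MIME,JAR flags
            if (index(t[1], "C") > 0) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# The link pkcs11_make_hash_link creates is <subject_hash>.0 -> CA.pem
# (X5f12asd.0 -> X_CA_Class_B_03.pem in the question). Check that it exists
# and points at the expected PEM, by absolute path or bare file name.
# usage: hash_link_ok CA_DIR LINK_NAME CA_PEM
hash_link_ok() {
    [ -L "$1/$2" ] || return 1
    target=$(readlink "$1/$2") || return 1
    [ "$target" = "$3" ] || [ "$target" = "${3##*/}" ]
}

# Register the CA both ways pam_pkcs11 looks for it. certutil ships with
# the NSS tools package; pkcs11_make_hash_link is assumed to accept the
# directory as its argument. Run as root on the host being fixed.
install_ca() {
    mkdir -p "$CA_DIR" "$NSSDB"
    if [ ! -f "$NSSDB/cert9.db" ] && [ ! -f "$NSSDB/cert8.db" ]; then
        certutil -N -d "$NSSDB" --empty-password   # create an empty NSS db
    fi
    certutil -A -n "$NICK" -t "TC,C,T" -d "$NSSDB" -i "$CA_PEM"
    pkcs11_make_hash_link "$CA_DIR"
    # Fail loudly if the CA did not end up trusted; the pam_pkcs11 error
    # "issuer has been marked as not trusted" is exactly this condition.
    certutil -L -d "$NSSDB" | ca_trusted_in_listing "$NICK" \
        || { echo "CA '$NICK' is not a trusted CA in $NSSDB" >&2; return 1; }
}

# Stand-alone: report on the question's cert_policy value; install only
# when asked to, so the script is safe to run for the check alone.
if valid_cert_policy "ca, crl_off"; then
    echo "cert_policy accepted"
else
    echo "cert_policy has a token pam_pkcs11 rejects; use crl_offline"
fi
if [ "${1:-}" = install ]; then
    install_ca
fi
```

Run without arguments it only validates the policy string; with `install` it performs the import and verifies the resulting trust flags.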

          • I know it's a year after, but I came across this issue today :)
            – week
            Sep 24 '17 at 17:40










          • Never thought this would be answered, I'll verify as soon as possible and mark this as solved! :) Awesome job answering this in case anyone else comes along!
            – Torxed
            Sep 24 '17 at 19:01















