pam_pkcs11 - Peer's certificate issuer has been marked as not trusted by the user
Whenever I try to use PAM with a smart card via `pam_pkcs11.so` I get the following error:

```
DEBUG:cert_vfy.c:38: Couldn't verify Cert: Peer's certificate issuer has been marked as not trusted by the user
```

I'm not sure why I'm getting this error, since I've extracted the CA's public cert from the keycard and placed it as a (verified format) `.pem` file under `/etc/pam_pkcs11/cacerts/`, the full path being `/etc/pam_pkcs11/cacerts/X_CA_Class_B_03.pem`.

I've also created the symlink needed in this folder, both manually and lately via the tool `pkcs11_make_hash_link`, which produces a `X5f12asd.0` symlink to my `X_CA_Class_B_03.pem` file.

All this appears fine, so now to the configuration.

`/etc/pam_pkcs11/pam_pkcs11.conf`:

```
pam_pkcs11 {
  nullok = true;
  debug = true;
  use_first_pass = false;
  use_authtok = false;
  use_pkcs11_module = externalModule;

  pkcs11_module externalModule {
    module = /opt/extlib/libp11.so;
    description = "My SmartCard lib";
    slot = 2;
    ca_dir = /etc/pam_pkcs11/cacerts;
    crl_dir = /etc/pam_pkcs11/crls;
    cert_policy = ca, crl_off;
    crl_policy = none; # Just for the sake of it
  }

  user_mappers = ldap;

  mapper ldap {
    debug = true;
    module = "/usr/lib64/pam_pkcs11/ldap_mapper.so";
    ldaphost = "10.0.0.3";
    ldapport = ;
    URI = "";
    scope = 2;
    binddn = "dn=admin,dc=server,dc=world";
    passwd = "superSecretPasswort_nonotreally";
    base = "dc=server,dc=world";
    attribute = "userCertificate";
    filter = "(&(objectClass=posixAccount)(uid=%s))";
    ssl = off;
  }
}
```

`/etc/pam.d/sudo`:

```
auth required pam_pkcs11.so debug
```

I've set up a user matching the username against the certificate's Subject `x5000UniqueID` and `SerialNumber` fields.

I use this in combination with the correct PIN and sudo to test the certificate setup:

```
su testclient
sudo ls
```

This generates the following output:

```
DEBUG:pam_config.c:248: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pam_config.c:203: Invalid CRL policy: crl_off
DEBUG:pkcs11_lib.c:187: Initializing NSS ...
DEBUG:pkcs11_lib.c:197: Initializing NSS ... database=/etc/pam_pkcs11/nssdb
DEBUG:pkcs11_lib.c:215: ... NSS Complete
DEBUG:pam_pkcs11.c:308: username = [testclient]
DEBUG:pam_pkcs11.c:319: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:227: Looking up module in list
DEBUG:pkcs11_lib.c:239: modList = 0x12412e0 next = 0x0
DEBUG:pkcs11_lib.c:231: dllName= <null>
DEBUG:pkcs11_lib.c:277: loading Module explictly, moduleSpec=<library="/opt/extlib/libp11.so" name="SmartCard"> module=/opt/extlib/libp11.so
DEBUG:pkcs11_lib.c:291: load module complete
DEBUG:pam_pkcs11.c:334: initialising pkcs #11 module...
Smart card found.
Welcome Smart Card!
Smart card PIN: ##########
DEBUG:pkcs11_lib.c:760: cert 0: found (Smart Card: aut + enc), "E=testing01@example.com,OID.1.3.3.11=#14981257125874433,serialNumber=testclient,CN=Company AB testclient /testclient,givenName=Company AB,SN=testclient,O=Corp,C=COM"
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
DEBUG:ldap_mapper.c:1164: test ssltls = off
DEBUG:ldap_mapper.c:1166: LDAP mapper started.
DEBUG:ldap_mapper.c:1167: debug = 1
DEBUG:ldap_mapper.c:1168: ignorecase = 0
DEBUG:ldap_mapper.c:1169: ldaphost = 10.0.0.3
DEBUG:ldap_mapper.c:1170: ldapport = 0
DEBUG:ldap_mapper.c:1171: ldapURI =
DEBUG:ldap_mapper.c:1172: scope = 2
DEBUG:ldap_mapper.c:1173: binddn = dn=admin,dc=server,dc=world
DEBUG:ldap_mapper.c:1174: passwd = superSecretPasswort_nonotreally
DEBUG:ldap_mapper.c:1175: base = dc=server,dc=world
DEBUG:ldap_mapper.c:1176: attribute = userCertificate
DEBUG:ldap_mapper.c:1177: uid_attribute = (null)
DEBUG:ldap_mapper.c:1181: filter = (&(objectClass=posixAccount)(uid=%s))
DEBUG:ldap_mapper.c:1182: searchtimeout = 20
DEBUG:ldap_mapper.c:1183: ssl_on = 0
DEBUG:ldap_mapper.c:1185: tls_randfile =
DEBUG:ldap_mapper.c:1186: tls_cacertfile=
DEBUG:ldap_mapper.c:1187: tls_cacertdir =
DEBUG:ldap_mapper.c:1188: tls_checkpeer = -1
DEBUG:ldap_mapper.c:1189: tls_ciphers =
DEBUG:ldap_mapper.c:1190: tls_cert =
DEBUG:ldap_mapper.c:1191: tls_key =
DEBUG:mapper_mgr.c:196: Inserting mapper [ldap] into list
DEBUG:pam_pkcs11.c:551: verifying the certificate #1
verifying certificate
DEBUG:cert_vfy.c:34: Verifying Cert: Smart Card: aut + enc (E=testing01@example.com,OID.1.3.3.11=#14981257125874433,serialNumber=testclient,CN=Company AB testclient /testclient,givenName=Company AB,SN=testclient,O=Corp,C=COM)
DEBUG:cert_vfy.c:38: Couldn't verify Cert: Peer's certificate issuer has been marked as not trusted by the user.
ERROR:pam_pkcs11.c:585: verify_certificate() failed:
ERROR:pam_pkcs11.c:646: no valid certificate which meets all requirements found
Error 2336: No matching certificate found
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
DEBUG:mapper_mgr.c:145: unloading module ldap
```

Now this is a lot of information; what it boils down to is basically this (from my understanding):

```
DEBUG:cert_vfy.c:38: Couldn't verify Cert: Peer's certificate issuer has been marked as not trusted by the user.
```

Shouldn't this be solved by exporting the CA from the SmartCard, placing it in `/etc/pam_pkcs11/cacerts/` and creating the correct symlink?

(On a small note, it does actually connect to my LDAP and pre-ask it some stuff. Does this have anything to do with it? Does pam_pkcs11 check the CA in LDAP or?)

Where am I going wrong with this?
linux pam openldap smartcard
asked Jan 13 '16 at 15:13
Torxed
1 Answer
You need to add the certificate via `certutil` to the database, located in your case at `/etc/pam_pkcs11/nssdb`, as well as making the hashes at `/etc/pam_pkcs11/cacerts`:

```
certutil -A -n nick_of_my_CA -t "TC,C,T" -d /etc/pam_pkcs11/nssdb -i my_ca.crt
```
I know it's a year after, but I came across this issue today :)
– week
Sep 24 '17 at 17:40
Never thought this would be answered, I'll verify as soon as possible and mark this as solved! :) Awesome job answering this in case anyone else comes along!
– Torxed
Sep 24 '17 at 19:01
answered Sep 24 '17 at 17:36
week
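An added check to go with the answer above (my own example, not code from the answer or from pam_pkcs11): the debug log shows pam_pkcs11 initialising NSS with `/etc/pam_pkcs11/nssdb`, so after the `certutil -A` import the thing to confirm is that the CA's nickname appears in `certutil -L -d /etc/pam_pkcs11/nssdb` with the `T` flag (trusted CA to issue client certs) in the SSL column, which is what the `"TC,C,T"` trust string supplies. The script parses that listing; the nickname `X_CA_Class_B_03`, the second "Old Untrusted CA" entry and the listing text are constructed sample data.

```python
"""Confirm that a CA is trusted in the NSS database pam_pkcs11 reads.

Parses `certutil -L` output and checks that the SSL trust column of the
CA's nickname carries T (trusted CA to issue client certs), the flag a
smart-card login certificate has to chain up to.
"""
import re
import shutil
import subprocess

# One listing row: nickname (may contain spaces), then SSL,S/MIME,JAR/XPI flags.
TRUST_ROW = re.compile(
    r"^(?P<nick>.+?)\s+(?P<ssl>[pPcCTuw]*),(?P<email>[pPcCTuw]*),(?P<obj>[pPcCTuw]*)\s*$"
)

# Flag letters as documented in certutil's own -t help text.
FLAG_MEANING = {
    "p": "valid peer",
    "P": "trusted peer",
    "c": "valid CA",
    "C": "trusted CA to issue server certs",
    "T": "trusted CA to issue client certs",
    "u": "user cert",
    "w": "send warning",
}


def parse_certutil_listing(text):
    """Map nickname -> (ssl, email, objsign) trust strings from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("Certificate Nickname", "SSL,S/MIME")):
            continue  # header lines and the blank separator
        m = TRUST_ROW.match(line.rstrip())
        if m:
            certs[m.group("nick")] = (m.group("ssl"), m.group("email"), m.group("obj"))
    return certs


def client_auth_trusted(certs, nickname):
    """True when NICKNAME is present and its SSL column has T (trusted client CA)."""
    flags = certs.get(nickname)
    return flags is not None and "T" in flags[0]


def describe_flags(flags):
    """Expand a flag string such as 'CT' into its documented meanings."""
    return [FLAG_MEANING[f] for f in flags]


def import_command(db_dir, nickname, pem_path):
    """The certutil -A invocation from the answer, as an argv list."""
    return ["certutil", "-A", "-n", nickname, "-t", "TC,C,T", "-d", db_dir, "-i", pem_path]


def check_nssdb(db_dir, nickname):
    """Run certutil -L against a real database and apply the trust check."""
    if shutil.which("certutil") is None:
        raise RuntimeError("certutil (nss-tools / libnss3-tools) is not installed")
    out = subprocess.run(["certutil", "-L", "-d", db_dir],
                         check=True, capture_output=True, text=True).stdout
    return client_auth_trusted(parse_certutil_listing(out), nickname)


# Constructed sample of `certutil -L` output: the question's CA imported with
# "TC,C,T" (certutil prints flag letters in a fixed order, so TC shows as CT)
# next to a CA that is merely valid, not trusted.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

X_CA_Class_B_03                                              CT,C,T
Old Untrusted CA                                             c,,
"""

if __name__ == "__main__":
    certs = parse_certutil_listing(SAMPLE_LISTING)
    for nick, (ssl, _, _) in certs.items():
        state = "OK" if client_auth_trusted(certs, nick) else "NOT trusted for client auth"
        print(f"{nick}: {ssl} ({', '.join(describe_flags(ssl)) or 'no flags'}) -> {state}")
    print("Import with:", " ".join(import_command(
        "/etc/pam_pkcs11/nssdb", "X_CA_Class_B_03",
        "/etc/pam_pkcs11/cacerts/X_CA_Class_B_03.pem")))
```

On a real host, `check_nssdb("/etc/pam_pkcs11/nssdb", "X_CA_Class_B_03")` runs the same check against the live database.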