FreeIPA fails with "A PKCS #11 module returned CKR_DEVICE_ERROR" when ipalib is initialized in the parent process and later used in a child process. The error is raised by python-nss, but libcurl and libldap can also trigger the error on Fedora. Custodia is affected by the problem; forking WSGI servers and other forking services can also trigger the issue.
https://github.com/latchset/custodia.ipa/issues/2
https://github.com/avocado-framework/avocado/issues/1112
See NSS_STRICT_NOFORK: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_environment_variables
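The failure mode reported above, and a per-process initialization guard that avoids it, as an added example that is not code from FreeIPA, Custodia or python-nss. `FakeToken`, `PerProcess` and `run_in_child` are hypothetical names, and `FakeToken` is a constructed stand-in that only models a module refusing calls from a process other than the one that initialized it.

```python
import os


class TokenError(RuntimeError):
    """Raised by the stand-in module when it is used across a fork."""


class FakeToken:
    # Constructed stand-in (assumption): remembers the PID that initialized it
    # and rejects use from any other process, like the error in this ticket.
    def __init__(self):
        self._owner_pid = os.getpid()

    def use(self):
        if os.getpid() != self._owner_pid:
            raise TokenError("A PKCS #11 module returned CKR_DEVICE_ERROR")
        return "ok"


class PerProcess:
    """Build the wrapped object lazily, once per process.

    A forked child inherits the parent's cached object; the PID check makes
    the child discard it and initialize its own instance on first use.
    """

    def __init__(self, factory):
        self._factory = factory
        self._pid = None
        self._obj = None

    def get(self):
        if self._pid != os.getpid():
            self._obj = self._factory()
            self._pid = os.getpid()
        return self._obj


def run_in_child(fn):
    """Fork, call fn() in the child; return 0 on success, 2 on TokenError."""
    pid = os.fork()
    if pid == 0:
        code = 1
        try:
            fn()
            code = 0
        except TokenError:
            code = 2
        finally:
            os._exit(code)  # never return into the parent's code path
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status)
```
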
Metadata Update from @cheimes: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5
Metadata Update from @pvoborni: - Issue close_status updated to: None - Issue priority set to: 3 (was: 2) - Issue set to the milestone: FreeIPA 4.7 (was: FreeIPA 4.5)
Since IPA no longer uses python-nss, this became a very low priority.
Metadata Update from @cheimes: - Assignee reset - Issue priority set to: minor (was: normal)
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
I'm closing my feature request as wontfix. IPA no longer uses NSS for TLS/SSL. The development of custodia IPA plugins has been put on hold, too. I don't have any use case for a forking API at the moment.
Metadata Update from @cheimes: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)