#7810 [F28] Require NSS with fix for p11-kit issue.
Closed: fixed 3 years ago. Opened 3 years ago by cheimes.


On Fedora 28, NSS 3.40 and 3.41 enable the p11-kit proxy. The PKCS#11 proxy loads all PKCS#11 providers, including the default SoftHSM2 token. F28's OpenLDAP is patched to use Mozilla NSS. Because the SoftHSM2 token is protected, the OpenLDAP function tlsmc_extract_cacerts() blocks because it is waiting for a PIN.

Workaround for Travis CI: Delete the p11-kit policy and regenerate crypto policy:

rm -f /etc/crypto-policies/local.d/nss-p11-kit.config && update-crypto-policies

OpenLDAP debug output:

TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/dirsrv/slapd-IPA-TEST'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/dirsrv/slapd-IPA-TEST'.
tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/dirsrv/slapd-IPA-TEST` prefix ``.
tlsmc_open_nssdb: INFO: initialized MozNSS context.
tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-slapd-IPA-TEST--CFD75CD2496FD947611EE486C199DB7DE06AF86D5CD28715BAD24414827D1987'.
tlsmc_convert: WARN: will try to create PEM dir.
tlsmc_prepare_dir: INFO: preparing PEM directory `/tmp/openldap-tlsmc-slapd-IPA-TEST--CFD75CD2496FD947611EE486C199DB7DE06AF86D5CD28715BAD24414827D1987'.
tlsmc_prepare_dir: INFO: creating a subdirectory `cacerts'.
tlsmc_prepare_dir: INFO: successfully created PEM directory structure.
   ***NSS 3.40 BLOCKS HERE***
tlsmc_extract_cacerts: INFO: found cert nick=`Server-Cert', _not_ a trusted CA, skipping.
tlsmc_extract_cacerts: INFO: found cert nick=`Self-Signed-CA', a trusted CA.

Steps to Reproduce

See Travis CI

Actual behavior

Test installations on Travis CI block

Expected behavior

No errors



Additional info:

Daiki is working on nss-3.41.0-2.fc28, https://koji.fedoraproject.org/koji/taskinfo?taskID=31441102 . Once the build is available, we can drop the workaround and require the latest build of NSS instead.
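The root cause above is p11-kit-proxy pulling every configured PKCS#11 module, SoftHSM2 included, into NSS-backed OpenLDAP. As an added diagnostic (not FreeIPA's code and not the fix in the linked PR), the shell function below reads p11-kit *.module files and reports whether p11-kit-proxy would load a given module; it assumes the "module:", "enable-in:" and "disable-in:" keys from p11-kit's pkcs11.conf documentation and the program name "p11-kit-proxy" for the proxy, and runs on constructed sample files.

```shell
#!/bin/sh
# Added diagnostic, not FreeIPA's code. Reads a p11-kit module config
# (the *.module files p11-kit takes from /usr/share/p11-kit/modules and
# /etc/pkcs11/modules) and says whether p11-kit-proxy would load it.
# Keys used, per p11-kit's pkcs11.conf(5): "module:", "enable-in:",
# "disable-in:" (comma- or space-separated program names).

# p11_proxy_verdict <dir> <name>  -> prints loaded | disabled | absent
p11_proxy_verdict() {
    file="$1/$2.module"
    [ -f "$file" ] || { echo "absent"; return 0; }
    enable=$(sed -n 's/^enable-in:[[:space:]]*//p' "$file" | tr ',' ' ')
    disable=$(sed -n 's/^disable-in:[[:space:]]*//p' "$file" | tr ',' ' ')
    # disable-in wins: naming p11-kit-proxy keeps the token out of the proxy
    for prog in $disable; do
        if [ "$prog" = "p11-kit-proxy" ]; then echo "disabled"; return 0; fi
    done
    # an enable-in list is an allow-list: only the named programs load it
    if [ -n "$enable" ]; then
        for prog in $enable; do
            if [ "$prog" = "p11-kit-proxy" ]; then echo "loaded"; return 0; fi
        done
        echo "disabled"; return 0
    fi
    echo "loaded"
}

# Constructed sample files standing in for the real module directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/softhsm2.module" <<'EOF'
# unrestricted: the proxy, and so NSS inside OpenLDAP, loads the PIN-protected token
module: libsofthsm2.so
EOF
cat > "$demo_dir/softhsm2-override.module" <<'EOF'
# override that keeps softhsm2 usable directly but out of the proxy
module: libsofthsm2.so
disable-in: p11-kit-proxy
EOF
cat > "$demo_dir/softhsm2-allowlist.module" <<'EOF'
module: libsofthsm2.so
enable-in: firefox, thunderbird
EOF
for name in softhsm2 softhsm2-override softhsm2-allowlist; do
    printf '%s: %s\n' "$name" "$(p11_proxy_verdict "$demo_dir" "$name")"
done
```

On a real host, point the function at /etc/pkcs11/modules (overrides) and /usr/share/p11-kit/modules (distribution defaults) to see which tokens the proxy, and therefore the NSS-backed OpenLDAP, will touch.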

Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2679
- Issue priority set to: critical

3 years ago


  • a9f34c7 Disable nss-p11-kit crypto policy for tests
  • ee4c0f0 Disable nss-p11-kit crypto policy for tests
  • d710734 Require 3.41.0-3 on Fedora 28
  • 224e2c4 Require 3.41.0-3 on Fedora 28

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago


  • 487ab52 Fix installation when CA subject DN has escapes
  • 74e0908 Globally disable softhsm2 in p11-kit-proxy
  • ae5831b Globally disable softhsm2 in p11-kit-proxy
  • 8f969a5 Restore SELinux context for p11-kit config overrides
  • fd0386f Restore SELinux context for p11-kit config overrides
  • e16099a Restore SELinux context for p11-kit config overrides
