On Fedora 28, NSS 3.40 and 3.41 enable the p11-kit proxy. The PKCS#11 proxy loads all PKCS#11 providers, including the default SoftHSM2 token. F28's OpenLDAP is patched to use Mozilla NSS. Because the SoftHSM2 token is protected, the OpenLDAP function tlsmc_extract_cacerts() blocks while waiting for a PIN.
Workaround for Travis CI: delete the p11-kit policy snippet and regenerate the crypto policy:
rm -f /etc/crypto-policies/local.d/nss-p11-kit.config && update-crypto-policies
OpenLDAP debug output:
ldap_url_parse_ext(ldap://master.ipa.test:389/)
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/dirsrv/slapd-IPA-TEST'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/dirsrv/slapd-IPA-TEST'.
tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/dirsrv/slapd-IPA-TEST` prefix ``.
tlsmc_open_nssdb: INFO: initialized MozNSS context.
tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-slapd-IPA-TEST--CFD75CD2496FD947611EE486C199DB7DE06AF86D5CD28715BAD24414827D1987'.
tlsmc_convert: WARN: will try to create PEM dir.
tlsmc_prepare_dir: INFO: preparing PEM directory `/tmp/openldap-tlsmc-slapd-IPA-TEST--CFD75CD2496FD947611EE486C199DB7DE06AF86D5CD28715BAD24414827D1987'.
tlsmc_prepare_dir: INFO: creating a subdirectory `cacerts'.
tlsmc_prepare_dir: INFO: successfully created PEM directory structure.
***NSS 3.40 BLOCKS HERE***
tlsmc_extract_cacerts: INFO: found cert nick=`Server-Cert', _not_ a trusted CA, skipping.
tlsmc_extract_cacerts: INFO: found cert nick=`Self-Signed-CA', a trusted CA.
See Travis CI
Test installations on Travis CI block
No errors
nss-3.40.1-1.0.fc28.x86_64
Daiki is working on nss-3.41.0-2.fc28, https://koji.fedoraproject.org/koji/taskinfo?taskID=31441102 . Once the build is available, we can drop the workaround and require the latest build of NSS instead.
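The Travis CI workaround from the ticket description, gated on the NSS build that carries the fix, as an added shell example; this is not code from the ticket or from FreeIPA's own CI scripts. The helper names (`ver_lt`, `nss_needs_workaround`, `apply_p11kit_workaround`) are hypothetical; the workaround commands and the fixed build nss-3.41.0-2.fc28 are taken from the ticket. The script only runs the destructive part when invoked with `--apply`; without it, it reports whether the installed NSS still predates the fix.

```shell
#!/bin/sh
# Added example (not from the ticket or FreeIPA's CI): apply the p11-kit
# workaround only while the installed NSS predates the fixed build.
set -eu

# Build that carries the fix, per the ticket: nss-3.41.0-2.fc28.
FIXED_NSS_VERSION="3.41.0"
FIXED_NSS_RELEASE="2"

# ver_lt A B: exit 0 if dotted numeric string A sorts before B, 1 otherwise.
# Missing components count as 0, so "3.41" compares equal to "3.41.0".
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# nss_needs_workaround NVRA: exit 0 when the package string (as printed by
# `rpm -q nss`, e.g. nss-3.40.1-1.0.fc28.x86_64) is older than the fixed build.
nss_needs_workaround() {
    nvra=${1#nss-}          # 3.40.1-1.0.fc28.x86_64
    ver=${nvra%%-*}         # 3.40.1
    rel=${nvra#*-}          # 1.0.fc28.x86_64
    rel=${rel%%.fc*}        # 1.0  (drop dist tag and arch)
    if ver_lt "$ver" "$FIXED_NSS_VERSION"; then return 0; fi
    if ver_lt "$FIXED_NSS_VERSION" "$ver"; then return 1; fi
    # Same upstream version: the release number decides.
    ver_lt "$rel" "$FIXED_NSS_RELEASE"
}

# The workaround from the ticket: drop the local crypto-policy snippet that
# enables the p11-kit proxy for NSS, then regenerate the policy.
apply_p11kit_workaround() {
    rm -f /etc/crypto-policies/local.d/nss-p11-kit.config
    update-crypto-policies
}

main() {
    if ! installed=$(rpm -q nss 2>/dev/null); then
        echo "rpm or the nss package is not available; nothing to do" >&2
        return 0
    fi
    if nss_needs_workaround "$installed"; then
        echo "$installed predates nss-$FIXED_NSS_VERSION-$FIXED_NSS_RELEASE: workaround needed"
        if [ "${1-}" = "--apply" ]; then
            apply_p11kit_workaround
        fi
    else
        echo "$installed already carries the fix; workaround not needed"
    fi
}

main "$@"
```

The release comparison matters here: nss-3.41.0-1.fc28 has the same upstream version as the fixed build but still lacks the fix, so a check on the upstream version alone would drop the workaround too early.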
Metadata Update from @cheimes: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2679 - Issue priority set to: critical
master:
ipa-4-7:
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
ipa-4-8: