Kinit command based on opensc-pkcs11.so failing with error "Failed to verify own certificate (depth 0): unable to get local issuer certificate"
Issue
- Smart card authentication failing due to CA certificate chain issue.
- kinit command based on opensc-pkcs11.so failing with error:
# KRB5_TRACE=/dev/stdout kinit -X X509_user_identity=PKCS11:module_name=/usr/lib64/opensc-pkcs11.so tuser@example.test
[7762] 1720450584.907115: Matching tuser@example.test in collection with result: -1765328243/Can't find client principal tuser@example.test in cache collection
.
.
[7762] 1720450584.907146: PKINIT loading identity PKCS11:module_name=/usr/lib64/opensc-pkcs11.so
[7762] 1720450584.907147: PKINIT opening PKCS#11 module "/usr/lib64/opensc-pkcs11.so"
[7762] 1720450585.407013: PKINIT PKCS#11 slotid 0 token astropw test
[7762] 1720450585.407014: PKINIT opening PKCS#11 module "/usr/lib64/opensc-pkcs11.so"
[7762] 1720450585.407015: PKINIT PKCS#11 slotid 0 token astropw test
  tuser                     PIN: 
[7762] 1720450588.607278: PKINIT loading CA certs and CRLs from FILE /etc/pki/tls/certs/ca-bundle.crt
[7762] 1720450588.607279: PKINIT client computed kdc-req-body checksum 14/5AE198F87173E9D2771C73188D81A074F01F4BD7
[7762] 1720450588.607281: PKINIT client making DH request
[7762] 1720450588.607282: PKINIT OpenSSL error: Failed to verify own certificate (depth 0): unable to get local issuer certificate
[7762] 1720450588.607283: Preauth module pkinit (16) (real) returned: -1765328360/Failed to verify own certificate (depth 0): unable to get local issuer certificate
Password for tuser@example.test: 
[7762] 1720450599.275801: Preauth module encrypted_timestamp (2) (real) returned: -1765328252/Password read interrupted
kinit: Password read interrupted while getting initial credentials
Environment
- Red Hat Enterprise Linux 9
- SSSD
- Smartcard