pam_pkcs11 – Peer’s certificate issuer has been marked as not trusted by the user

By | February 15, 2018

Whenever I try to use PAM with a smart card via pam_pkcs11.so I get the following error:

DEBUG:cert_vfy.c:38: Couldn't verify Cert: Peer's certificate issuer has been marked as not trusted by the user

I’m not sure why I’m getting this error, since I’ve extracted the CA’s public cert from the keycard and placed it as a (verified format) .pem file under /etc/pam_pkcs11/cacerts/. The full path is /etc/pam_pkcs11/cacerts/X_CA_Class_B_03.pem.

I’ve also created the symlink needed in this folder, first manually and lately via the tool pkcs11_make_hash_link, which produces an X5f12asd.0 symlink to my X_CA_Class_B_03.pem file.

All this appears fine, so now to the configuration.

/etc/pam_pkcs11/pam_pkcs11.conf

pam_pkcs11 {
    nullok = true;
    debug = ture;

    use_first_pass = false;

    use_athok = false;

    use_pkcs11_module = externalModule;

    pkcs11_module externalModule {
        module = /opt/extlib/libp11.so;
        description = "My SmartCard lib";

        slot = 2;

        ca_dir = /etc/pam_pkcs11/cacerts;
        crl_dir = /etc/pam_pkcs11/crls;

        cert_policy = ca, crl_off;
        crl_policy = none; # Just for the sake of it
    }

    user_mappers = ldap;

    mapper ldap {
        debug = true;
        module = "/usr/lib64/pam_pkcs11/ldap_mapper.so";

        ldaphost = "10.0.0.3";

        ldapport = ;

        URI = "";

        scope = 2;
        binddn = "dn=admin,dc=server,dc=world";
        passwd = "superSecretPasswort_nonotreally";

        base = "dc=server,dc=world";

        attribute = "userCertificate";
        filter = "(&(objectClass=posixAccount)(uid=%s))"

        ssl = off
    }
}

/etc/pam.d/sudo

auth    required    pam_pkcs11.so debug

I’ve set up a user matching the username against the certificate’s Subject x5000UniqueID and SerialNumber fields.
I use this in combination with the correct PIN and sudo to test the certificate setup:

su testclient
sudo ls

This generates the following output:

DEBUG:pam_config.c:248: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pam_config.c:203: Invalid CRL policy: crl_off 
DEBUG:pkcs11_lib.c:187: Initializing NSS ...
DEBUG:pkcs11_lib.c:197: Initializing NSS ... database=/etc/pam_pkcs11/nssdb
DEBUG:pkcs11_lib.c:215: ... NSS Complete
DEBUG:pam_pkcs11.c:308: username = [testclient]
DEBUG:pam_pkcs11.c:319: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:227: Looking up module in list
DEBUG:pkcs11_lib.c:239: modList = 0x12412e0 next = 0x0
DEBUG:pkcs11_lib.c:231: dllName= 
DEBUG:pkcs11_lib.c:277: loading Module explictly, moduleSpec= module=/opt/extlib/libp11.so
DEBUG:pkcs11_lib.c:291: load module complete
DEBUG:pam_pkcs11.c:334: initialising pkcs #11 module...
Smart card found.
Welcome Smart Card!
Smart card PIN: ##########
DEBUG:pkcs11_lib.c:760: cert 0: found (Smart Card: aut + enc), "E=testing01@example.com,OID.1.3.3.11=#14981257125874433,serialNumber=testclient,CN=Company AB testclient /testclient,givenName=Company AB,SN=testclient,O=Corp,C=COM"
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
DEBUG:ldap_mapper.c:1164: test ssltls = off
DEBUG:ldap_mapper.c:1166: LDAP mapper started.
DEBUG:ldap_mapper.c:1167: debug         = 1
DEBUG:ldap_mapper.c:1168: ignorecase    = 0
DEBUG:ldap_mapper.c:1169: ldaphost      = 10.0.0.3
DEBUG:ldap_mapper.c:1170: ldapport      = 0
DEBUG:ldap_mapper.c:1171: ldapURI       =
DEBUG:ldap_mapper.c:1172: scope         = 2
DEBUG:ldap_mapper.c:1173: binddn        = dn=admin,dc=server,dc=world
DEBUG:ldap_mapper.c:1174: passwd        = superSecretPasswort_nonotreally
DEBUG:ldap_mapper.c:1175: base          = dc=server,dc=world
DEBUG:ldap_mapper.c:1176: attribute     = userCertificate
DEBUG:ldap_mapper.c:1177: uid_attribute = (null)
DEBUG:ldap_mapper.c:1181: filter        = (&(objectClass=posixAccount)(uid=%s))
DEBUG:ldap_mapper.c:1182: searchtimeout = 20
DEBUG:ldap_mapper.c:1183: ssl_on        = 0
DEBUG:ldap_mapper.c:1185: tls_randfile  =
DEBUG:ldap_mapper.c:1186: tls_cacertfile=
DEBUG:ldap_mapper.c:1187: tls_cacertdir =
DEBUG:ldap_mapper.c:1188: tls_checkpeer = -1
DEBUG:ldap_mapper.c:1189: tls_ciphers   =
DEBUG:ldap_mapper.c:1190: tls_cert      =
DEBUG:ldap_mapper.c:1191: tls_key       =
DEBUG:mapper_mgr.c:196: Inserting mapper [ldap] into list
DEBUG:pam_pkcs11.c:551: verifying the certificate #1
verifying certificate
DEBUG:cert_vfy.c:34: Verifying Cert: Smart Card: aut + enc (E=testing01@example.com,OID.1.3.3.11=#14981257125874433,serialNumber=testclient,CN=Company AB testclient /testclient,givenName=Company AB,SN=testclient,O=Corp,C=COM)
DEBUG:cert_vfy.c:38: Couldn't verify Cert: Peer's certificate issuer has been marked as not trusted by the user.
ERROR:pam_pkcs11.c:585: verify_certificate() failed:
ERROR:pam_pkcs11.c:646: no valid certificate which meets all requirements found
Error 2336: No matching certificate found
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
DEBUG:mapper_mgr.c:145: unloading module ldap

Now, this is a lot of information; what it boils down to is basically this (from my understanding):

DEBUG:cert_vfy.c:38: Couldn't verify Cert: Peer's certificate issuer has been marked as not trusted by the user.

Shouldn’t this be solved by exporting the CA from the SmartCard, placing it in /etc/pam_pkcs11/cacerts/ and creating the correct symlink?

(On a small note, it does actually connect to my LDAP and ask it some things beforehand. Does this have anything to do with it? Does pam_pkcs11 check the CA in LDAP, or...?)

Where am I going wrong with this?
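Added example, not from the post or the pam_pkcs11 project: a small linter for pam_pkcs11.conf that catches the two config defects the debug output above actually reports (`debug = ture`, and the `crl_off` token that pam_pkcs11 logs as "Invalid CRL policy"), plus empty values and missing terminators, together with a helper that pulls the NSS database path out of the debug log, because the "issuer has been marked as not trusted" text is NSS's untrusted-issuer error and an NSS-built pam_pkcs11 takes trust from that database rather than from ca_dir. The accepted cert_policy token list is what I know from pam_config.c (an assumption to check against your build), and the sample config and log line are cut-down copies of the ones in the post.

```python
import re
from difflib import get_close_matches

# cert_policy tokens pam_pkcs11's pam_config.c accepts as I know it (assumption:
# check your build); anything else is logged as "Invalid CRL policy: <token>".
CERT_POLICY_TOKENS = sorted({"none", "ca", "signature", "crl_online",
                             "crl_offline", "crl_auto", "ocsp_on"})
BOOL_KEYS = {"nullok", "debug", "use_first_pass"}
BOOL_VALUES = {"true", "false", "yes", "no", "on", "off", "1", "0"}
KV_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")
# Constructed sample: a cut-down copy of the configuration and log in the post.
SAMPLE_CONF = """pam_pkcs11 {
    debug = ture;
    pkcs11_module externalModule {
        cert_policy = ca, crl_off;
        crl_policy = none; # Just for the sake of it
    }
    mapper ldap {
        ldapport = ;
        filter = "(&(objectClass=posixAccount)(uid=%s))"
    }
}"""
SAMPLE_LOG = "DEBUG:pkcs11_lib.c:197: Initializing NSS ... database=/etc/pam_pkcs11/nssdb"
def lint_config(conf_text):
    """Return (line_no, message) findings for a pam_pkcs11.conf text."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        m = KV_RE.match(raw.split("#", 1)[0].rstrip())  # strip comments
        if not m:                                        # block open/close
            continue
        key, value = m.group(1), m.group(2)
        if not value.endswith(";"):  # the post's parser tolerated this; fix it anyway
            findings.append((n, f"{key}: missing ';' terminator"))
        value = value.rstrip(";").strip().strip('"')
        if value == "":
            findings.append((n, f"{key}: empty value"))
        elif key in BOOL_KEYS and value.lower() not in BOOL_VALUES:
            findings.append((n, f"{key}: '{value}' is not a boolean"))
        elif key == "cert_policy":
            for tok in (t.strip() for t in value.split(",")):
                if tok not in CERT_POLICY_TOKENS:
                    near = get_close_matches(tok, CERT_POLICY_TOKENS, n=1)
                    hint = f" (did you mean '{near[0]}'?)" if near else ""
                    findings.append((n, f"cert_policy: invalid token '{tok}'{hint}"))
    return findings
def nss_database(debug_log):
    """NSS DB path an NSS-built pam_pkcs11 logs, or None. That build checks the
    issuer against this DB, not ca_dir: import the CA with certutil -d <path> -A."""
    m = re.search(r"Initializing NSS \.\.\. database=(\S+)", debug_log)
    return m.group(1) if m else None
```

When `nss_database` returns a path, the standard import is `certutil -d <path> -A -n "<nickname>" -t "CT,C,C" -i <ca.pem>`, after which `certutil -d <path> -L` should list the CA with the C trust flag.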