p11-kit: no configured writable location to store anchors

From: Mark G. <fbsd.questions_at_palaceofretention.ca>
Date: Wed, 22 Nov 2023 04:25:29 UTC
Hello,

I came across the error in the subject while working
on a jitsi installation (FreeBSD 13.2).

Since I found no satisfactory resolution online, I thought
I would post my own.  The short version is to create the
/usr/local/etc/pkcs11 folder, the /usr/local/etc/pkcs11/modules
folder and copy two sample config files, respectively:

# mkdir -p /usr/local/etc/pkcs11/modules

# cp /usr/local/share/examples/p11-kit/pkcs11.conf.example \
   /usr/local/etc/pkcs11/pkcs11.conf

# cp /usr/local/share/p11-kit/modules/p11-kit-trust.module \
   /usr/local/etc/pkcs11/modules/

Long story...

p11-kit
=======

p11-kit is a required pkg for using jitsi.
This installs the 'trust' program for managing trust stores.

root@meet:~ # pkg install p11-kit

We created two certificates using prosodyctl. Now we try to add them
to the system's pkcs11 trust store.

root@meet:/ # trust anchor -v --store /var/db/prosody/meet.crt
p11-kit: no configured writable location to store anchors

After much web searching without success, I tried the ktrace command
to see if I could find out what files 'trust' is looking for.
(Don't forget to heed ktrace's warnings about the possible growth
of the ktrace.out file).

root@meet:/ # ktrace trust anchor -v --store /var/db/prosody/meet.crt
p11-kit: no configured writable location to store anchors

Page through the ktrace.out file using kdump.  It may take a
while to get to the problem area.  Look for file missing errors,
while ignoring most library (.so) loading messages.

root@meet:/ # kdump -f ktrace.out | more
...
  28977 trust    NAMI  "/usr/local/etc/pkcs11/pkcs11.conf"
  28977 trust    RET   openat -1 errno 2 No such file or directory
...
  29034 trust    NAMI  "/usr/local/etc/pkcs11/modules"
  29034 trust    RET   open -1 errno 2 No such file or directory

The program is looking for a configuration file at:

  /usr/local/etc/pkcs11/pkcs11.conf

We don't have one, nor do we have a pkcs11 folder in /usr/local/etc.

root@meet:/ # mkdir -p /usr/local/etc/pkcs11

Look for those files / paths:

root@meet:/ # find . -name '*s11*'
...
./usr/local/share/examples/p11-kit/pkcs11.conf.example

Copy the sample to our newly created config directory:

root@meet:/ # cp /usr/local/share/examples/p11-kit/pkcs11.conf.example \
   /usr/local/etc/pkcs11/pkcs11.conf

Here's what it looks like:

root@meet:/ # cat /usr/local/etc/pkcs11/pkcs11.conf
# This is an example /usr/local/etc/pkcs11/pkcs11.conf file. Copy it into
# place before use.

# This setting controls whether to load user configuration from the
# ~/.config/pkcs11 directory. Possible values:
#    none: No user configuration
#    merge: Merge the user config over the system configuration (default)
#    only: Only user configuration, ignore system configuration
user-config: merge

=======

The second problem was the missing /usr/local/etc/pkcs11/modules
directory. Create it:

root@meet:/ # mkdir -p /usr/local/etc/pkcs11/modules

Look for module files:

root@meet:/ # find . -name '*p11*'
...
./usr/local/share/p11-kit/modules/p11-kit-trust.module

That was the only module available, so we copy p11-kit-trust.module
into the modules directory we just created.

root@meet:/ # cp /usr/local/share/p11-kit/modules/p11-kit-trust.module \
   /usr/local/etc/pkcs11/modules/

Try the trust anchor command again.

root@meet:/ # trust anchor -v --store /var/db/prosody/meet.crt

No error. Add the auth.meet.crt as well.

root@meet:/ # trust anchor -v --store /var/db/prosody/auth.meet.crt

I hope this helps others who come across the subject error.

Mark
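The fix above, as an added example that is not part of Mark's post: a small POSIX sh helper that recreates the p11-kit configuration layout the post describes (the pkcs11 directory, its modules subdirectory, and copies of pkcs11.conf.example and p11-kit-trust.module) and a second function that checks whether the layout is complete. The FreeBSD paths in the trailing comment are the ones from the post; the function arguments, the function names and the "never overwrite an existing file" rule are this example's own choices, not p11-kit's behaviour. Leaving an existing pkcs11.conf alone matters because that file decides whether per-user ~/.config/pkcs11 settings are merged into the system configuration.

```sh
#!/bin/sh
# Added example, not code from the original post. Recreates the p11-kit
# configuration layout that 'trust anchor' needs on a FreeBSD host.

# setup_p11kit_config ETC_DIR CONF_EXAMPLE MODULE_FILE
#   ETC_DIR       target directory, e.g. /usr/local/etc/pkcs11
#   CONF_EXAMPLE  path to the shipped pkcs11.conf.example
#   MODULE_FILE   path to the shipped p11-kit-trust.module
# Returns 0 on success and 1 if a source file is missing or a copy fails.
# Files that already exist are left untouched, so a locally edited
# pkcs11.conf is never clobbered by a re-run.
setup_p11kit_config() {
    etc_dir=$1
    conf_example=$2
    module_file=$3

    [ -r "$conf_example" ] || { echo "missing: $conf_example" >&2; return 1; }
    [ -r "$module_file" ]  || { echo "missing: $module_file" >&2; return 1; }

    # -p creates both /usr/local/etc/pkcs11 and its modules subdirectory
    mkdir -p "$etc_dir/modules" || return 1

    if [ ! -e "$etc_dir/pkcs11.conf" ]; then
        cp "$conf_example" "$etc_dir/pkcs11.conf" || return 1
    fi
    if [ ! -e "$etc_dir/modules/$(basename "$module_file")" ]; then
        cp "$module_file" "$etc_dir/modules/" || return 1
    fi
    return 0
}

# check_p11kit_config ETC_DIR
# Returns 0 when pkcs11.conf exists and the modules directory holds at
# least one .module file; otherwise 1 (the state that produced the
# "no configured writable location to store anchors" error).
check_p11kit_config() {
    etc_dir=$1
    [ -f "$etc_dir/pkcs11.conf" ] || return 1
    [ -d "$etc_dir/modules" ] || return 1
    for m in "$etc_dir"/modules/*.module; do
        [ -f "$m" ] && return 0
    done
    return 1
}

# Real invocation on the host from the post (run as root):
#   setup_p11kit_config /usr/local/etc/pkcs11 \
#       /usr/local/share/examples/p11-kit/pkcs11.conf.example \
#       /usr/local/share/p11-kit/modules/p11-kit-trust.module \
#   && check_p11kit_config /usr/local/etc/pkcs11 \
#   && trust anchor -v --store /var/db/prosody/meet.crt
```

Run check_p11kit_config first when debugging: if it fails, the layout is the problem and ktrace is not needed; if it passes and trust still refuses to store anchors, the cause lies elsewhere (permissions on the trust store, or a module file that does not point at a writable store).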