p11-kit: no configured writable location to store anchors
Date: Wed, 22 Nov 2023 04:25:29 UTC
Hello,

I came across the error in the subject while working on a jitsi installation (FreeBSD 13.2). Since I found no satisfactory resolution online, I thought I would post my own.

The short version is to create the /usr/local/etc/pkcs11 folder, the /usr/local/etc/pkcs11/modules folder and copy two sample config files, respectively:

# mkdir -p /usr/local/etc/pkcs11/modules
# cp /usr/local/share/examples/p11-kit/pkcs11.conf.example \
    /usr/local/etc/pkcs11/pkcs11.conf
# cp /usr/local/share/p11-kit/modules/p11-kit-trust.module \
    /usr/local/etc/pkcs11/modules/

Long story...

p11-kit
=========

p11-kit is a required pkg for using jitsi. This installs the 'trust' program for managing trust stores.

root@meet:~ # pkg install p11-kit

We created two certificates using prosodyctl. Now we try and add them to the system’s pkcs11 trust store.

root@meet:/ # trust anchor -v --store /var/db/prosody/meet.crt
p11-kit: no configured writable location to store anchors

After much web searching without success, I tried the ktrace command to see if I could find out what files 'trust' is looking for. (Don't forget to heed ktrace's warnings about the possible growth of the ktrace.out file).

root@meet:/ # ktrace trust anchor -v --store /var/db/prosody/meet.crt
p11-kit: no configured writable location to store anchors

Page through the ktrace.out file using kdump. It may take a while to get to the problem area. Look for file missing errors, while ignoring most library (.so) loading messages.

root@meet:/ # kdump -f ktrace.out | more
...
28977 trust NAMI ``/usr/local/etc/pkcs11/pkcs11.conf''
28977 trust RET openat -1 errno 2 No such file or directory
...
29034 trust NAMI "/usr/local/etc/pkcs11/modules"
29034 trust RET open -1 errno 2 No such file or directory

The program is looking for a configuration file at:

/usr/local/etc/pkcs11/pkcs11.conf

We don't have one, nor do we have a pkcs11 folder in /usr/local/etc.
root@meet:/ # mkdir -p /usr/local/etc/pkcs11

Look for those files / paths:

root@meet:/ # find . -name '*s11*'
...
./usr/local/share/examples/p11-kit/pkcs11.conf.example

Copy the sample to our newly created config directory:

root@meet:/ # cp /usr/local/share/examples/p11-kit/pkcs11.conf.example \
    /usr/local/etc/pkcs11/pkcs11.conf

Here's what it looks like:

root@meet:/ # cat /usr/local/etc/pkcs11/pkcs11.conf
# This is an example /usr/local/etc/pkcs11/pkcs11.conf file. Copy it into
# place before use.

# This setting controls whether to load user configuration from the
# ~/.config/pkcs11 directory. Possible values:
#    none: No user configuration
#    merge: Merge the user config over the system configuration (default)
#    only: Only user configuration, ignore system configuration
user-config: merge

=======

The second problem was with /usr/local/etc/pkcs11/modules, create it:

root@meet:/ # mkdir -p /usr/local/etc/pkcs11/modules

Look for module files:

root@meet:/ # find . -name '*p11*'
...
./usr/local/share/p11-kit/modules/p11-kit-trust.module

That was the only module available, so we created the modules directory and copied p11-kit-trust.module into it.

root@meet:/ # cp /usr/local/share/p11-kit/modules/p11-kit-trust.module \
    /usr/local/etc/pkcs11/modules/

Try the trust anchor command again.

root@meet:/ # trust anchor -v --store /var/db/prosody/meet.crt

No error. Add the auth.meet.crt as well.

root@meet:/ # trust anchor -v --store /var/db/prosody/auth.meet.crt

I hope this helps others who come across the subject error.

Mark
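
The kdump paging step described in the message above can be automated. The following is an added example, not part of the original post: a shell function that pairs each NAMI record with the RET that follows it for the same pid and prints only paths that failed with errno 2, skipping .so probes. The function names and the sample trace (built from the two record pairs quoted in the post plus constructed filler lines) are assumptions for illustration.

```sh
#!/bin/sh
# Added example: list the paths a traced program failed to open with ENOENT,
# skipping shared-library probes. Input is `kdump -f ktrace.out` text.

# missing_paths: reads kdump text on stdin, prints each missing path once,
# in first-seen order.
missing_paths() {
    awk -v q="'" '
    BEGIN { strip = "^[`\"]+|[" q "\"]+$" }    # leading/trailing quote marks
    $3 == "NAMI" {
        path = $0
        sub(/^[ \t]*[0-9]+[ \t]+[^ \t]+[ \t]+NAMI[ \t]+/, "", path)
        gsub(strip, "", path)
        last[$1] = path                         # remember lookup per pid
        next
    }
    $3 == "RET" {
        p = last[$1]
        delete last[$1]                         # a RET ends the pending lookup
        if ($5 == "-1" && $6 == "errno" && $7 == "2" && p != "" &&
            p !~ /\.so(\.[0-9]+)*$/ && !(p in seen)) {
            seen[p] = 1
            print p
        }
    }'
}

# sample_kdump: constructed trace; only the pkcs11 record pairs come from the post.
sample_kdump() {
    cat <<'EOF'
 28977 trust    NAMI  "/lib/libp11-kit.so.0"
 28977 trust    RET   open -1 errno 2 No such file or directory
 28977 trust    NAMI  "/etc/libmap.conf"
 28977 trust    RET   open 3
 28977 trust    NAMI  ``/usr/local/etc/pkcs11/pkcs11.conf''
 28977 trust    RET   openat -1 errno 2 No such file or directory
 28977 trust    NAMI  "/usr/local/etc/pkcs11/modules"
 28977 trust    RET   open -1 errno 2 No such file or directory
EOF
}

sample_kdump | missing_paths
```

On a real trace, source the file and run: kdump -f ktrace.out | missing_paths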