Date: Tue, 21 Nov 2023 20:25:29 -0800
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
From: "Mark G."
Subject: p11-kit: no configured writable location to store anchors
To: freebsd-questions@FreeBSD.org

Hello,

I came across the error in the subject while working on a jitsi installation (FreeBSD 13.2). Since I found no satisfactory resolution online, I thought I would post my own.

The short version is to create the /usr/local/etc/pkcs11 folder and the /usr/local/etc/pkcs11/modules folder, and copy two sample config files, respectively:

# mkdir -p /usr/local/etc/pkcs11/modules
# cp /usr/local/share/examples/p11-kit/pkcs11.conf.example \
     /usr/local/etc/pkcs11/pkcs11.conf
# cp /usr/local/share/p11-kit/modules/p11-kit-trust.module \
     /usr/local/etc/pkcs11/modules/

Long story...

p11-kit
=========

p11-kit is a required pkg for using jitsi. This installs the 'trust' program for managing trust stores.

root@meet:~ # pkg install p11-kit

We created two certificates using prosodyctl. Now we try and add them to the system's pkcs11 trust store.

root@meet:/ # trust anchor -v --store /var/db/prosody/meet.crt
p11-kit: no configured writable location to store anchors

After much web searching without success, I tried the ktrace command to see if I could find out what files 'trust' is looking for. (Don't forget to heed ktrace's warnings about the possible growth of the ktrace.out file.)

root@meet:/ # ktrace trust anchor -v --store /var/db/prosody/meet.crt
p11-kit: no configured writable location to store anchors

Page through the ktrace.out file using kdump. It may take a while to get to the problem area. Look for file-missing errors, while ignoring most library (.so) loading messages.

root@meet:/ # kdump -f ktrace.out | more
...
 28977 trust    NAMI  "/usr/local/etc/pkcs11/pkcs11.conf"
 28977 trust    RET   openat -1 errno 2 No such file or directory
...
 29034 trust    NAMI  "/usr/local/etc/pkcs11/modules"
 29034 trust    RET   open -1 errno 2 No such file or directory

The program is looking for a configuration file at:

/usr/local/etc/pkcs11/pkcs11.conf

We don't have one, nor do we have a pkcs11 folder in /usr/local/etc.

root@meet:/ # mkdir -p /usr/local/etc/pkcs11

Look for those files / paths:

root@meet:/ # find . -name '*s11*'
...
./usr/local/share/examples/p11-kit/pkcs11.conf.example

Copy the sample to our newly created config directory:

root@meet:/ # cp /usr/local/share/examples/p11-kit/pkcs11.conf.example \
     /usr/local/etc/pkcs11/pkcs11.conf

Here's what it looks like:

root@meet:/ # cat /usr/local/etc/pkcs11/pkcs11.conf
# This is an example /usr/local/etc/pkcs11/pkcs11.conf file. Copy it into
# place before use.

# This setting controls whether to load user configuration from the
# ~/.config/pkcs11 directory. Possible values:
#   none: No user configuration
#   merge: Merge the user config over the system configuration (default)
#   only: Only user configuration, ignore system configuration
user-config: merge

=======

The second problem was with /usr/local/etc/pkcs11/modules; create it:

root@meet:/ # mkdir -p /usr/local/etc/pkcs11/modules

Look for module files:

root@meet:/ # find . -name '*p11*'
...
./usr/local/share/p11-kit/modules/p11-kit-trust.module

That was the only module available, so we created the modules directory and copied p11-kit-trust.module into it.

root@meet:/ # cp /usr/local/share/p11-kit/modules/p11-kit-trust.module \
     /usr/local/etc/pkcs11/modules/

Try the trust anchor command again.

root@meet:/ # trust anchor -v --store /var/db/prosody/meet.crt

No error. Add the auth.meet.crt as well.

root@meet:/ # trust anchor -v --store /var/db/prosody/auth.meet.crt

I hope this helps others who come across the subject error.

Mark
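The fix Mark describes, as an added example that is not part of his post and not p11-kit's own tooling: an idempotent POSIX sh script that first checks for the two paths the ktrace output showed 'trust' opening, then creates the directory and copies the two sample files, without ever overwriting a pkcs11.conf or module file that is already in place. The PREFIX variable, the P11_APPLY switch and the function names are this example's own assumptions; the file paths are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the fix described above
# as an idempotent script. PREFIX defaults to /usr/local (the FreeBSD pkg
# layout the post uses); override it to exercise the functions elsewhere.
PREFIX="${PREFIX:-/usr/local}"

# Report which of the two paths 'trust' looked for (per the ktrace output)
# are absent. Returns 0 when both exist, otherwise the number missing.
p11_check_layout() {
    prefix="$1"
    missing=0
    for path in "$prefix/etc/pkcs11/pkcs11.conf" "$prefix/etc/pkcs11/modules"; do
        if [ ! -e "$path" ]; then
            echo "missing: $path"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Create the config directory and copy the two sample files that the p11-kit
# package ships. An existing pkcs11.conf or module file is left untouched so a
# hand-edited configuration is never clobbered. Returns 1 when the package
# examples are not where the post found them (i.e. p11-kit is not installed).
p11_install_layout() {
    prefix="$1"
    conf_example="$prefix/share/examples/p11-kit/pkcs11.conf.example"
    module_example="$prefix/share/p11-kit/modules/p11-kit-trust.module"
    if [ ! -f "$conf_example" ] || [ ! -f "$module_example" ]; then
        echo "p11-kit sample files not found under $prefix; is p11-kit installed?" >&2
        return 1
    fi
    mkdir -p "$prefix/etc/pkcs11/modules" || return 1
    if [ ! -e "$prefix/etc/pkcs11/pkcs11.conf" ]; then
        cp "$conf_example" "$prefix/etc/pkcs11/pkcs11.conf" || return 1
    fi
    if [ ! -e "$prefix/etc/pkcs11/modules/p11-kit-trust.module" ]; then
        cp "$module_example" "$prefix/etc/pkcs11/modules/" || return 1
    fi
    # Re-check so the caller gets the same verdict 'trust' would.
    p11_check_layout "$prefix"
}

# Apply to the real prefix only when explicitly asked (needs root on the
# FreeBSD host); otherwise only report the current state.
if [ "${P11_APPLY:-0}" = 1 ]; then
    p11_install_layout "$PREFIX"
else
    p11_check_layout "$PREFIX" || echo "run with P11_APPLY=1 as root to create them"
fi
```

Run it once without arguments to see which of the two paths is missing, then as root with P11_APPLY=1 to create them; a second run is a no-op, and a prefix where p11-kit is not installed is reported rather than half-populated.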