dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

certutil: could not change trust on certificate: SEC_ERROR_TOKEN_NOT_LOGGED_IN #3006

Open pki-bot opened 3 years ago

pki-bot commented 3 years ago

This issue was migrated from Pagure Issue #2888. Originally filed by mharmsen (@mharmsen) on 2018-01-09 19:22:27:


Steps to Reproduce:

1. pkispawn -s CA -f ca.cfg
2. pkispawn -s KRA -f kra.cfg

Actual results:

    Log file: /var/log/pki/pki-kra-spawn.20180105105230.log
    Loading deployment configuration from kra.cfg.
    Installing KRA into /var/lib/pki/RootKRA_hsm.
    certutil: Could not find cert: NHSM6000-OCS:Server-Cert cert-RootKRA_hsm
    : PR_FILE_NOT_FOUND_ERROR: File not found
    Notice: Trust flag u is set automatically if the private key is present.
    certutil: could not change trust on certificate: SEC_ERROR_TOKEN_NOT_LOGGED_IN: The operation failed because the PKCS11 token is not logged in.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             kraadmin
      Administrator's PKCS 12 file:
            /opt/RootKRA_hsm/kraadmincert.p12

      This KRA subsystem of the 'RootKRA_hsm' instance
      has FIPS mode enabled on this operating system.

      REMINDER:  Don't forget to update the appropriate FIPS
                 algorithms in server.xml in the 'RootKRA_hsm' instance.

      To check the status of the subsystem:
            systemctl status pki-tomcatd@RootKRA_hsm.service

      To restart the subsystem:
            systemctl restart pki-tomcatd@RootKRA_hsm.service

      The URL for the subsystem is:
            https://pki.example.com:21042/kra

      PKI instances will be enabled upon system boot

    ==========================================================================

Expected results:

Not able to see any error messages.

Additional info:

This issue occurred due to certutil.
* BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1393668

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2018-01-09 19:23:26

This issue exists for the following two actions:

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2018-01-09 19:23:27

Metadata Update from @mharmsen:

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2018-01-09 19:23:58

Metadata Update from @mharmsen:

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2018-01-18 15:01:49

Per PKI Team Meeting of 20180118 moving to 10.6

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2018-01-18 15:01:50

Metadata Update from @mharmsen:

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2018-04-18 20:48:18

Per 10.5.x/10.6 Triage: 10.5.x

edewata: misleading error message

pki-bot commented 3 years ago

Comment from mharmsen (@mharmsen) at 2018-04-18 20:48:19

Metadata Update from @mharmsen: