Bug 1531622

Summary: certutil: could not change trust on certificate: SEC_ERROR_TOKEN_NOT_LOGGED_IN
Product: Red Hat Enterprise Linux 8 Reporter: Amol K <akahat>
Component: pki-coreAssignee: Endi Sukma Dewata <edewata>
Status: CLOSED UPSTREAM QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.3CC: ascheel, mharmsen
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-13 20:48:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Amol K 2018-01-05 16:35:55 UTC 
Description of problem:
During pkispawn I'm able to see some new messages.

Version-Release number of selected component (if applicable):
10.5.1-5.el7

How reproducible:
Always

Steps to Reproduce:
1. pkispawn -s CA -f ca.cfg
2. pkispawn -s KRA -f kra.cfg
3.

Actual results:
Log file: /var/log/pki/pki-kra-spawn.20180105105230.log
Loading deployment configuration from kra.cfg.
Installing KRA into /var/lib/pki/RootKRA_hsm_akahat.
certutil: Could not find cert: NHSM6000-OCS:Server-Cert cert-RootKRA_hsm_akahat
: PR_FILE_NOT_FOUND_ERROR: File not found
Notice: Trust flag u is set automatically if the private key is present.
certutil: could not change trust on certificate: SEC_ERROR_TOKEN_NOT_LOGGED_IN: The operation failed because the PKCS#11 token is not logged in.

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             kraadmin
      Administrator's PKCS #12 file:
            /opt/RootKRA_hsm_akahat/kraadmincert.p12

      This KRA subsystem of the 'RootKRA_hsm_akahat' instance
      has FIPS mode enabled on this operating system.

      REMINDER:  Don't forget to update the appropriate FIPS
                 algorithms in server.xml in the 'RootKRA_hsm_akahat' instance.

      To check the status of the subsystem:
            systemctl status pki-tomcatd

      To restart the subsystem:
            systemctl restart pki-tomcatd

      The URL for the subsystem is:
            https://csqa4-guest03.idm.lab.eng.rdu.redhat.com:21042/kra

      PKI instances will be enabled upon system boot

    ==========================================================================


Expected results:

Not able to see any error messages.

Additional info:

This issue is occured due to certutil.
BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1393668
Comment 3 Matthew Harmsen 2018-01-18 19:38:57 UTC 
Per PKI Team Meeting of 20180118 moving to RHEL 7.6.
Comment 4 Matthew Harmsen 2018-04-19 00:49:10 UTC 
Per RHEL 7.5.z/7.6/8.0 Triage:  7.6

edewata: misleading error message
Comment 5 Matthew Harmsen 2018-07-03 23:57:08 UTC 
Moved to RHEL 7.7.