Hi Bastien,
Unfortunately, we don't have experience with this issue.
You could try to find what changed since Bookworm.
Hello,
I upgraded my signing server to Debian 13, but I have a problem with my HSM:
Oct 15 21:09:18 arrakeen knotd[29552]: error: [durel.org.] zone event 'load' failed (PKCS #11 token not available)
Oct 15 21:09:18 arrakeen knotd[29552]: error: [geekwu.org.] zone event 'load' failed (PKCS #11 token not available)
keymgr gives me the same error:
# keymgr geekwu.org list
error: failed to initialize KASP (PKCS #11 token not available)
despite hsmwiz being able to access the key:
# hsmwiz identify
Using reader with a card: Nitrokey Nitrokey HSM (DENK01067960000 ) 00 00
Version : 3.4
Config options :
User PIN reset with SO-PIN enabled
SO-PIN tries left : 15
User PIN tries left : 3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Default SO-PIN: 3537363231383830 Default PIN: 648219
Now executing: pkcs15-tool --dump
Using reader with a card: Nitrokey Nitrokey HSM (DENK01067960000 ) 00 00
PKCS#15 Card [knot]:
Version : 0
Serial number : DENK0106796
Manufacturer ID: www.CardContact.de
Flags : PRN generation
[...]
Public EC Key [Private Key]
Object Flags : [0x00]
Usage : [0x140], verify, derive
Access Flags : [0x02], extract
FieldLength : 384
Key ref : 0 (0x00)
Native : no
ID : 74f59bc17317bfccc5806108d84df1abd275faef
DirectValue : <present>
Knot is using this keystore:
keystore:
- id: nitrokey
backend: pkcs11
config: "pkcs11:pin-value=*** /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so"
I verified /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so still exists, and ldd doesn't report any missing dependency.
strace let me see communication with pcscd, whose logs have these:
Oct 15 21:20:14 arrakeen systemd[1]: Started pcscd.service - PC/SC Smart Card Daemon.
Oct 15 21:20:20 arrakeen pcscd[33186]: 00000000 ../src/auth.c:166:IsClientAuthorized() Process 33204 (user: 134) is NOT authorized for action: access_pcsc
Oct 15 21:20:20 arrakeen pcscd[33186]: 00000071 ../src/winscard_svc.c:357:ContextThread() Rejected unauthorized PC/SC client
After a bit of digging, I found it's controlled by polkit, and added a brutal rule:
cat /etc/polkit-1/rules.d/pcsc.rules
/* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */
polkit.addRule(function(action, subject) {
    if (subject.isInGroup("pcsc")) {
        return polkit.Result.YES;
    }
});
With knot added to the pcsc group, it can access the HSM again.
Do you know of a better way to configure?
NB: I'm using another account, as I began to write this with no DNS server running
Regards,
--
Bastien Durel
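On the "better way to configure" question: the rule in the post never looks at action.id, so every member of group pcsc is granted every polkit action on the host, not only PC/SC access. The following is an added example (not code from the thread, from Knot or from pcsc-lite) that puts the posted rule next to a scoped one and exercises both against constructed subjects. It assumes the two pcsc-lite action ids org.debian.pcsc-lite.access_pcsc (the one in the log) and org.debian.pcsc-lite.access_card (checked when a reader is opened), that knotd runs as the user "knot", and that the action/subject objects have the shape polkitd passes to rules. Only the rule function belongs in /etc/polkit-1/rules.d/; the polkit stand-in and the comparison harness exist so the logic can be checked outside polkitd.

```javascript
// Added example, not code from the thread or from Knot/pcsc-lite.
// Assumptions: pcsc-lite exposes the polkit actions org.debian.pcsc-lite.access_pcsc
// and org.debian.pcsc-lite.access_card, and knotd runs as the user "knot".
// Outside polkitd there is no `polkit` global, so a stand-in is provided here to
// exercise the rule logic; in /etc/polkit-1/rules.d/ only the rule function is needed.
if (typeof polkit === "undefined") {
    var polkit = {
        Result: { YES: "yes", NO: "no" },
        addRule: function (fn) { /* no-op outside polkitd */ }
    };
}

// Rule as posted: any member of group "pcsc" is granted *every* polkit action,
// because action.id is never examined. Kept here only for comparison.
function broadRule(action, subject) {
    if (subject.isInGroup("pcsc")) {
        return polkit.Result.YES;
    }
}

// Scoped replacement: only the knot service account, only the pcsc-lite actions.
// Any other (action, subject) pair gets no answer, so polkit falls through to the
// remaining rules and the action's own defaults.
var PCSC_ACTIONS = [
    "org.debian.pcsc-lite.access_pcsc",   // talk to pcscd at all (the one in the log)
    "org.debian.pcsc-lite.access_card"    // open a reader/card afterwards
];

function scopedRule(action, subject) {
    if (PCSC_ACTIONS.indexOf(action.id) !== -1 && subject.user === "knot") {
        return polkit.Result.YES;
    }
}

polkit.addRule(scopedRule);

// Constructed stand-ins for the objects polkitd passes to rules.
function makeSubject(user, groups) {
    return {
        user: user,
        isInGroup: function (g) { return groups.indexOf(g) !== -1; }
    };
}

// Evaluate one rule for one (action, subject) pair; "no-opinion" means the rule
// returned nothing, which is what an unrelated action should get.
function decide(rule, actionId, subject) {
    var r = rule({ id: actionId }, subject);
    return r === undefined ? "no-opinion" : r;
}

// Side-by-side comparison over a few constructed cases; returns the rows so they can be checked.
function compareRules() {
    var knot = makeSubject("knot", ["knot", "pcsc"]);
    var alice = makeSubject("alice", ["alice", "pcsc"]);   // another pcsc group member
    var cases = [
        ["org.debian.pcsc-lite.access_pcsc", knot],
        ["org.debian.pcsc-lite.access_card", knot],
        ["org.debian.pcsc-lite.access_pcsc", alice],
        ["org.freedesktop.login1.reboot", knot]           // unrelated action
    ];
    return cases.map(function (c) {
        return {
            action: c[0],
            user: c[1].user,
            broad: decide(broadRule, c[0], c[1]),
            scoped: decide(scopedRule, c[0], c[1])
        };
    });
}

if (typeof console !== "undefined" && console.table) {
    console.table(compareRules());
}
```

The comparison shows the difference that matters: for an unrelated action such as org.freedesktop.login1.reboot the posted rule still answers YES for the knot user, while the scoped rule stays silent and the default for that action applies. The file is written in ES5 style on purpose, since polkitd's embedded JavaScript engine does not necessarily support newer syntax.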