pam_privacyidea

Hi all,

I set up a privacyidea server for testing purposes and I am doing 2FA for ssh and sudo on a test machine using pam_privacyidea:

All works well, with a variety of tokens (TOTP, mail, questionnaire).

BUT: it only works when I use ‘nossl’ in my pam config:

auth [success=1 default=ignore] pam_privacyidea.so url=https://my.privacyidea.server sendEmptyPassword nossl debug

If I remove the ‘nossl’ I get:

Jun 11 13:31:08 maxim pam_privacyidea[2091449]: pam_privacyidea(sshd:auth): Unable to send request to the privacyIDEA server. Error 60

Since ‘nossl’ means (according to the GitHub page) “Disable SSL certificate check”, I can only assume that pam_privacyidea is not able to verify the server certificate.

I use a certificate issued by Let's Encrypt for https://my.privacyidea.server. Furthermore, when accessing the https://my.privacyidea.server web interface, the certificate checks out correctly (in the web browser).

Any idea what could be the problem?

Best,
Hp

Hi and welcome hkunz,

Thanks for your message.

We have adapted the instructions on GitHub.
This should then handle the issue with SSL verification.

See:

Best regards

Julio

Hi Julio,

Thanks for the documentation, this is for sure helpful. In our case, however, the problem was not that the root cert was missing (we are not using custom certificates), but your post pointed me in the right direction: the chain cert was missing in our Apache config. Added that, and, of course, certificate verification is now working. Stupid mistake ;]

Many thanks and best regards,
Hp
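
The missing-chain failure from the last post, reproduced offline as an added example (not part of the thread or of the privacyIDEA project): a client that trusts only the root CA cannot verify the leaf unless the server also sends the intermediate. The CA names, file names and function names are constructed for the demo, and it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example: throwaway CA hierarchy; every name and file here is constructed.

# Build root -> intermediate -> leaf inside the empty directory $1.
make_chain() {
  (
    cd "$1" || exit 1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
      '[dn]' 'CN = placeholder' '[ca]' 'basicConstraints = critical,CA:TRUE' > demo.cnf
    # new_key NAME ARGS...: fresh RSA key NAME.key plus whatever ARGS ask req to emit.
    new_key() {
      name=$1; shift
      openssl req -new -config demo.cnf -newkey rsa:2048 -nodes -keyout "$name.key" "$@"
    }
    new_key root -x509 -extensions ca -subj "/CN=Demo Root CA" -days 2 -out root.pem &&
    new_key int -subj "/CN=Demo Intermediate CA" -out int.csr &&
    new_key leaf -subj "/CN=my.privacyidea.server" -out leaf.csr &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile demo.cnf -extensions ca -days 2 -out int.pem &&
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -days 2 -out leaf.pem
  ) >/dev/null 2>&1
}

# Verify leaf.pem as a client that trusts only root.pem.
# $2 names the extra certificate file the server sends with the leaf ("" = none).
client_verifies() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/$2" "$1/leaf.pem"
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem"
  fi >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d) && make_chain "$d" || return 1
  for served in "" int.pem; do
    if client_verifies "$d" "$served"; then result="verified"; else result="verification FAILED"; fi
    echo "server sends leaf${served:+ + $served}: $result"
  done
  rm -rf "$d"
}
demo
```

Against a live server, `openssl s_client -connect my.privacyidea.server:443 -showcerts` prints the certificates the server actually sends; with the chain configured, the leaf is followed by the intermediate.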