Thanks for your fast feedback and the helpful suggestions. Before you answered I had already rebooted the server (it was scheduled anyway) and after the reboot pkcs11-tool again saw the NitroKey HSM2. I presume it might be your point 3) which eventually was the problem and was solved by the reboot.
Is it sensible to also migrate to v0.22.0 of opensc? Or are the nitrokey extensions only available for 0.20.0?
I also have feedback regarding the build-script:
I added a separate section for Ubuntu 20.04 "focal" to the docker-compose.yml and started it with docker-compose up. Everything ran fine so far, until in the midst of the updates one package asked me for an answer regarding locale/timezone. However, because it was being run via docker-compose I could not actually answer anything (input was ignored), so I had to CTRL+C it.
I was eventually able to run it successfully without docker-compose with the following command:
docker run -it --mount 'type=bind,source=/tmp/opensc-build,destination=/opensc' ubuntu:focal
I then manually installed the two DEB files using:
sudo dpkg -i opensc-pkcs11_0.20.0-1~nitrokey_amd64.deb
sudo dpkg -i opensc_0.20.0-1~nitrokey_amd64.deb
As far as I observed, the openssl installed in the docker container is not the latest and greatest from today (1.1.1m), and the pkcs11-opensc.so is still not working 100% when used as an openssl engine.
Mar 19 12:17:36 bigigloo dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: error:2506406A:DSO support routines:dlfcn_bind_func:could not bind to the requested symbol name: symname(bind_engine): /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so: undefined symbol: bind_engine, error:2506C06A:DSO support routines:DSO_bind_func:could not bind to the requested symbol name, error:260B6068:engine routines:dynamic_load:DSO failure, error:260BC066:engine routines:int_engine_configure:engine configuration error: section=pkcs11_section, name=dynamic_path, value=/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so, error:0E07606D:configuration file routines:module_run:module initialization error: module=engines, value=engine_section, retcode=-1 : user=<>, rip=192.168.0.113, lip=192.168.0.1
As soon as I disable the engine in the openssl.cnf, dovecot starts up again happily as in all the years before. Unfortunately rebuilding opensc today did not fix the problem. As said, presumably due to the container not having the latest version of openssl. The problems started right after I had upgraded openssl today. (I am not actually using pkcs11 in dovecot, but something seems to trigger this error. I have only encountered it in dovecot so far.)
The original problem this morning was:
Mar 19 08:37:51 bigigloo dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate: error:2506406A:DSO support routines:dlfcn_bind_func:could not bind to the requested symbol name: symname(EVP_PKEY_get_base_id): /usr/lib/ssl/engines/pkcs11.so: undefined symbol: EVP_PKEY_get_base_id, error:2506C06A:DSO support routines:DSO_bind_func:could not bind to the requested symbol name: user=<>, rip=192.168.0.112, lip=192.168.0.1
→ Different symbol “EVP_PKEY_get_base_id” - I presume something changed here in the latest version.
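Added example (editor's note, not part of the post above and not OpenSC, libp11 or Nitrokey code): a small Python triage script that parses the two OpenSSL error chains quoted in the post and classifies them. Two facts drive it. First, OpenSSL's dynamic engine loader resolves the symbol bind_engine in whatever file dynamic_path names; a PKCS#11 module such as opensc-pkcs11.so exports C_GetFunctionList and no bind_engine, so naming it in dynamic_path fails exactly as in the first log line. The libp11 engine (pkcs11.so) belongs in dynamic_path, and the OpenSC module in MODULE_PATH. Second, EVP_PKEY_get_base_id is an OpenSSL 3.0 name, so an engine that imports it was built against 3.x and cannot load into libcrypto 1.1.1, which matches the second log line. The script also probes a shared object with ctypes for the two entry points; the engine path used in the usage example is the Debian/Ubuntu location for the OpenSSL 1.1 build of libp11 and is an assumption, so check it with dpkg -L libengine-pkcs11-openssl on the real host.

```python
"""Triage OpenSSL "DSO support routines ... undefined symbol" engine errors.

Added example for this thread; not OpenSC, libp11 or Nitrokey code.
"""
import ctypes
import re
from dataclasses import dataclass
from typing import Optional

# Symbol OpenSSL's dynamic engine loader resolves in the file named by dynamic_path.
ENGINE_ENTRY = "bind_engine"
# Entry point a PKCS#11 module (opensc-pkcs11.so, libsofthsm2.so, ...) exports instead.
PKCS11_ENTRY = "C_GetFunctionList"
# A few names introduced by the OpenSSL 3.0 API rename (not exhaustive). An engine
# that imports one of them was built against 3.x and will not load into 1.1.1.
OPENSSL3_ONLY = {
    "EVP_PKEY_get_base_id", "EVP_PKEY_get_id", "EVP_PKEY_get_bits",
    "EVP_PKEY_get_size", "EVP_MD_get_size", "EVP_MD_get_type",
}

# The two dovecot log lines quoted in the post (copied from the post, not constructed).
LOG_NOT_ENGINE = (
    "Mar 19 12:17:36 bigigloo dovecot: imap-login: Error: Failed to initialize SSL server "
    "context: Can't load SSL certificate: error:2506406A:DSO support routines:dlfcn_bind_func:"
    "could not bind to the requested symbol name: symname(bind_engine): "
    "/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so: undefined symbol: bind_engine, "
    "error:2506C06A:DSO support routines:DSO_bind_func:could not bind to the requested symbol "
    "name, error:260B6068:engine routines:dynamic_load:DSO failure, error:260BC066:engine "
    "routines:int_engine_configure:engine configuration error: section=pkcs11_section, "
    "name=dynamic_path, value=/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so, "
    "error:0E07606D:configuration file routines:module_run:module initialization error: "
    "module=engines, value=engine_section, retcode=-1 : user=<>, rip=192.168.0.113, lip=192.168.0.1"
)
LOG_ABI_MISMATCH = (
    "Mar 19 08:37:51 bigigloo dovecot: imap-login: Error: Failed to initialize SSL server "
    "context: Can't load SSL certificate: error:2506406A:DSO support routines:dlfcn_bind_func:"
    "could not bind to the requested symbol name: symname(EVP_PKEY_get_base_id): "
    "/usr/lib/ssl/engines/pkcs11.so: undefined symbol: EVP_PKEY_get_base_id, error:2506C06A:"
    "DSO support routines:DSO_bind_func:could not bind to the requested symbol name: "
    "user=<>, rip=192.168.0.112, lip=192.168.0.1"
)

_SYM_RE = re.compile(r"symname\((?P<sym>\w+)\): (?P<path>[^\s:]+): undefined symbol: (?P<missing>\w+)")
_DYNPATH_RE = re.compile(r"name=dynamic_path, value=(?P<path>[^,\s]+)")


@dataclass
class DsoError:
    dso_path: str            # file dlopen()/dlsym() complained about
    missing_symbol: str      # symbol OpenSSL (or the dynamic linker) could not resolve
    dynamic_path: Optional[str]  # dynamic_path from openssl.cnf, if the chain names it


def parse_dso_error(line: str) -> Optional[DsoError]:
    """Extract DSO path and missing symbol from an OpenSSL error chain; None if absent."""
    m = _SYM_RE.search(line)
    if not m:
        return None
    d = _DYNPATH_RE.search(line)
    return DsoError(m.group("path"), m.group("missing"), d.group("path") if d else None)


def diagnose(err: DsoError) -> str:
    """Classify the failure; the return value is a key into EXPLANATION."""
    if err.missing_symbol == ENGINE_ENTRY:
        return "not-an-engine"
    if err.missing_symbol in OPENSSL3_ONLY:
        return "openssl3-engine-on-1.1"
    return "unknown"


EXPLANATION = {
    "not-an-engine": "dynamic_path names a file with no bind_engine export: a raw PKCS#11 "
                     "module, not an OpenSSL engine. Put the libp11 engine (pkcs11.so) in "
                     "dynamic_path and this file in MODULE_PATH.",
    "openssl3-engine-on-1.1": "the engine imports an OpenSSL 3.0-only symbol, so it was built "
                              "against 3.x but is being loaded by libcrypto 1.1; reinstall or "
                              "rebuild the engine for the libcrypto actually in use.",
    "unknown": "not a pattern this script knows; inspect the DSO with nm -D and ldd.",
}


def probe_exports(path: Optional[str]) -> dict:
    """dlopen `path` (None = the running process) and report which entry points it exports.
    A load failure is reported rather than raised, since an ABI-mismatched engine fails here."""
    try:
        lib = ctypes.CDLL(path)
    except OSError as exc:
        return {"loadable": False, "error": str(exc)}
    return {"loadable": True,
            "is_engine": hasattr(lib, ENGINE_ENTRY),
            "is_pkcs11_module": hasattr(lib, PKCS11_ENTRY)}


def suggested_engine_section(engine_so: str, module_so: str) -> str:
    """openssl.cnf engine section in the shape libp11 documents: the engine in
    dynamic_path, the PKCS#11 module it drives in MODULE_PATH."""
    return ("[pkcs11_section]\nengine_id = pkcs11\n"
            f"dynamic_path = {engine_so}\nMODULE_PATH = {module_so}\ninit = 0\n")


if __name__ == "__main__":
    for line in (LOG_NOT_ENGINE, LOG_ABI_MISMATCH):
        err = parse_dso_error(line)
        print(err.dso_path, "missing", err.missing_symbol, "->", EXPLANATION[diagnose(err)])
    # Assumed Debian/Ubuntu path of the OpenSSL 1.1 libp11 engine; verify on the host.
    print(suggested_engine_section("/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so",
                                   "/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so"))
```

Run it as-is to see the two classifications; to check a real file, call probe_exports("/path/to/pkcs11.so") on the host and expect is_engine to be True for the libp11 engine and is_pkcs11_module to be True for opensc-pkcs11.so. If the engine itself does not even dlopen, the returned error string contains the unresolved symbol, which is the ABI-mismatch case.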