=> Problem Description
We already opened an issue; the problems may be related: #68
Our company uses Ubuntu 20.04 and the OpenSC 0.22.0 library to authenticate with the smartcard. We use pam_pkcs11 to allow users to log in to their user only with their card and PIN. Without checking CRLs, everything works. But when we try to put crl_online in cert_policy, the certificate is rejected with the error: "Failed: getting the certificate of the crl-issuer failed".
We also used openssl verify -crl_check -CAfile /etc/pam_pkcs11/crls/mycert and here the verification works.
=> Steps to reproduce
To achieve this result, we just identify ourselves on the login screen and we try to log in and we type the PIN code.
=> Logs
The following logs are found in /var/log/auth.log
Nov 3 08:44:41 hostname gdm-password]: pam_pkcs11(gdm-password:auth): verify_certificate() failed: check_for_revocation() failed: verify_crl() failed: getting the certificate of the crl-issuer failed
Nov 3 08:44:42 hostname gdm-password]: pam_pkcs11(gdm-password:auth): verify_certificate() failed: check_for_revocation() failed: verify_crl() failed: getting the certificate of the crl-issuer failed
Nov 3 08:44:42 hostname gdm-password]: pam_pkcs11(gdm-password:auth): verify_certificate() failed: check_for_revocation() failed: verify_crl() failed: getting the certificate of the crl-issuer failed
Nov 3 08:44:42 hostname gdm-password]: pam_pkcs11(gdm-password:auth): no valid certificate which meets all requirements found
Please tell me what information you need to help us.
tgreil changed the title from "Crl_offline even if all certificates are available on crl URI" to "Crl_online even if all certificates are available on crl URI" on Nov 3, 2022