PKCS11 not working on mender client with TPM

I tried to configure a client to use a private key stored inside a TPM. In order to get the URI of the private key, I used p11tool. The result is the following.

root@nano-iot:~/tpm2_ptool/tpm2-pkcs11/tools# p11tool --provider='/usr/local/lib/libtpm2_pkcs11.so' --list-all "$token" --login
Token 'my first token' with URL 'pkcs11:model=Intel%00%00%00%00%00%00%00%00%00%00%00;manufacturer=Intel;serial=0000000000000000;token=my%20first%20token' requires user PIN
Enter PIN: 
WARNING: Needed CKA_VALUE but didn't find encrypted blob
Object 0:
	URL: pkcs11:model=Intel%00%00%00%00%00%00%00%00%00%00%00;manufacturer=Intel;serial=0000000000000000;token=my%20first%20token;id=%22%24;object=myrsakey;type=public
	Type: Public key (RSA-2048)
	Label: myrsakey
	Flags: CKA_NEVER_EXTRACTABLE; 
	ID: 22:24

Object 1:
	URL: pkcs11:model=Intel%00%00%00%00%00%00%00%00%00%00%00;manufacturer=Intel;serial=0000000000000000;token=my%20first%20token;id=%22%24;object=myrsakey;type=private
	Type: Private key (RSA-2048)
	Label: myrsakey
	Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE; 
	ID: 22:24

With this URL I edit the mender.conf file located in /etc/mender the following way.

{
  "ServerURL": "https://my_server.org",
  "ServerCertificate": "/etc/mender/server.crt",
  "HttpsClient": {
    "Certificate": "/etc/mender/Nano.pem",
    "Key": "pkcs11:model=Intel%00%00%00%00%00%00%00%00%00%00%00;manufacturer=Intel;serial=0000000000000000;token=my%20first%20token;id=%22%24;object=myrsakey;type=private;pin-value=myuserpin",
    "SSLEngine": "pkcs11"
  }
}

Then I restart the mender client using service mender-client restart and the client doesn’t connect. In the journalctl the following can be seen.

ene 26 18:20:09 nano-iot mender[5176]: PKCS11_get_private_key returned NULL
ene 26 18:20:09 nano-iot mender[5176]: Failed to enumerate slots
ene 26 18:20:09 nano-iot mender[5176]: Failed to enumerate slots

I then try with the following mender.conf.

{
  "ServerURL": "https://my_server.org",
  "ServerCertificate": "/etc/mender/server.crt",
  "HttpsClient": {
    "Certificate": "/etc/mender/Nano.pem",
    "Key": "pkcs11:module-path=/usr/local/lib/libtpm2_pkcs11.so;model=Intel%00%00%00%00%00%00%00%00%00%00%00;manufacturer=Intel;serial=0000000000000000;slot-id=0;token=my%20first%20token;id=%22%24;object=myrsakey;type=private;pin-value=myuserpin",
    "SSLEngine": "pkcs11"
  }
}

And I get exactly the same result.

Is there anything that I’m missing?

Best,
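
An added example, not part of the original post and not Mender or libp11 code: a Python check that parses the posted "Key" URI using the RFC 7512 layout, percent-decodes each attribute, and compares it with the fields p11tool printed for Object 1. The function names and the `LISTED` dictionary are assumptions made for this example; it checks only that the URI addresses the listed object and where the PIN is kept.

```python
from urllib.parse import unquote_to_bytes

SECRET_ATTRS = {"pin-value"}  # attributes that carry the user PIN itself

def parse_pkcs11_uri(uri):
    """Return {attribute: percent-decoded bytes} for a pkcs11: URI.

    RFC 7512 layout: path attributes joined by ';', then an optional
    '?' followed by query attributes joined by '&'.
    """
    scheme, sep, rest = uri.partition(":")
    if scheme != "pkcs11" or not sep:
        raise ValueError("not a pkcs11: URI")
    path, _, query = rest.partition("?")
    attrs = {}
    for item in [*path.split(";"), *query.split("&")]:
        if not item:
            continue
        name, eq, value = item.partition("=")
        if not eq:
            raise ValueError(f"attribute without '=': {item!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name}")
        attrs[name] = unquote_to_bytes(value)
    return attrs

def review_key_uri(uri, listed):
    """Compare a configured key URI with what p11tool listed for the object."""
    attrs = parse_pkcs11_uri(uri)
    findings = []
    if attrs.get("id", b"").hex(":") != listed["id"]:
        findings.append("id differs from the listed object")
    for name in ("object", "token"):
        if attrs.get(name, b"").decode("utf-8", "replace") != listed[name]:
            findings.append(f"{name} differs from the listed object")
    if attrs.get("type") != b"private":
        findings.append("URI does not select the private key")
    for name in sorted(SECRET_ATTRS & attrs.keys()):
        findings.append(f"{name} keeps the PIN in clear text in the config")
    redacted = {k: "<redacted>" if k in SECRET_ATTRS else v for k, v in attrs.items()}
    return redacted, findings

# "Key" value from the first mender.conf in the post, and the p11tool fields for Object 1.
POSTED_URI = ("pkcs11:model=Intel%00%00%00%00%00%00%00%00%00%00%00;manufacturer=Intel;"
              "serial=0000000000000000;token=my%20first%20token;id=%22%24;"
              "object=myrsakey;type=private;pin-value=myuserpin")
LISTED = {"id": "22:24", "object": "myrsakey", "token": "my first token"}

if __name__ == "__main__":
    redacted, findings = review_key_uri(POSTED_URI, LISTED)
    print(redacted, findings, sep="\n")
```

For the posted URI the id, label and token all match the listing, so the only finding is the PIN stored in mender.conf.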

I found something interesting on this. After a lot of investigation, I’ve seen that the issue should be in how the daemon is launched by systemd. If I launch the mender client manually, the error does not appear.

Do you have any insight on this or how to solve it?

Best,