Bug 1648351 - certutil -N returns error code 1 on success
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: nss
Version: 29
Hardware: Unspecified
OS: Unspecified
Assignee: Daiki Ueno
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-11-09 13:51 UTC by Christian Heimes
Modified: 2019-06-05 02:01 UTC (History)

Fixed In Version: nss-3.43.0-2.fc30 nss-3.44.0-2.fc29
Last Closed: 2019-05-10 00:47:30 UTC
Type: Bug
Links:
System ID: Mozilla Foundation 1549382; Private: 0; Priority: None; Status: None; Summary: None; Last Updated: 2019-06-11 11:01:33 UTC

Description Christian Heimes 2018-11-09 13:51:09 UTC
Description of problem:
certutil -N (new database) exits with error code 1 although the database is created successfully. There is no error message either.

Version-Release number of selected component (if applicable):
nss-tools-3.39.0-2.fc29.x86_64

How reproducible:
always

Steps to Reproduce:
$ mkdir /tmp/testdb
$ echo Secret123 > /tmp/testdb/pwdfile.txt
$ certutil -N -d /tmp/testdb/ -f /tmp/testdb/pwdfile.txt 

Actual results:
$ echo $?
1

Expected results:
$ echo $?
0

Additional info:
Database is created successfully
$ ls /tmp/testdb/
cert9.db  key4.db  pkcs11.txt  pwdfile.txt

Comment 1 Christian Heimes 2018-11-09 14:00:17 UTC
It might be related to PKCS#11. After I unplugged my Yubikey, certutil is no longer failing.

Comment 2 Christian Heimes 2018-11-09 14:07:43 UTC
Confirmed, the problem is triggered by my Yubikey NEO and gpg-agent. As soon as the gpg-agent process uses my Yubikey for ssh authentication, certutil fails with error code 1.

Reproducer:

* configure a Yubikey NEO to have three GPG keys
* use gpg-agent as ssh-agent
* ssh into another machine using the GPG identity key on the Yubikey NEO
* create a new NSS database with certutil -N  -> certutil exits with error code 1, probably in NSS_shutdown() call.
* kill gpg-agent
* create a new NSS database with certutil -N  -> certutil exits with error code 0

This problem popped up today after I upgraded from F28 to F29. I never had any issues with Yubikey and gpg-agent integration on F28.

Comment 3 Christian Heimes 2018-11-09 14:14:24 UTC
gdb reveals that SECMOD_Shutdown() is failing because it still sees one private module loaded:

Breakpoint 1, SECMOD_Shutdown () at pk11util.c:47
...
91          if (secmod_PrivateModuleCount) {
(gdb) n
92              PORT_SetError(SEC_ERROR_BUSY);
(gdb) n
93              return SECFailure;
(gdb) p secmod_PrivateModuleCount
$1 = 1
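
Added example, not part of the bug report or of NSS: a shell wrapper for automation running on nss builds older than the "Fixed In Version" packages. It accepts the exit status 1 described above only when the database files listed in the description were freshly created by that run. The CERTUTIL variable, the function names and NSSDB_RESULT are this example's own.

```shell
#!/bin/sh
# Added example: wrap "certutil -N" and judge success by what is on disk
# when the tool exits 1, as in this report. Names here are hypothetical.

# CERTUTIL is an assumption of this example so a stub can stand in for the tool.
CERTUTIL="${CERTUTIL:-certutil}"

# nssdb_files_present DIR: true when the three files shown in the report
# exist and the two database files are non-empty.
nssdb_files_present() {
    [ -s "$1/cert9.db" ] && [ -s "$1/key4.db" ] && [ -f "$1/pkcs11.txt" ]
}

# create_nssdb DIR PWFILE
# Returns 0 when a new database exists afterwards, 1 otherwise.
# NSSDB_RESULT is set to: clean | created-exit-1 | failed | refused
create_nssdb() {
    dir=$1 pwfile=$2
    NSSDB_RESULT=failed

    # Files left over from an earlier run would make the on-disk check
    # meaningless, so refuse instead of guessing.
    if [ -e "$dir/cert9.db" ] || [ -e "$dir/key4.db" ]; then
        NSSDB_RESULT=refused
        return 1
    fi

    rc=0
    "$CERTUTIL" -N -d "$dir" -f "$pwfile" || rc=$?

    if [ "$rc" -eq 0 ]; then
        if nssdb_files_present "$dir"; then
            NSSDB_RESULT=clean
            return 0
        fi
        return 1
    fi

    # Only exit status 1 with a complete database matches this report;
    # any other status, or missing files, stays a failure.
    if [ "$rc" -eq 1 ] && nssdb_files_present "$dir"; then
        NSSDB_RESULT=created-exit-1
        echo "warning: certutil exited 1 but $dir holds a new database (bug 1648351)" >&2
        return 0
    fi
    return 1
}
```

Callers that need to tell the two success paths apart can check NSSDB_RESULT after the call.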

Comment 4 Simo Sorce 2019-05-03 20:03:20 UTC
Daiki,
can we get this addressed soonest?
It is blocking IdM team development in many cases.

Comment 5 Fedora Update System 2019-05-07 11:30:53 UTC
nss-3.43.0-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-8584d9df0c

Comment 6 Fedora Update System 2019-05-07 11:30:58 UTC
nss-3.43.0-2.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9f540724f6

Comment 7 Fedora Update System 2019-05-07 17:10:05 UTC
nss-3.43.0-2.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9f540724f6

Comment 8 Fedora Update System 2019-05-08 03:57:15 UTC
nss-3.43.0-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-8584d9df0c

Comment 9 Fedora Update System 2019-05-10 00:47:30 UTC
nss-3.43.0-2.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2019-05-20 16:37:02 UTC
nss-3.44.0-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-e2f5e10754

Comment 11 Fedora Update System 2019-05-21 04:53:40 UTC
nss-3.44.0-2.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-e2f5e10754

Comment 12 Fedora Update System 2019-06-05 02:01:22 UTC
nss-3.44.0-2.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

