
debcrafters-packages team mailing list archive

[Bug 2115561] Re: modutil Fails with SEC_ERROR_BAD_DATABASE on Ubuntu 24.04

 

I used Google Gemini extensively in the process of getting my CAC (DoD
smartcard) working. On my home machine (also Ubuntu 24.04), that was
eventually successful. On my work machine, it led to this bug report,
even after detailed comparisons of the two machine configurations.
Gemini wrote the bug description, but I reviewed it for accuracy and, to
the best of my ability, the requirements for Ubuntu bug reports. I
missed the fact that I never ran pkill -f thunderbird, but I don't use
thunderbird and have confirmed that it is not running. I also missed the
"please link to them" statement that Gemini intended for me but that I
inadvertently left in the description.

I look forward to learning that either (a) Gemini missed something
obvious, or (b) Gemini successfully isolated a fundamental problem in
getting CACs working on Ubuntu. Thank you!

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/2115561

Title:
  modutil Fails with SEC_ERROR_BAD_DATABASE on Ubuntu 24.04

Status in nss package in Ubuntu:
  New

Bug description:
  ### Bug Report: `modutil` Fails with `SEC_ERROR_BAD_DATABASE` on
  Ubuntu 24.04

  #### 1. Problem Description

  On an Ubuntu 24.04 LTS (Noble Numbat) machine with GNOME Shell 46.0,
  the `modutil` command (from `libnss3-tools`) consistently fails with
  `SEC_ERROR_BAD_DATABASE: security library: bad database.` when
  attempting to add the `opensc-pkcs11.so` module to the user's default
  NSS database (`~/.pki/nssdb`). This issue persists despite extensive
  troubleshooting and system-level reinstallations. The exact same
  software versions (NSS, OpenSC, PCSC) work correctly on a duplicate
  home machine running the same Ubuntu version.

  #### 2. Steps to Reproduce

  1.  Ensure `opensc` and `libnss3-tools` are installed:
      `sudo apt install opensc libnss3-tools`
  2.  Cleanly re-initialize the user's default NSS database (ensure no Firefox/Chrome/Thunderbird processes are running, as they can conflict):
      ```bash
      pkill -f firefox
      pkill -f chrome
      pkill -f thunderbird # Add if applicable
      mv ~/.pki/nssdb ~/.pki/nssdb_backup_$(date +%Y%m%d%H%M%S) # Backup existing
      mkdir -p ~/.pki/nssdb
      certutil -N -d ~/.pki/nssdb # Leave password blank for testing
      ```
      (Enter `Enter` twice for password)
  3.  Attempt to add the OpenSC PKCS#11 module:
      ```bash
      MODUTIL_DEBUG=1 modutil -add opensc -libfile /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so -force
      ```

  #### 3. Expected Behavior

  The `modutil` command should successfully add the OpenSC module to the
  NSS database without reporting a database error, as observed on a
  duplicate Ubuntu 24.04 system with identical software versions.

  #### 4. Actual Behavior

  The `modutil` command fails with the following output:
  `modutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.`

  #### 5. System Information

  * **Operating System:** Ubuntu 24.04 LTS (Noble Numbat)
  * **GNOME Shell Version:** `GNOME Shell 46.0`
  * **NSS Package Version:**
      ```
      apt-cache policy libnss3
      libnss3:
        Installed: 2:3.98-1build1
        Candidate: 2:3.98-1build1
        Version table:
      *** 2:3.98-1build1 500
              500 http://us.archive.ubuntu.com/ubuntu noble/main amd64 Packages
              100 /var/lib/dpkg/status
      ```
  * **Other Relevant Package Versions (identical to working home machine):**
      * `libnss3-tools`: `2:3.98-1build1`
      * `libpcsclite1`: `2.0.3-1build1`
      * `opensc`: `0.25.0-1ubuntu2.1` (assuming standard install)
  * **SELinux Status:** `disabled` (from `sestatus` output)
  * **`~/.pki/nssdb` Contents (after `certutil -N`):**
      (Example content after successful `certutil -N`, indicating `cert9.db`, `key4.db`, `pkcs11.txt`, and `secmod.db` are present with `rw-------` permissions. `secmod.db` creation was verified via `strace`.)
      ```
      total 68
      -rw------- 1 xphileprof xphileprof 28672 <date> cert9.db
      -rw------- 1 xphileprof xphileprof 36864 <date> key4.db
      -rw------- 1 xphileprof xphileprof   508 <date> pkcs11.txt
      -rw------- 1 xphileprof xphileprof 12288 <date> secmod.db
      ```

  #### 6. Crucial Diagnostic Logs

  These logs provide critical low-level detail about the failure. Please
  link to them as specified.

  * **Ultimate `strace` Log of `modutil` (demonstrates success of low-level ops):**
      * **Link:** [https://pastebin.com/DrBW3ejn](https://pastebin.com/DrBW3ejn)
      * **Context:** This log, generated with `strace -f -v -s 2048`, confirms:
          * Successful loading of `opensc-pkcs11.so` and `libpcsclite.so.1`.
          * Successful IPC communication with `pcscd.comm` (socket `9`) including retrieval of reader names ("Dell Dell Smart Card Reader Keyboard").
          * Successful `openat`, `read`, `write`, `fsync`, `fcntl` (for locking) operations on `cert9.db`, `key4.db`, `secmod.db`, and `pkcs11.txt` within `~/.pki/nssdb` **without any kernel-level errors (all `0` return values)**.
          * The `SEC_ERROR_BAD_DATABASE` error is issued without any immediately preceding failing system call directly related to the database files.

  * **OpenSC Verbose Log (from `modutil` failure):**
      * **Link:** [https://pastebin.com/e5vJfhjD](https://pastebin.com/e5vJfhjD)
      * **Context:** This log (generated with `OPENSC_DEBUG=9 OPENSC_DRIVER=9`) initially showed `SCARD_E_NO_READERS_AVAILABLE`. This was later determined to be a misleading error at the OpenSC layer, as `strace` proved `pcscd` communication and reader enumeration were successful.

  * **`certutil -N` `strace` Log (confirming `secmod.db` creation):**
      * **Link:** [https://pastebin.com/Qb4RHdA1](https://pastebin.com/Qb4RHdA1)
      * **Context:** This log explicitly confirmed that `secmod.db` was successfully created and written to during the `certutil -N` operation, which resolved a previous hurdle.

  * **Note on NSS Internal Debugging:** Attempts to use `NSS_LOG_FILE`
  and `NSS_LOG_MODULES="ALL:5"` did not produce a log file, suggesting a
  very early or fundamental failure within NSS that prevents its logging
  mechanism from initializing.

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: libnss3 2:3.98-1build1
  ProcVersionSignature: Ubuntu 6.8.0-62.65-generic 6.8.12
  Uname: Linux 6.8.0-62-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.28.1-0ubuntu3.7
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Sat Jun 28 12:16:13 2025
  InstallationDate: Installed on 2018-12-26 (2376 days ago)
  InstallationMedia: Ubuntu 18.04.1 LTS "Bionic Beaver" - Release amd64 (20180725)
  SourcePackage: nss
  UpgradeStatus: Upgraded to noble on 2024-10-01 (270 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/2115561/+subscriptions
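
Added example, not part of the original bug report and not NSS project code: a read-only check of which NSS database file formats a directory holds and which PKCS#11 libraries its `pkcs11.txt` registers, the two facts the report's directory listing and `modutil -add` step turn on. The function names, the temporary directory and the sample `pkcs11.txt` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report): read-only inspection of an NSS
# database directory. Function names and sample data are constructed.

# Print which on-disk NSS formats are present in DIR: sql, dbm, sql+dbm, none.
nss_db_format() {
    local dir="$1" sql=no dbm=no f
    # SQLite ("sql:") databases use cert9.db, key4.db and pkcs11.txt.
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then sql=yes; fi
    # Legacy ("dbm:") databases use cert8.db, key3.db and secmod.db.
    for f in cert8.db key3.db secmod.db; do
        if [ -f "$dir/$f" ]; then dbm=yes; fi
    done
    case "$sql/$dbm" in
        yes/yes) echo "sql+dbm" ;;
        yes/no)  echo "sql" ;;
        no/yes)  echo "dbm" ;;
        *)       echo "none" ;;
    esac
}

# Print the library path of every external module registered in pkcs11.txt.
# The internal NSS module has an empty "library=" line and is skipped.
nss_registered_libs() {
    local f="$1/pkcs11.txt"
    if [ -f "$f" ]; then
        sed -n 's/^library=\(..*\)$/\1/p' "$f"
    fi
}

# Constructed sample: file names as in the report's listing, empty files.
demo_dir=$(mktemp -d)
touch "$demo_dir/cert9.db" "$demo_dir/key4.db" "$demo_dir/secmod.db"
cat > "$demo_dir/pkcs11.txt" <<'EOF'
library=
name=NSS Internal PKCS #11 Module
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100

library=/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
name=opensc
EOF

echo "format: $(nss_db_format "$demo_dir")"
echo "modules:"
nss_registered_libs "$demo_dir"

# On a real system, inspect the directory from the report and let NSS list
# the modules of an explicitly named database:
#   nss_db_format "$HOME/.pki/nssdb"
#   modutil -dbdir "sql:$HOME/.pki/nssdb" -list
```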


