debcrafters-packages team mailing list archive
-
debcrafters-packages team
-
Mailing list archive
-
Message #03150
Re: [Bug 2115561] Re: modutil Fails with SEC_ERROR_BAD_DATABASE on Ubuntu 24.04
Hi Jeremy,
Thanks for your response!
You were right the first time. I no longer have the snap versions of my
browsers. I'm using the deb installations.
Are you suggesting that I need to try the tutorial before someone will work
on the bug? If so, I'm willing to give it a go, but I've tried it a few
times in the past without success.That was in the days before GenAI, and I
wound up just giving up. I've been favorably impressed by the capabilities
of GenAI (and Gemini in particular), and I'm just interested in
understanding its current capabilities, so I recently decided to make
another attempt. That was successful on my home machine, but I ran into a
dead end on my work machine that led to this bug report.
My IT department does not provide Linux support. If it's not Microsoft,
they can't spell it.
Larry
----------------------------------------------------------------------------------------------------------------------------------------------
How much do you really know about how to use email?
http://www.101emailetiquettetips.com/
"Act only according to that maxim whereby you can at the same time will
that it should become a universal law without contradiction.” — Immanuel
Kant, Grounding for the Metaphysics of Morals.
----------------------------------------------------------------------------------------------------------------------------------------------
On Mon, Jun 30, 2025 at 12:45 PM Jeremy Bícha <2115561@xxxxxxxxxxxxxxxxxx>
wrote:
> Actually you might need https://ubuntu.com/tutorials/enable-smart-cards-
> in-snapped-browsers
> <https://ubuntu.com/tutorials/enable-smart-cards-in-snapped-browsers>
> more than the other tutorial.
>
> ** Changed in: nss (Ubuntu)
> Status: New => Incomplete
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/2115561
>
> Title:
> modutil Fails with SEC_ERROR_BAD_DATABASE on Ubuntu 24.04
>
> Status in nss package in Ubuntu:
> Incomplete
>
> Bug description:
> ### Bug Report: `modutil` Fails with `SEC_ERROR_BAD_DATABASE` on
> Ubuntu 24.04
>
> #### 1. Problem Description
>
> On an Ubuntu 24.04 LTS (Noble Numbat) machine with GNOME Shell 46.0,
> the `modutil` command (from `libnss3-tools`) consistently fails with
> `SEC_ERROR_BAD_DATABASE: security library: bad database.` when
> attempting to add the `opensc-pkcs11.so` module to the user's default
> NSS database (`~/.pki/nssdb`). This issue persists despite extensive
> troubleshooting and system-level reinstallations. The exact same
> software versions (NSS, OpenSC, PCSC) work correctly on a duplicate
> home machine running the same Ubuntu version.
>
> #### 2. Steps to Reproduce
>
> 1. Ensure `opensc` and `libnss3-tools` are installed:
> `sudo apt install opensc libnss3-tools`
> 2. Cleanly re-initialize the user's default NSS database (ensure no
> Firefox/Chrome/Thunderbird processes are running, as they can conflict):
> ```bash
> pkill -f firefox
> pkill -f chrome
> pkill -f thunderbird # Add if applicable
> mv ~/.pki/nssdb ~/.pki/nssdb_backup_$(date +%Y%m%d%H%M%S) # Backup
> existing
> mkdir -p ~/.pki/nssdb
> certutil -N -d ~/.pki/nssdb # Leave password blank for testing
> ```
> (Enter `Enter` twice for password)
> 3. Attempt to add the OpenSC PKCS#11 module:
> ```bash
> MODUTIL_DEBUG=1 modutil -add opensc -libfile
> /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so -force
> ```
>
> #### 3. Expected Behavior
>
> The `modutil` command should successfully add the OpenSC module to the
> NSS database without reporting a database error, as observed on a
> duplicate Ubuntu 24.04 system with identical software versions.
>
> #### 4. Actual Behavior
>
> The `modutil` command fails with the following output:
> `modutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad
> database.`
>
> #### 5. System Information
>
> * **Operating System:** Ubuntu 24.04 LTS (Noble Numbat)
> * **GNOME Shell Version:** `GNOME Shell 46.0`
> * **NSS Package Version:**
> ```
> apt-cache policy libnss3
> libnss3:
> Installed: 2:3.98-1build1
> Candidate: 2:3.98-1build1
> Version table:
> *** 2:3.98-1build1 500
> 500 [
> http://us.archive.ubuntu.com/ubuntu](http://us.archive.ubuntu.com/ubuntu)
> noble/main amd64 Packages
> 100 /var/lib/dpkg/status
> ```
> * **Other Relevant Package Versions (identical to working home
> machine):**
> * `libnss3-tools`: `2:3.98-1build1`
> * `libpcsclite1`: `2.0.3-1build1`
> * `opensc`: `0.25.0-1ubuntu2.1` (assuming standard install)
> * **SELinux Status:** `disabled` (from `sestatus` output)
> * **`~/.pki/nssdb` Contents (after `certutil -N`):**
> (Example content after successful `certutil -N`, indicating
> `cert9.db`, `key4.db`, `pkcs11.txt`, and `secmod.db` are present with
> `rw-------` permissions. `secmod.db` creation was verified via `strace`.)
> ```
> total 68
> -rw------- 1 xphileprof xphileprof 28672 <date> cert9.db
> -rw------- 1 xphileprof xphileprof 36864 <date> key4.db
> -rw------- 1 xphileprof xphphileprof 508 <date> pkcs11.txt
> -rw------- 1 xphileprof xphileprof 12288 <date> secmod.db
> ```
>
> #### 6. Crucial Diagnostic Logs
>
> These logs provide critical low-level detail about the failure. Please
> link to them as specified.
>
> * **Ultimate `strace` Log of `modutil` (demonstrates success of
> low-level ops):**
> * **Link:** [
> https://pastebin.com/DrBW3ejn](https://pastebin.com/DrBW3ejn)
> * **Context:** This log, generated with `strace -f -v -s 2048`,
> confirms:
> * Successful loading of `opensc-pkcs11.so` and
> `libpcsclite.so.1`.
> * Successful IPC communication with `pcscd.comm` (socket `9`)
> including retrieval of reader names ("Dell Dell Smart Card Reader
> Keyboard").
> * Successful `openat`, `read`, `write`, `fsync`, `fcntl` (for
> locking) operations on `cert9.db`, `key4.db`, `secmod.db`, and `pkcs11.txt`
> within `~/.pki/nssdb` **without any kernel-level errors (all `0` return
> values)**.
> * The `SEC_ERROR_BAD_DATABASE` error is issued without any
> immediately preceding failing system call directly related to the database
> files.
>
> * **OpenSC Verbose Log (from `modutil` failure):**
> * **Link:** [
> https://pastebin.com/e5vJfhjD](https://pastebin.com/e5vJfhjD)
> * **Context:** This log (generated with `OPENSC_DEBUG=9
> OPENSC_DRIVER=9`) initially showed `SCARD_E_NO_READERS_AVAILABLE`. This was
> later determined to be a misleading error at the OpenSC layer, as `strace`
> proved `pcscd` communication and reader enumeration were successful.
>
> * **`certutil -N` `strace` Log (confirming `secmod.db` creation):**
> * **Link:** [
> https://pastebin.com/Qb4RHdA1](https://pastebin.com/Qb4RHdA1)
> * **Context:** This log explicitly confirmed that `secmod.db` was
> successfully created and written to during the `certutil -N` operation,
> which resolved a previous hurdle.
>
> * **Note on NSS Internal Debugging:** Attempts to use `NSS_LOG_FILE`
> and `NSS_LOG_MODULES="ALL:5"` did not produce a log file, suggesting a
> very early or fundamental failure within NSS that prevents its logging
> mechanism from initializing.
>
> ProblemType: Bug
> DistroRelease: Ubuntu 24.04
> Package: libnss3 2:3.98-1build1
> ProcVersionSignature: Ubuntu 6.8.0-62.65-generic 6.8.12
> Uname: Linux 6.8.0-62-generic x86_64
> NonfreeKernelModules: nvidia_modeset nvidia
> ApportVersion: 2.28.1-0ubuntu3.7
> Architecture: amd64
> CasperMD5CheckResult: unknown
> CurrentDesktop: ubuntu:GNOME
> Date: Sat Jun 28 12:16:13 2025
> InstallationDate: Installed on 2018-12-26 (2376 days ago)
> InstallationMedia: Ubuntu 18.04.1 LTS "Bionic Beaver" - Release amd64
> (20180725)
> SourcePackage: nss
> UpgradeStatus: Upgraded to noble on 2024-10-01 (270 days ago)
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/nss/+bug/2115561/+subscriptions
>
>
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/2115561
Title:
modutil Fails with SEC_ERROR_BAD_DATABASE on Ubuntu 24.04
Status in nss package in Ubuntu:
Incomplete
Bug description:
### Bug Report: `modutil` Fails with `SEC_ERROR_BAD_DATABASE` on
Ubuntu 24.04
#### 1. Problem Description
On an Ubuntu 24.04 LTS (Noble Numbat) machine with GNOME Shell 46.0,
the `modutil` command (from `libnss3-tools`) consistently fails with
`SEC_ERROR_BAD_DATABASE: security library: bad database.` when
attempting to add the `opensc-pkcs11.so` module to the user's default
NSS database (`~/.pki/nssdb`). This issue persists despite extensive
troubleshooting and system-level reinstallations. The exact same
software versions (NSS, OpenSC, PCSC) work correctly on a duplicate
home machine running the same Ubuntu version.
#### 2. Steps to Reproduce
1. Ensure `opensc` and `libnss3-tools` are installed:
`sudo apt install opensc libnss3-tools`
2. Cleanly re-initialize the user's default NSS database (ensure no Firefox/Chrome/Thunderbird processes are running, as they can conflict):
```bash
pkill -f firefox
pkill -f chrome
pkill -f thunderbird # Add if applicable
mv ~/.pki/nssdb ~/.pki/nssdb_backup_$(date +%Y%m%d%H%M%S) # Backup existing
mkdir -p ~/.pki/nssdb
certutil -N -d ~/.pki/nssdb # Leave password blank for testing
```
(Enter `Enter` twice for password)
3. Attempt to add the OpenSC PKCS#11 module:
```bash
MODUTIL_DEBUG=1 modutil -add opensc -libfile /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so -force
```
#### 3. Expected Behavior
The `modutil` command should successfully add the OpenSC module to the
NSS database without reporting a database error, as observed on a
duplicate Ubuntu 24.04 system with identical software versions.
#### 4. Actual Behavior
The `modutil` command fails with the following output:
`modutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.`
#### 5. System Information
* **Operating System:** Ubuntu 24.04 LTS (Noble Numbat)
* **GNOME Shell Version:** `GNOME Shell 46.0`
* **NSS Package Version:**
```
apt-cache policy libnss3
libnss3:
Installed: 2:3.98-1build1
Candidate: 2:3.98-1build1
Version table:
*** 2:3.98-1build1 500
500 [http://us.archive.ubuntu.com/ubuntu](http://us.archive.ubuntu.com/ubuntu) noble/main amd64 Packages
100 /var/lib/dpkg/status
```
* **Other Relevant Package Versions (identical to working home machine):**
* `libnss3-tools`: `2:3.98-1build1`
* `libpcsclite1`: `2.0.3-1build1`
* `opensc`: `0.25.0-1ubuntu2.1` (assuming standard install)
* **SELinux Status:** `disabled` (from `sestatus` output)
* **`~/.pki/nssdb` Contents (after `certutil -N`):**
(Example content after successful `certutil -N`, indicating `cert9.db`, `key4.db`, `pkcs11.txt`, and `secmod.db` are present with `rw-------` permissions. `secmod.db` creation was verified via `strace`.)
```
total 68
-rw------- 1 xphileprof xphileprof 28672 <date> cert9.db
-rw------- 1 xphileprof xphileprof 36864 <date> key4.db
-rw------- 1 xphileprof xphphileprof 508 <date> pkcs11.txt
-rw------- 1 xphileprof xphileprof 12288 <date> secmod.db
```
#### 6. Crucial Diagnostic Logs
These logs provide critical low-level detail about the failure. Please
link to them as specified.
* **Ultimate `strace` Log of `modutil` (demonstrates success of low-level ops):**
* **Link:** [https://pastebin.com/DrBW3ejn](https://pastebin.com/DrBW3ejn)
* **Context:** This log, generated with `strace -f -v -s 2048`, confirms:
* Successful loading of `opensc-pkcs11.so` and `libpcsclite.so.1`.
* Successful IPC communication with `pcscd.comm` (socket `9`) including retrieval of reader names ("Dell Dell Smart Card Reader Keyboard").
* Successful `openat`, `read`, `write`, `fsync`, `fcntl` (for locking) operations on `cert9.db`, `key4.db`, `secmod.db`, and `pkcs11.txt` within `~/.pki/nssdb` **without any kernel-level errors (all `0` return values)**.
* The `SEC_ERROR_BAD_DATABASE` error is issued without any immediately preceding failing system call directly related to the database files.
* **OpenSC Verbose Log (from `modutil` failure):**
* **Link:** [https://pastebin.com/e5vJfhjD](https://pastebin.com/e5vJfhjD)
* **Context:** This log (generated with `OPENSC_DEBUG=9 OPENSC_DRIVER=9`) initially showed `SCARD_E_NO_READERS_AVAILABLE`. This was later determined to be a misleading error at the OpenSC layer, as `strace` proved `pcscd` communication and reader enumeration were successful.
* **`certutil -N` `strace` Log (confirming `secmod.db` creation):**
* **Link:** [https://pastebin.com/Qb4RHdA1](https://pastebin.com/Qb4RHdA1)
* **Context:** This log explicitly confirmed that `secmod.db` was successfully created and written to during the `certutil -N` operation, which resolved a previous hurdle.
* **Note on NSS Internal Debugging:** Attempts to use `NSS_LOG_FILE`
and `NSS_LOG_MODULES="ALL:5"` did not produce a log file, suggesting a
very early or fundamental failure within NSS that prevents its logging
mechanism from initializing.
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: libnss3 2:3.98-1build1
ProcVersionSignature: Ubuntu 6.8.0-62.65-generic 6.8.12
Uname: Linux 6.8.0-62-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.28.1-0ubuntu3.7
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Sat Jun 28 12:16:13 2025
InstallationDate: Installed on 2018-12-26 (2376 days ago)
InstallationMedia: Ubuntu 18.04.1 LTS "Bionic Beaver" - Release amd64 (20180725)
SourcePackage: nss
UpgradeStatus: Upgraded to noble on 2024-10-01 (270 days ago)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/2115561/+subscriptions
References
