debcrafters-packages team mailing list archive

[Bug 2115561] Re: modutil Fails with SEC_ERROR_BAD_DATABASE on Ubuntu 24.04

 

Hi Jeremy,

Thanks for your response!

You were right the first time. I no longer have the snap versions of my
browsers. I'm using the deb installations.

Are you suggesting that I need to try the tutorial before someone will
work on the bug? If so, I'm willing to give it a go, but I've tried it a
few times in the past without success. That was in the days before GenAI,
and I wound up just giving up. I've been favorably impressed by the
capabilities of GenAI (and Gemini in particular), and I'm just
interested in understanding its current capabilities, so I recently
decided to make another attempt. That was successful on my home machine,
but I ran into a dead end on my work machine that led to this bug
report.

My IT department does not provide Linux support.

Larry

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/2115561

Title:
  modutil Fails with SEC_ERROR_BAD_DATABASE on Ubuntu 24.04

Status in nss package in Ubuntu:
  Incomplete

Bug description:
  ### Bug Report: `modutil` Fails with `SEC_ERROR_BAD_DATABASE` on Ubuntu 24.04

  #### 1. Problem Description

  On an Ubuntu 24.04 LTS (Noble Numbat) machine with GNOME Shell 46.0,
  the `modutil` command (from `libnss3-tools`) consistently fails with
  `SEC_ERROR_BAD_DATABASE: security library: bad database.` when
  attempting to add the `opensc-pkcs11.so` module to the user's default
  NSS database (`~/.pki/nssdb`). This issue persists despite extensive
  troubleshooting and system-level reinstallations. The exact same
  software versions (NSS, OpenSC, PCSC) work correctly on a duplicate
  home machine running the same Ubuntu version.

  #### 2. Steps to Reproduce

  1.  Ensure `opensc` and `libnss3-tools` are installed:
      `sudo apt install opensc libnss3-tools`
  2.  Cleanly re-initialize the user's default NSS database (ensure no Firefox/Chrome/Thunderbird processes are running, as they can conflict):
      ```bash
      pkill -f firefox
      pkill -f chrome
      pkill -f thunderbird # Add if applicable
      mv ~/.pki/nssdb ~/.pki/nssdb_backup_$(date +%Y%m%d%H%M%S) # Backup existing
      mkdir -p ~/.pki/nssdb
      certutil -N -d ~/.pki/nssdb # Leave password blank for testing
      ```
      (Enter `Enter` twice for password)
  3.  Attempt to add the OpenSC PKCS#11 module:
      ```bash
      MODUTIL_DEBUG=1 modutil -add opensc -libfile /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so -force
      ```

  #### 3. Expected Behavior

  The `modutil` command should successfully add the OpenSC module to the
  NSS database without reporting a database error, as observed on a
  duplicate Ubuntu 24.04 system with identical software versions.

  #### 4. Actual Behavior

  The `modutil` command fails with the following output:
  `modutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.`

  #### 5. System Information

  * **Operating System:** Ubuntu 24.04 LTS (Noble Numbat)
  * **GNOME Shell Version:** `GNOME Shell 46.0`
  * **NSS Package Version:**
      ```
      apt-cache policy libnss3
      libnss3:
        Installed: 2:3.98-1build1
        Candidate: 2:3.98-1build1
        Version table:
      *** 2:3.98-1build1 500
              500 http://us.archive.ubuntu.com/ubuntu noble/main amd64 Packages
              100 /var/lib/dpkg/status
      ```
  * **Other Relevant Package Versions (identical to working home machine):**
      * `libnss3-tools`: `2:3.98-1build1`
      * `libpcsclite1`: `2.0.3-1build1`
      * `opensc`: `0.25.0-1ubuntu2.1` (assuming standard install)
  * **SELinux Status:** `disabled` (from `sestatus` output)
  * **`~/.pki/nssdb` Contents (after `certutil -N`):**
      (Example content after successful `certutil -N`, indicating `cert9.db`, `key4.db`, `pkcs11.txt`, and `secmod.db` are present with `rw-------` permissions. `secmod.db` creation was verified via `strace`.)
      ```
      total 68
      -rw------- 1 xphileprof xphileprof 28672 <date> cert9.db
      -rw------- 1 xphileprof xphileprof 36864 <date> key4.db
      -rw------- 1 xphileprof xphileprof   508 <date> pkcs11.txt
      -rw------- 1 xphileprof xphileprof 12288 <date> secmod.db
      ```

  #### 6. Crucial Diagnostic Logs

  These logs provide critical low-level detail about the failure. Please
  link to them as specified.

  * **Ultimate `strace` Log of `modutil` (demonstrates success of low-level ops):**
      * **Link:** [https://pastebin.com/DrBW3ejn](https://pastebin.com/DrBW3ejn)
      * **Context:** This log, generated with `strace -f -v -s 2048`, confirms:
          * Successful loading of `opensc-pkcs11.so` and `libpcsclite.so.1`.
          * Successful IPC communication with `pcscd.comm` (socket `9`) including retrieval of reader names ("Dell Dell Smart Card Reader Keyboard").
          * Successful `openat`, `read`, `write`, `fsync`, `fcntl` (for locking) operations on `cert9.db`, `key4.db`, `secmod.db`, and `pkcs11.txt` within `~/.pki/nssdb` **without any kernel-level errors (all `0` return values)**.
          * The `SEC_ERROR_BAD_DATABASE` error is issued without any immediately preceding failing system call directly related to the database files.

  * **OpenSC Verbose Log (from `modutil` failure):**
      * **Link:** [https://pastebin.com/e5vJfhjD](https://pastebin.com/e5vJfhjD)
      * **Context:** This log (generated with `OPENSC_DEBUG=9 OPENSC_DRIVER=9`) initially showed `SCARD_E_NO_READERS_AVAILABLE`. This was later determined to be a misleading error at the OpenSC layer, as `strace` proved `pcscd` communication and reader enumeration were successful.

  * **`certutil -N` `strace` Log (confirming `secmod.db` creation):**
      * **Link:** [https://pastebin.com/Qb4RHdA1](https://pastebin.com/Qb4RHdA1)
      * **Context:** This log explicitly confirmed that `secmod.db` was successfully created and written to during the `certutil -N` operation, which resolved a previous hurdle.

  * **Note on NSS Internal Debugging:** Attempts to use `NSS_LOG_FILE`
  and `NSS_LOG_MODULES="ALL:5"` did not produce a log file, suggesting a
  very early or fundamental failure within NSS that prevents its logging
  mechanism from initializing.

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: libnss3 2:3.98-1build1
  ProcVersionSignature: Ubuntu 6.8.0-62.65-generic 6.8.12
  Uname: Linux 6.8.0-62-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.28.1-0ubuntu3.7
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Sat Jun 28 12:16:13 2025
  InstallationDate: Installed on 2018-12-26 (2376 days ago)
  InstallationMedia: Ubuntu 18.04.1 LTS "Bionic Beaver" - Release amd64 (20180725)
  SourcePackage: nss
  UpgradeStatus: Upgraded to noble on 2024-10-01 (270 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/2115561/+subscriptions
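
A read-only check of the database directory described in the report, added here as an example; it is not part of the bug report or of NSS. It verifies the presence, ownership and mode of the files listed in section 5 and lists the module stanzas recorded in `pkcs11.txt`. The function names are hypothetical, and GNU `stat -c` (as shipped on Ubuntu) is assumed.

```bash
# Added example: read-only audit of an NSS SQL database directory.
# nssdb_files, nssdb_modules and nssdb_libs are hypothetical helper names.

# Report files that are missing, not owned by the caller, or not mode 600.
nssdb_files() {
    local f p rc=0
    for f in cert9.db key4.db pkcs11.txt; do
        p="$1/$f"
        if [ ! -f "$p" ]; then echo "MISSING $f"; rc=1; continue; fi
        [ "$(stat -c %u "$p")" = "$(id -u)" ] || { echo "OWNER $f"; rc=1; }
        [ "$(stat -c %a "$p")" = 600 ] || { echo "MODE $f"; rc=1; }
    done
    return $rc
}

# Print "name|library" per pkcs11.txt stanza (stanzas are blank-line separated).
# An empty library= is NSS's built-in module and is shown as "(internal)".
nssdb_modules() {
    awk '
        function emit() {
            if (name != "" || lib != "")
                print (name == "" ? "(unnamed)" : name) "|" (lib == "" ? "(internal)" : lib)
            name = ""; lib = ""
        }
        /^library=/ { lib = substr($0, 9) }
        /^name=/    { name = substr($0, 6) }
        NF == 0     { emit() }
        END         { emit() }
    ' "$1/pkcs11.txt"
}

# Flag registered modules whose shared library cannot be read.
nssdb_libs() {
    local name lib rc=0
    while IFS='|' read -r name lib; do
        case $lib in ""|"(internal)") continue ;; esac
        [ -r "$lib" ] || { echo "UNREADABLE $name -> $lib"; rc=1; }
    done <<EOF
$(nssdb_modules "$1")
EOF
    return $rc
}

# Constructed sample directory; the second stanza uses the path from step 3.
demo=$(mktemp -d)
( umask 077; : > "$demo/cert9.db"; : > "$demo/key4.db"
  printf '%s\n' 'library=' 'name=NSS Internal PKCS #11 Module' '' 'name=opensc' \
      'library=/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so' > "$demo/pkcs11.txt" )
nssdb_files "$demo" || true; nssdb_modules "$demo"; nssdb_libs "$demo" || true
```

On a real system the functions take `~/.pki/nssdb` as their argument, and the module list can be cross-checked against `modutil -dbdir sql:$HOME/.pki/nssdb -list`.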


