FiloSottile / mkcert

A simple zero-config tool to make locally trusted development certificates with any names you'd like.
https://mkcert.dev
BSD 3-Clause "New" or "Revised" License

Certutil process is continuously running and not returning when creating new NSS DB #558

Closed skrati closed 8 months ago

skrati commented 11 months ago

Hi,

I am trying to create a new NSS DB by running the following command using popen and reading the output. Please find the code snippet below. The code gets stuck after the cout "Before closing Pipe" in the catch block.

#include <cstdio>
#include <iostream>
#include <stdexcept>
#include <string>
using namespace std;
typedef string CString;   // assumption: CString in the original wraps std::string (the error text mentions basic_string::append)

void ExecuteCommand()
{
    FILE *pipe = nullptr;
    char c_abuffer[128];
    CString c_strFinalCmd, strResult;
    c_strFinalCmd = " certutil -N -d sql:/platform/tmp/.pki/nssdb --empty-password 2>&1 ";
    try {
        pipe = popen(c_strFinalCmd.c_str(), "r");
        if (!pipe)
            throw runtime_error("popen failed");

        // The fgets loop below throws an exception internally: "basic_string::append" of type "St12length_error"
        while (fgets(c_abuffer, sizeof c_abuffer, pipe) != NULL)
            strResult += c_abuffer;
        cout << "Success .. " << endl;
    }
    catch (exception &e)
    {
        if (pipe)
        {
            cout << "Before closing pipe" << endl;
            pclose(pipe);   // waits for certutil to exit, which it never does
        }
        cout << "ExecuteCommand failed" << endl;
        throw;
    }
}

After checking the processes running, saw that certutil is running continuously and not returning.

ps -ef | grep certutil
root 2933 2234 0 Nov10 ? 00:00:00 sh -c certutil -N -d sql:/platform/tmp/.pki/nssdb --empty-password 2>&1
root 2943 2933 89 Nov10 ? 01:05:50 certutil -N -d sql:/platform/tmp/.pki/nssdb --empty-password
root 6715 21209 0 13:13 ttyS2 00:00:00 grep certutil

Below is the gdb output of certutil:

#0  0xf7714b39 in __kernel_vsyscall ()
#1  0xf737a033 in __open_nocancel () at ../sysdeps/unix/syscall-template.S:81
#2  0xf730cab7 in __GI__IO_file_open (fp=0x80cda00, filename=0x8072674 "/dev/tty", posix_mode=0, prot=438, read_write=8, is32not64=1) at fileops.c:227
#3  0xf730cc59 in _IO_new_file_fopen (fp=0x80cda00, filename=0x8072674 "/dev/tty", mode=<optimized out>, is32not64=1) at fileops.c:332
#4  0xf73016c1 in __fopen_internal (filename=0x8072674 "/dev/tty", mode=0x8060eaf "r", is32=1) at iofopen.c:90
#5  0xf730172e in _IO_new_fopen (filename=0x8072674 "/dev/tty", mode=0x8060eaf "r") at iofopen.c:103
#6  0x08058305 in ?? ()
#7  0x08058699 in SECU_GetModulePassword ()
#8  0x08058a89 in ?? ()
#9  0x080536bb in ?? ()
#10 0x0804f15a in ?? ()
#11 0xf72b7efe in __libc_start_main (main=0x804f130, argc=5, argv=0xffdda0e4, init=0x805f890, fini=0x805f8f0, rtld_fini=0xf7724820 <_dl_fini>, stack_end=0xffdda0dc) at libc-start.c:287
#12 0x0804f197 in ?? ()
(gdb) detach
Detaching from program: /usr/bin/certutil, process 3278
(gdb) quit

Below is the strace output of certutil, coming continuously:

write(2, "Invalid password. Try again.\n", 30) = -1 EPIPE (Broken pipe)
--- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=2943, si_uid=0} ---
open("/dev/tty", O_RDONLY) = -1 ENXIO (No such device or address)
write(2, "Error opening input terminal for"..., 38) = -1 EPIPE (Broken pipe)
--- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=2943, si_uid=0} ---
gettimeofday({1699704735, 608686}, NULL) = 0
write(2, "Invalid password. Try again.\n", 30) = -1 EPIPE (Broken pipe)

When I tried to open FD 2, the messages below kept coming endlessly:

Error opening input terminal for read
Invalid password. Try again.

Please let me know why the certutil command is not returning. Thanks
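The hang in this report comes from a child that keeps prompting for a password with no terminal to read it from, while pclose() waits for it forever. The following is an added example, not code from the issue or from mkcert: a popen() replacement that gives the child /dev/null on stdin (so a password prompt reads EOF instead of a tty), reads merged stdout and stderr until EOF, and kills the child's process group at a deadline. The function and struct names are my own; the commands in the usage are constructed.

```cpp
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>
#include <chrono>
#include <string>
// Everything the child wrote to stdout/stderr, its raw wait status, and
// whether the deadline fired (true means the child was killed).
struct CmdResult { std::string output; int status; bool timed_out; };
// Run `cmd` via /bin/sh with stdin from /dev/null (a password prompt reads EOF
// instead of a terminal), stdout+stderr merged into one pipe read until EOF,
// and the child's process group killed once `timeout_ms` elapses.
CmdResult runWithTimeout(const char *cmd, int timeout_ms) {
    using clk = std::chrono::steady_clock;
    CmdResult r{"", -1, false};
    int fds[2];
    if (pipe(fds) != 0) return r;
    pid_t pid = fork();
    if (pid < 0) return r;
    if (pid == 0) {                               // child
        setpgid(0, 0);                            // own group: kill(-pid) also reaches sh's children
        int devnull = open("/dev/null", O_RDONLY);
        dup2(devnull, STDIN_FILENO);
        dup2(fds[1], STDOUT_FILENO);
        dup2(fds[1], STDERR_FILENO);
        close(fds[0]); close(fds[1]); close(devnull);
        execl("/bin/sh", "sh", "-c", cmd, (char *)nullptr);
        _exit(127);
    }
    close(fds[1]);                                // parent keeps only the read end
    auto deadline = clk::now() + std::chrono::milliseconds(timeout_ms);
    char buf[128];
    for (;;) {
        auto left = std::chrono::duration_cast<std::chrono::milliseconds>(deadline - clk::now()).count();
        struct pollfd pfd{fds[0], POLLIN, 0};
        if (left <= 0 || poll(&pfd, 1, (int)left) <= 0) {
            r.timed_out = true;                   // still running at the deadline: stop it
            if (kill(-pid, SIGKILL) != 0) kill(pid, SIGKILL);
            break;
        }
        ssize_t n = read(fds[0], buf, sizeof buf);
        if (n <= 0) break;                        // EOF: every writer has exited
        r.output.append(buf, n);
    }
    close(fds[0]);
    waitpid(pid, &r.status, 0);                   // cannot block forever: sh is dead or done
    return r;
}
```

Running `certutil -N -d sql:<dir> --empty-password` through this returns within the deadline even when certutil falls into its "Invalid password. Try again." loop, and the captured output then shows the prompt text instead of a silent hang.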

skrati commented 8 months ago

No response, so closing it. Thanks

darioseidl commented 1 month ago

I have the same problem. mkcert -install hangs trying to install into the nssdb, because certutil hangs.

I assume the culprit is

Error opening input terminal for read

Looks like certutil wants to ask for a password, but for some reason cannot open /dev/tty for reading.

darioseidl commented 1 month ago

Seems to be a permission problem. I managed to work around it by starting bash with root privileges, but keeping my environment (including $HOME):

tmp=$(mktemp); export >$tmp; sudo bash -c ". $tmp; exec bash"

and then run mkcert -install. To verify that it worked:

certutil -L -d .pki/nssdb/

in the same root bash session.