SilleBille / pki

Dogtag PKI Issues should be reported to the Dogtag PKI Pagure Issues site
https://pagure.io/dogtagpki/issues
GNU General Public License v2.0

NSS db migration #502

Closed SilleBille closed 4 years ago

SilleBille commented 4 years ago

This issue was migrated from Pagure Issue #3104. Originally filed by slev on 2019-08-13

During a FreeIPA upgrade from an old version (4.3.3) to a new one (4.7.2), pki-tomcatd@pki-tomcat.service fails with:

pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/lib/systemd/system/pki-tomcatd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2019-08-13 08:15:47 MSK; 52min ago
  Process: 2026 ExecStartPre=/usr/sbin/pki-server migrate --instance pki-tomcat (code=exited, status=1/FAILURE)

Aug 13 08:15:46 dc.ipa.test systemd[1]: Starting PKI Tomcat Server pki-tomcat...
Aug 13 08:15:46 dc.ipa.test pki-server[2026]: ERROR: /var/lib/pki/pki-tomcat/alias contains an incomplete NSS database in SQL format
Aug 13 08:15:47 dc.ipa.test systemd[1]: pki-tomcatd@pki-tomcat.service: Control process exited, code=exited, status=1/FAILURE
Aug 13 08:15:47 dc.ipa.test systemd[1]: pki-tomcatd@pki-tomcat.service: Failed with result 'exit-code'.
Aug 13 08:15:47 dc.ipa.test systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.
# LANG=C ls -la /var/lib/pki/pki-tomcat/alias/
-rw------- 1 pkiuser pkiuser 65536 Aug 13 09:12 cert8.db
-rw------- 1 root    root    28672 Aug 13 09:12 cert9.db
-rw------- 1 pkiuser pkiuser 24576 Aug 13 09:12 key3.db
-rw------- 1 root    root    28672 Aug 13 09:12 key4.db
-r-------- 1 pkiuser pkiuser    13 Aug  8 11:53 pwdfile.txt
-rw------- 1 pkiuser pkiuser 16384 Jul 16 16:30 secmod.db

There is a partially upgraded NSS db. As is known (https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql), an implicit migration takes place on write open.

During the same RPM upgrade process, certmonger restarted and re-read the tracked certs: https://pagure.io/certmonger/blob/master/f/src/certread-n.c#_103 The root cause of this issue is the NSS_INIT_NOMODDB flag, used by certmonger in NSS_InitContext. Actually, certmonger just triggers the issue.

NSS_INIT_NOMODDB - Don't open the security module DB, just initialize the PKCS #11 module.

The very simple reproducer in pytest is attached.
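The state described in this report (cert9.db and key4.db created as root by the implicit dbm-to-sql migration, but no pkcs11.txt because the module DB was never opened, while the pkiuser-owned cert8.db/key3.db/secmod.db remain) can be detected before a service start fails. The script below is an added example, not code from pki-server, certmonger or NSS. It classifies an NSS alias directory by which of the standard NSS file names are present and flags files whose owner differs from the legacy database's owner. The classification labels, the helper names, the injectable `owner_of` callable and the constructed directory layout (with illustrative uid values) are assumptions of this example; the file names themselves are the standard NSS dbm and SQL names.

```python
"""Classify an NSS database directory the way an upgrade pre-check might.

Added example (not pki-server's, certmonger's or NSS's own code). It models
the layout from the report: the implicit dbm->sql migration ran under a
process that passed NSS_INIT_NOMODDB, so cert9.db/key4.db were written but
the module database was never opened and pkcs11.txt was never created.
"""
import os
import tempfile
from pathlib import Path

# Standard NSS file names: legacy (dbm) format and SQL format.
DBM_FILES = ("cert8.db", "key3.db", "secmod.db")
SQL_FILES = ("cert9.db", "key4.db", "pkcs11.txt")


def classify_nssdb(alias_dir):
    """Return one of: empty, dbm, sql, sql+dbm, incomplete-sql.

    'incomplete-sql' means some but not all SQL-format files exist, the
    state the report's pki-server migrate error refers to.
    """
    d = Path(alias_dir)
    dbm_present = {f for f in DBM_FILES if (d / f).exists()}
    sql_present = {f for f in SQL_FILES if (d / f).exists()}
    if not sql_present:
        return "dbm" if dbm_present else "empty"
    if sql_present != set(SQL_FILES):
        return "incomplete-sql"
    return "sql+dbm" if dbm_present else "sql"


def missing_sql_files(alias_dir):
    """List SQL-format files that a complete migration would have created."""
    d = Path(alias_dir)
    return [f for f in SQL_FILES if not (d / f).exists()]


def ownership_mismatches(alias_dir, owner_of=None):
    """Return DB files whose owner differs from the legacy database's owner.

    owner_of maps a path to an owner id. It defaults to os.stat().st_uid and
    is injectable so the check can be exercised without chown privileges.
    """
    if owner_of is None:
        owner_of = lambda p: os.stat(p).st_uid
    d = Path(alias_dir)
    present = [f for f in DBM_FILES + SQL_FILES if (d / f).exists()]
    if not present:
        return []
    # Reference owner: the first legacy file present (cert8.db in the report).
    ref = next((f for f in DBM_FILES if f in present), present[0])
    ref_owner = owner_of(d / ref)
    return [f for f in present if owner_of(d / f) != ref_owner]


def make_layout(names):
    """Create a temp dir containing empty files with the given names (constructed)."""
    tmp = tempfile.mkdtemp(prefix="alias-")
    for name in names:
        Path(tmp, name).write_bytes(b"")
    return tmp


# Files and owners as in the report's ls listing (constructed; the uid
# values are illustrative: 17 stands for pkiuser, 0 for root).
REPORT_FILES = ("cert8.db", "key3.db", "secmod.db", "cert9.db", "key4.db", "pwdfile.txt")
REPORT_OWNERS = {"cert8.db": 17, "key3.db": 17, "secmod.db": 17,
                 "cert9.db": 0, "key4.db": 0, "pwdfile.txt": 17}


def check_report_layout():
    """Run all checks against the constructed report layout; return findings."""
    alias = make_layout(REPORT_FILES)
    owner = lambda p: REPORT_OWNERS[Path(p).name]
    return {
        "state": classify_nssdb(alias),
        "missing": missing_sql_files(alias),
        "mismatched": ownership_mismatches(alias, owner_of=owner),
    }


if __name__ == "__main__":
    print(check_report_layout())
```

Run against a real instance with `classify_nssdb("/var/lib/pki/pki-tomcat/alias")` and `ownership_mismatches(...)` without the `owner_of` argument; a result of `incomplete-sql` together with root-owned cert9.db/key4.db is the signature seen in this report. The example only reports findings; it does not modify the database.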

SilleBille commented 4 years ago

Posted by slev on 2019-08-13:

repr.py

SilleBille commented 4 years ago

Posted by rcritten on 2019-09-30:

Perhaps NSS should not initiate a migration when opened with NSS_INIT_NOMODDB. I'm not sure this is a bug in certmonger.

SilleBille commented 4 years ago

Posted by slev on 2019-09-30:

I could open a ticket against NSS. But it looks like the migration process is not standardized.