Hi Jeremy, Thanks for your response!
You were right the first time. I no longer have the snap versions of my browsers. I'm using the deb installations. Are you suggesting that I need to try the tutorial before someone will work on the bug? If so, I'm willing to give it a go, but I've tried it a few times in the past without success.That was in the days before GenAI, and I wound up just giving up. I've been favorably impressed by the capabilities of GenAI (and Gemini in particular), and I'm just interested in understanding its current capabilities, so I recently decided to make another attempt. That was successful on my home machine, but I ran into a dead end on my work machine that led to this bug report. My IT department does not provide Linux support. If it's not Microsoft, they can't spell it. Larry ---------------------------------------------------------------------------------------------------------------------------------------------- How much do you really know about how to use email? http://www.101emailetiquettetips.com/ "Act only according to that maxim whereby you can at the same time will that it should become a universal law without contradiction.” — Immanuel Kant, Grounding for the Metaphysics of Morals. ---------------------------------------------------------------------------------------------------------------------------------------------- On Mon, Jun 30, 2025 at 12:45 PM Jeremy Bícha <[email protected]> wrote: > Actually you might need https://ubuntu.com/tutorials/enable-smart-cards- > in-snapped-browsers > <https://ubuntu.com/tutorials/enable-smart-cards-in-snapped-browsers> > more than the other tutorial. > > ** Changed in: nss (Ubuntu) > Status: New => Incomplete > > -- > You received this bug notification because you are subscribed to the bug > report. > https://bugs.launchpad.net/bugs/2115561 > > Title: > modutil Fails with SEC_ERROR_BAD_DATABASE on Ubuntu 24.04 > > Status in nss package in Ubuntu: > Incomplete > > Bug description: > ### Bug Report: `modutil` Fails with `SEC_ERROR_BAD_DATABASE` on > Ubuntu 24.04 > > #### 1. Problem Description > > On an Ubuntu 24.04 LTS (Noble Numbat) machine with GNOME Shell 46.0, > the `modutil` command (from `libnss3-tools`) consistently fails with > `SEC_ERROR_BAD_DATABASE: security library: bad database.` when > attempting to add the `opensc-pkcs11.so` module to the user's default > NSS database (`~/.pki/nssdb`). This issue persists despite extensive > troubleshooting and system-level reinstallations. The exact same > software versions (NSS, OpenSC, PCSC) work correctly on a duplicate > home machine running the same Ubuntu version. > > #### 2. Steps to Reproduce > > 1. Ensure `opensc` and `libnss3-tools` are installed: > `sudo apt install opensc libnss3-tools` > 2. Cleanly re-initialize the user's default NSS database (ensure no > Firefox/Chrome/Thunderbird processes are running, as they can conflict): > ```bash > pkill -f firefox > pkill -f chrome > pkill -f thunderbird # Add if applicable > mv ~/.pki/nssdb ~/.pki/nssdb_backup_$(date +%Y%m%d%H%M%S) # Backup > existing > mkdir -p ~/.pki/nssdb > certutil -N -d ~/.pki/nssdb # Leave password blank for testing > ``` > (Enter `Enter` twice for password) > 3. Attempt to add the OpenSC PKCS#11 module: > ```bash > MODUTIL_DEBUG=1 modutil -add opensc -libfile > /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so -force > ``` > > #### 3. Expected Behavior > > The `modutil` command should successfully add the OpenSC module to the > NSS database without reporting a database error, as observed on a > duplicate Ubuntu 24.04 system with identical software versions. > > #### 4. Actual Behavior > > The `modutil` command fails with the following output: > `modutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad > database.` > > #### 5. System Information > > * **Operating System:** Ubuntu 24.04 LTS (Noble Numbat) > * **GNOME Shell Version:** `GNOME Shell 46.0` > * **NSS Package Version:** > ``` > apt-cache policy libnss3 > libnss3: > Installed: 2:3.98-1build1 > Candidate: 2:3.98-1build1 > Version table: > *** 2:3.98-1build1 500 > 500 [ > http://us.archive.ubuntu.com/ubuntu](http://us.archive.ubuntu.com/ubuntu) > noble/main amd64 Packages > 100 /var/lib/dpkg/status > ``` > * **Other Relevant Package Versions (identical to working home > machine):** > * `libnss3-tools`: `2:3.98-1build1` > * `libpcsclite1`: `2.0.3-1build1` > * `opensc`: `0.25.0-1ubuntu2.1` (assuming standard install) > * **SELinux Status:** `disabled` (from `sestatus` output) > * **`~/.pki/nssdb` Contents (after `certutil -N`):** > (Example content after successful `certutil -N`, indicating > `cert9.db`, `key4.db`, `pkcs11.txt`, and `secmod.db` are present with > `rw-------` permissions. `secmod.db` creation was verified via `strace`.) > ``` > total 68 > -rw------- 1 xphileprof xphileprof 28672 <date> cert9.db > -rw------- 1 xphileprof xphileprof 36864 <date> key4.db > -rw------- 1 xphileprof xphphileprof 508 <date> pkcs11.txt > -rw------- 1 xphileprof xphileprof 12288 <date> secmod.db > ``` > > #### 6. Crucial Diagnostic Logs > > These logs provide critical low-level detail about the failure. Please > link to them as specified. > > * **Ultimate `strace` Log of `modutil` (demonstrates success of > low-level ops):** > * **Link:** [ > https://pastebin.com/DrBW3ejn](https://pastebin.com/DrBW3ejn) > * **Context:** This log, generated with `strace -f -v -s 2048`, > confirms: > * Successful loading of `opensc-pkcs11.so` and > `libpcsclite.so.1`. > * Successful IPC communication with `pcscd.comm` (socket `9`) > including retrieval of reader names ("Dell Dell Smart Card Reader > Keyboard"). > * Successful `openat`, `read`, `write`, `fsync`, `fcntl` (for > locking) operations on `cert9.db`, `key4.db`, `secmod.db`, and `pkcs11.txt` > within `~/.pki/nssdb` **without any kernel-level errors (all `0` return > values)**. > * The `SEC_ERROR_BAD_DATABASE` error is issued without any > immediately preceding failing system call directly related to the database > files. > > * **OpenSC Verbose Log (from `modutil` failure):** > * **Link:** [ > https://pastebin.com/e5vJfhjD](https://pastebin.com/e5vJfhjD) > * **Context:** This log (generated with `OPENSC_DEBUG=9 > OPENSC_DRIVER=9`) initially showed `SCARD_E_NO_READERS_AVAILABLE`. This was > later determined to be a misleading error at the OpenSC layer, as `strace` > proved `pcscd` communication and reader enumeration were successful. > > * **`certutil -N` `strace` Log (confirming `secmod.db` creation):** > * **Link:** [ > https://pastebin.com/Qb4RHdA1](https://pastebin.com/Qb4RHdA1) > * **Context:** This log explicitly confirmed that `secmod.db` was > successfully created and written to during the `certutil -N` operation, > which resolved a previous hurdle. > > * **Note on NSS Internal Debugging:** Attempts to use `NSS_LOG_FILE` > and `NSS_LOG_MODULES="ALL:5"` did not produce a log file, suggesting a > very early or fundamental failure within NSS that prevents its logging > mechanism from initializing. > > ProblemType: Bug > DistroRelease: Ubuntu 24.04 > Package: libnss3 2:3.98-1build1 > ProcVersionSignature: Ubuntu 6.8.0-62.65-generic 6.8.12 > Uname: Linux 6.8.0-62-generic x86_64 > NonfreeKernelModules: nvidia_modeset nvidia > ApportVersion: 2.28.1-0ubuntu3.7 > Architecture: amd64 > CasperMD5CheckResult: unknown > CurrentDesktop: ubuntu:GNOME > Date: Sat Jun 28 12:16:13 2025 > InstallationDate: Installed on 2018-12-26 (2376 days ago) > InstallationMedia: Ubuntu 18.04.1 LTS "Bionic Beaver" - Release amd64 > (20180725) > SourcePackage: nss > UpgradeStatus: Upgraded to noble on 2024-10-01 (270 days ago) > > To manage notifications about this bug go to: > https://bugs.launchpad.net/ubuntu/+source/nss/+bug/2115561/+subscriptions > > -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/2115561 Title: modutil Fails with SEC_ERROR_BAD_DATABASE on Ubuntu 24.04 Status in nss package in Ubuntu: Incomplete Bug description: ### Bug Report: `modutil` Fails with `SEC_ERROR_BAD_DATABASE` on Ubuntu 24.04 #### 1. Problem Description On an Ubuntu 24.04 LTS (Noble Numbat) machine with GNOME Shell 46.0, the `modutil` command (from `libnss3-tools`) consistently fails with `SEC_ERROR_BAD_DATABASE: security library: bad database.` when attempting to add the `opensc-pkcs11.so` module to the user's default NSS database (`~/.pki/nssdb`). This issue persists despite extensive troubleshooting and system-level reinstallations. The exact same software versions (NSS, OpenSC, PCSC) work correctly on a duplicate home machine running the same Ubuntu version. #### 2. Steps to Reproduce 1. Ensure `opensc` and `libnss3-tools` are installed: `sudo apt install opensc libnss3-tools` 2. Cleanly re-initialize the user's default NSS database (ensure no Firefox/Chrome/Thunderbird processes are running, as they can conflict): ```bash pkill -f firefox pkill -f chrome pkill -f thunderbird # Add if applicable mv ~/.pki/nssdb ~/.pki/nssdb_backup_$(date +%Y%m%d%H%M%S) # Backup existing mkdir -p ~/.pki/nssdb certutil -N -d ~/.pki/nssdb # Leave password blank for testing ``` (Enter `Enter` twice for password) 3. Attempt to add the OpenSC PKCS#11 module: ```bash MODUTIL_DEBUG=1 modutil -add opensc -libfile /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so -force ``` #### 3. Expected Behavior The `modutil` command should successfully add the OpenSC module to the NSS database without reporting a database error, as observed on a duplicate Ubuntu 24.04 system with identical software versions. #### 4. Actual Behavior The `modutil` command fails with the following output: `modutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.` #### 5. System Information * **Operating System:** Ubuntu 24.04 LTS (Noble Numbat) * **GNOME Shell Version:** `GNOME Shell 46.0` * **NSS Package Version:** ``` apt-cache policy libnss3 libnss3: Installed: 2:3.98-1build1 Candidate: 2:3.98-1build1 Version table: *** 2:3.98-1build1 500 500 [http://us.archive.ubuntu.com/ubuntu](http://us.archive.ubuntu.com/ubuntu) noble/main amd64 Packages 100 /var/lib/dpkg/status ``` * **Other Relevant Package Versions (identical to working home machine):** * `libnss3-tools`: `2:3.98-1build1` * `libpcsclite1`: `2.0.3-1build1` * `opensc`: `0.25.0-1ubuntu2.1` (assuming standard install) * **SELinux Status:** `disabled` (from `sestatus` output) * **`~/.pki/nssdb` Contents (after `certutil -N`):** (Example content after successful `certutil -N`, indicating `cert9.db`, `key4.db`, `pkcs11.txt`, and `secmod.db` are present with `rw-------` permissions. `secmod.db` creation was verified via `strace`.) ``` total 68 -rw------- 1 xphileprof xphileprof 28672 <date> cert9.db -rw------- 1 xphileprof xphileprof 36864 <date> key4.db -rw------- 1 xphileprof xphphileprof 508 <date> pkcs11.txt -rw------- 1 xphileprof xphileprof 12288 <date> secmod.db ``` #### 6. Crucial Diagnostic Logs These logs provide critical low-level detail about the failure. Please link to them as specified. * **Ultimate `strace` Log of `modutil` (demonstrates success of low-level ops):** * **Link:** [https://pastebin.com/DrBW3ejn](https://pastebin.com/DrBW3ejn) * **Context:** This log, generated with `strace -f -v -s 2048`, confirms: * Successful loading of `opensc-pkcs11.so` and `libpcsclite.so.1`. * Successful IPC communication with `pcscd.comm` (socket `9`) including retrieval of reader names ("Dell Dell Smart Card Reader Keyboard"). * Successful `openat`, `read`, `write`, `fsync`, `fcntl` (for locking) operations on `cert9.db`, `key4.db`, `secmod.db`, and `pkcs11.txt` within `~/.pki/nssdb` **without any kernel-level errors (all `0` return values)**. * The `SEC_ERROR_BAD_DATABASE` error is issued without any immediately preceding failing system call directly related to the database files. * **OpenSC Verbose Log (from `modutil` failure):** * **Link:** [https://pastebin.com/e5vJfhjD](https://pastebin.com/e5vJfhjD) * **Context:** This log (generated with `OPENSC_DEBUG=9 OPENSC_DRIVER=9`) initially showed `SCARD_E_NO_READERS_AVAILABLE`. This was later determined to be a misleading error at the OpenSC layer, as `strace` proved `pcscd` communication and reader enumeration were successful. * **`certutil -N` `strace` Log (confirming `secmod.db` creation):** * **Link:** [https://pastebin.com/Qb4RHdA1](https://pastebin.com/Qb4RHdA1) * **Context:** This log explicitly confirmed that `secmod.db` was successfully created and written to during the `certutil -N` operation, which resolved a previous hurdle. * **Note on NSS Internal Debugging:** Attempts to use `NSS_LOG_FILE` and `NSS_LOG_MODULES="ALL:5"` did not produce a log file, suggesting a very early or fundamental failure within NSS that prevents its logging mechanism from initializing. ProblemType: Bug DistroRelease: Ubuntu 24.04 Package: libnss3 2:3.98-1build1 ProcVersionSignature: Ubuntu 6.8.0-62.65-generic 6.8.12 Uname: Linux 6.8.0-62-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.28.1-0ubuntu3.7 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Sat Jun 28 12:16:13 2025 InstallationDate: Installed on 2018-12-26 (2376 days ago) InstallationMedia: Ubuntu 18.04.1 LTS "Bionic Beaver" - Release amd64 (20180725) SourcePackage: nss UpgradeStatus: Upgraded to noble on 2024-10-01 (270 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nss/+bug/2115561/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
