Originally, I opened this issue against Dogtag PKI: https://pagure.io/dogtagpki/issue/3104
Related discussion on PR: https://github.com/dogtagpki/pki/pull/239
Short history:
Inputs:
Certmonger - 0.79.7
FreeIPA - 4.3.3
Dogtag PKI - 10.2.6

Actions: RPM upgrade
Certmonger - 0.79.7
FreeIPA - 4.7.x
Dogtag PKI - 10.7.x
Issue: During the RPM upgrade process, Certmonger restarted and re-read the tracked certs. https://pagure.io/certmonger/blob/master/f/src/certread-n.c#_103
    /* Open the database. */
    settings = userdata;
    readwrite = settings->readwrite;
    ctx = NSS_InitContext(entry->cm_cert_storage_location,
                          NULL, NULL, NULL, NULL,
                          (readwrite ? 0 : NSS_INIT_READONLY) |
                          NSS_INIT_NOROOTINIT |
                          NSS_INIT_NOMODDB);
This triggers the implicit migration of the NSS DB (DBM => SQL), which breaks the following PKI migration procedure.
The root cause of this issue is the NSS_INIT_NOMODDB flag, used by certmonger in NSS_InitContext.
NSS_INIT_NOMODDB - Don't open the security module DB, just initialize the PKCS #11 module.
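Added example, not part of the original issue and not certmonger or Dogtag code: a shell check that classifies an NSS database directory by the files it contains, so the state of each tracked location can be recorded before the RPM upgrade and compared afterwards. The function names and output labels are assumptions made for this example; the file names are the standard NSS ones for the DBM and SQL formats.

```shell
#!/bin/sh
# Added example (not certmonger or Dogtag code).
# Legacy DBM format files: cert8.db, key3.db, secmod.db
# SQL format files:        cert9.db, key4.db, pkcs11.txt

# Print the on-disk format of one NSS database directory.
nssdb_format() {
    # $1: directory; an optional "dbm:" or "sql:" prefix is stripped.
    dir=${1#dbm:}
    dir=${dir#sql:}
    [ -d "$dir" ] || { echo "missing"; return 0; }

    has_dbm=no
    has_sql=no
    if [ -f "$dir/cert8.db" ] || [ -f "$dir/key3.db" ]; then has_dbm=yes; fi
    if [ -f "$dir/cert9.db" ] || [ -f "$dir/key4.db" ]; then has_sql=yes; fi

    case "$has_dbm:$has_sql" in
        yes:no)  echo "dbm" ;;       # legacy files only
        no:yes)  echo "sql" ;;       # SQL files only
        yes:yes) echo "migrated" ;;  # both sets: consistent with a DBM => SQL migration
        *)       echo "empty" ;;     # directory exists, no NSS database files
    esac
}

# Compare the format recorded before an upgrade with the format seen after it.
nssdb_changed() {
    # $1: format before, $2: format after
    if [ "$1" = "dbm" ] && [ "$2" != "dbm" ]; then
        echo "dbm-migrated"          # was DBM-only, no longer is
    elif [ "$1" = "$2" ]; then
        echo "unchanged"
    else
        echo "changed"
    fi
}

# When run with directory arguments, print one "path<TAB>format" line each.
for d in "$@"; do
    printf '%s\t%s\n' "$d" "$(nssdb_format "$d")"
done
```

Run it against each certificate storage location certmonger tracks, once before and once after the upgrade; a `dbm` location that reports `migrated` afterwards has been converted outside the PKI migration procedure.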