#133 Certmonger implicitly triggers NSS DB migration
Opened 5 months ago by slev. Modified 5 months ago

Originally, I opened this issue against Dogtag PKI:
https://pagure.io/dogtagpki/issue/3104

Related discussion on PR:
https://github.com/dogtagpki/pki/pull/239

Short history:

Inputs:
Certmonger - 0.79.7
FreeIPA - 4.3.3
Dogtag PKI - 10.2.6

Actions:
RPM upgrade
Certmonger - 0.79.7
FreeIPA - 4.7.x
Dogtag PKI - 10.7.x

Issue:
During the RPM upgrade process, certmonger restarted and re-read the tracked certs.
https://pagure.io/certmonger/blob/master/f/src/certread-n.c#_103

    /* Open the database. */
    settings = userdata;
    readwrite = settings->readwrite;
    /* Open read-only unless the request needs write access; skip loading
     * the builtin root CA module and skip opening the security module DB. */
    ctx = NSS_InitContext(entry->cm_cert_storage_location,
                  NULL, NULL, NULL, NULL,
                  (readwrite ? 0 : NSS_INIT_READONLY) |
                  NSS_INIT_NOROOTINIT |
                  NSS_INIT_NOMODDB);

This triggers the implicit migration of NSS DB (DBM => SQL), which breaks the following PKI migration procedure.

The root cause of this issue is the NSS_INIT_NOMODDB flag, which certmonger passes to NSS_InitContext.

NSS_INIT_NOMODDB - Don't open the security module DB, just initialize the PKCS #11 module.
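As an added check (not part of this issue, certmonger or Dogtag PKI), the following POSIX shell snippet reports which on-disk format an NSS database directory holds, so an administrator can record the state of a tracked database before an upgrade and confirm afterwards whether the implicit DBM => SQL migration described above has happened. It relies only on the well-known file names of the two formats (legacy DBM: cert8.db, key3.db, secmod.db; SQL: cert9.db, key4.db, pkcs11.txt) and assumes, for the demonstration, that a migration creates the SQL files next to the legacy ones rather than removing them; the directory it inspects is constructed on the fly and is not a real NSS database.

```shell
# Report the NSS database format found in a directory:
#   dbm   - legacy Berkeley DB files only (cert8.db / key3.db)
#   sql   - SQLite files only (cert9.db / key4.db)
#   mixed - both present, the usual sign that an implicit migration ran
#   none  - neither present
nssdb_format() {
    dir=$1
    dbm=0
    sql=0
    if [ -f "$dir/cert8.db" ] || [ -f "$dir/key3.db" ]; then dbm=1; fi
    if [ -f "$dir/cert9.db" ] || [ -f "$dir/key4.db" ]; then sql=1; fi
    if [ "$dbm" -eq 1 ] && [ "$sql" -eq 1 ]; then
        echo mixed
    elif [ "$dbm" -eq 1 ]; then
        echo dbm
    elif [ "$sql" -eq 1 ]; then
        echo sql
    else
        echo none
    fi
}

# Compare a format recorded earlier with the current state of a directory.
# Returns 0 when unchanged, 1 when the format differs (a migration happened).
nssdb_unchanged() {
    expected=$1
    dir=$2
    [ "$expected" = "$(nssdb_format "$dir")" ]
}

# Demonstration on a constructed directory (not a real NSS database).
demo_dir=$(mktemp -d)
touch "$demo_dir/cert8.db" "$demo_dir/key3.db" "$demo_dir/secmod.db"
before=$(nssdb_format "$demo_dir")
echo "before upgrade: $before"
# Simulate the implicit migration: SQL files appear next to the DBM files.
touch "$demo_dir/cert9.db" "$demo_dir/key4.db" "$demo_dir/pkcs11.txt"
echo "after upgrade:  $(nssdb_format "$demo_dir")"
nssdb_unchanged "$before" "$demo_dir" || echo "warning: NSS DB format changed in $demo_dir"
rm -rf "$demo_dir"
```

Running `nssdb_format` against each directory certmonger tracks (for example the paths in its `cm_cert_storage_location` entries) before and after an upgrade, and comparing the results with `nssdb_unchanged`, gives a quick way to tell whether certmonger's restart opened the database in a way that migrated it before the PKI migration procedure ran.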
