Description of problem:
I'm seeing rather unexpected behaviour when sysinit is disabled. My expectation is that when CA cert is imported in sql:/etc/pki/nssdb, tstclnt should be able to verify server cert when it's called with -d sql:$HOME/.pki/nssdb. There still seem to be some issues with listing CA certs from system nssdb.

Version-Release number of selected component (if applicable):
nss-3.12.9-13.fc15

Steps to Reproduce:
Start with empty /etc/pki/nssdb and $HOME/.pki/nssdb.

Get CAcert.org certificate:
http://www.cacert.org/certs/root.crt

Import into system nssdb and mark as trusted:

# certutil -d sql:/etc/pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

cacert-root                                                  CT,C,C

Make sure nsssysinit is enabled:

$ setup-nsssysinit.sh status
NSS sysinit is enabled

If I repeat certutil -L as non-root, nothing is printed even when specifying sql:/etc/pki/nssdb directly:

$ certutil -d sql:/etc/pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

$ certutil -d sql:$HOME/.pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

tstclnt is only able to verify server cert when using sql:/etc/pki/nssdb, but not sql:$HOME/.pki/nssdb database path:

$ tstclnt -d sql:$HOME/.pki/nssdb -p 443 -h www.cacert.org
tstclnt: read from socket failed: Peer's Certificate issuer is not recognized.

$ tstclnt -d sql:/etc/pki/nssdb -p 443 -h www.cacert.org
subject DN: E=support,CN=www.cacert.org,O=CAcert Inc.,L=Sydney,ST=NSW,C=AU
issuer DN: E=support,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA

Disabling sysinit fixes -d sql:/etc/pki/nssdb -L output:

$ setup-nsssysinit.sh status
NSS sysinit is disabled

$ certutil -d sql:/etc/pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

cacert-root                                                  CT,C,C

After a quick check with Elio, this behaviour is not expected.
I assume you imported the certificate as root. Now, you haven't stated the details of how you imported the certificate. It could have been one of two ways:

1) certutil -A -i root.crt -t "CT,C,C" -d sql:`pwd`/.pki/nssdb -n "cacert-root"
2) certutil -A -i root.crt -t "CT,C,C" -d sql:/etc/pki/nssdb -n "cacert-root"

I would like to know if it makes a difference for you and I suspect it does. My thinking is that if root imports the certificate pointing to its own database (as in 1) then the certificate shouldn't be visible by regular users. In this case root is acting as a user (with rooty powers) and his own db is being accessed read and write, whereas in case 2 root is acting as a mere system administrator adding certs to the system-wide database. So the current behaviour isn't all that unexpected after all. It turns out to be consistent with some of my thinking back then when I was making modifications to nss-sysinit and keeping track of permissions for root versus regular users.
(In reply to comment #1)
> 2) certutil -A -i root.crt -t "CT,C,C" -d sql:/etc/pki/nssdb -n "cacert-root"

This one. Adding straight to system nssdb. I guess I wouldn't expect cert to propagate to system nssdb when adding it to root's user nssdb. Given that 'tstclnt -d sql:/etc/pki/nssdb' works for non-root user, I assume the cert is really imported in the system nssdb.
This message is a notice that Fedora 15 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 15. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '15' have been closed as WONTFIX. (Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.) Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version. Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 15 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
(In reply to comment #3)
> (Please note: Our normal process is to give advanced warning of this
> occurring, but we forgot to do that. A thousand apologies.)

And closing without warning rather than doing warning now and closing a month later is better?!

Anyway, confirmed the same behavior with:
nss-3.13.5-1.fc16
nss-sysinit-3.13.5-1.fc16
This message is a reminder that Fedora 16 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 16. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '16'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 16's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 16 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Confirmed the same behavior with:
nss-3.14.1-3.fc17
nss-sysinit-3.14.1-3.fc17

Is this expected to work with sysinit enabled?

$ tstclnt -d sql:$HOME/.pki/nssdb -p 443 -h www.cacert.org
This message is a reminder that Fedora 17 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 17. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '17'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 17's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 17 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 17's end of life. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
I can't test this now, but I'm moving it blindly to F19, just as blindly as bug zappers want to close this without checking if it's fixed, even though testing details are available.
This message is a notice that Fedora 19 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 19. It is Fedora's policy to close all bug reports from releases that are no longer maintained. Approximately 4 (four) weeks from now this bug will be closed as EOL if it remains open with a Fedora 'version' of '19'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 19 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Same with:
nss-3.17.3-2.fc20.x86_64
nss-sysinit-3.17.3-2.fc20.x86_64

# certutil -d sql:/etc/pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

# certutil -A -i root.crt -t "CT,C,C" -d sql:/etc/pki/nssdb -n "cacert-root"
# certutil -d sql:/etc/pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

cacert-root                                                  CT,C,C

# setup-nsssysinit.sh status
NSS sysinit is enabled

$ certutil -d sql:/etc/pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

$ certutil -d sql:$HOME/.pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

$ /usr/lib64/nss/unsupported-tools/tstclnt -d sql:$HOME/.pki/nssdb -p 443 -h www.cacert.org
tstclnt: authentication of server cert failed: error 0: Success

# Note that error message here changed and it itself seems incorrect, but
# connection still fails

$ /usr/lib64/nss/unsupported-tools/tstclnt -d sql:/etc/pki/nssdb -p 443 -h www.cacert.org
subject DN: CN=www.cacert.org,O=CAcert Inc.,L=Sydney,ST=NSW,C=AU
issuer DN: E=support,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA

# setup-nsssysinit.sh off
# setup-nsssysinit.sh status
NSS sysinit is disabled

$ certutil -d sql:/etc/pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

cacert-root                                                  CT,C,C

Can anyone answer question in comment 6?
This message is a reminder that Fedora 20 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 20. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '20'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 20 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
There does not seem to be any change in 3.18.0 wrt this bug.
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
This message is a reminder that Fedora 23 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 23. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '23'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 23 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
This message is a reminder that Fedora 25 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '25'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 25 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
I don't see a reason to believe anything has changed, so moving to later version to avoid automatic closing of this bug.
This message is a reminder that Fedora 26 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '26'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 26 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Bumping version to avoid auto close. Still hoping for some feedback on the expected behaviour.
This message is a reminder that Fedora 27 is nearing its end of life. On 2018-Nov-30 Fedora will stop maintaining and issuing updates for Fedora 27. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '27'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 27 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
(In reply to Tomas Hoger from comment #0)
> I'm seeing rather unexpected behaviour when sysinit is disabled. My
> expectation is that when CA cert is imported in sql:/etc/pki/nssdb ,
> tstclnt should be able to verify server cert when it's called with -d
> sql:$HOME/.pki/nssdb .

I wonder if this is really an intended behavior. My understanding is that the propagation happens the other way, that is ~/.pki/nssdb -> /etc/pki/nssdb, so applications can use certificates installed under ~/.pki/nssdb just by pointing to /etc/pki/nssdb:

$ certutil -L -d sql:/etc/pki/nssdb -h all

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

$ rm -rf ~/.pki
$ mkdir -p ~/.pki/nssdb
$ certutil -N -d sql:$HOME/.pki/nssdb --empty-password
$ certutil -d sql:$HOME/.pki/nssdb -A -t 'CT,C,C' -n cacert-root -i root.crt
$ certutil -L -d sql:/etc/pki/nssdb -h all

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

cacert-root                                                  CT,C,C
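An added example, not from this bug or from NSS, that turns the manual comparisons in this thread into a repeatable check: it parses the certutil -L listing format shown above and reports whether a given nickname is trusted as an SSL CA in that listing, so the same user can compare what sql:/etc/pki/nssdb and sql:$HOME/.pki/nssdb expose with sysinit on or off. The two sample listings are constructed to match comment 0, and check_db is a hypothetical wrapper that only runs when certutil is installed.

```shell
#!/bin/sh
# Added example (not part of the bug report or of nss-sysinit).

# Turn a `certutil -L` listing on stdin into "nickname<TAB>trust" lines.
# The two header lines and blanks are skipped; nicknames may contain
# spaces, so the trust string is taken as the last whitespace field.
parse_certutil_list() {
    awk '
        /^Certificate Nickname/ { next }   # header line 1
        NF < 2 { next }                    # header line 2 ("SSL,S/MIME,JAR/XPI") or blank
        {
            trust = $NF; $NF = ""
            sub(/[ \t]+$/, "")             # drop padding left after removing $NF
            print $0 "\t" trust
        }'
}

# Exit 0 if the listing on stdin has NICK with a "C" (trusted CA) in the
# first of the three comma-separated trust columns, i.e. the SSL column.
ssl_ca_trusted() {
    nick="$1"
    parse_certutil_list | awk -F'\t' -v nick="$nick" '
        $1 == nick { split($2, col, ","); if (col[1] ~ /C/) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Constructed sample: what root saw in comment 0 with sysinit enabled.
SAMPLE_ROOT='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

cacert-root                                                  CT,C,C
'

# Constructed sample: the same database listed as a non-root user (empty).
SAMPLE_USER='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

'

# Hypothetical wrapper for a live database, e.g.
#   check_db sql:/etc/pki/nssdb cacert-root
# -h all lists every token, as used in comment 21. Returns 2 without certutil.
check_db() {
    if command -v certutil >/dev/null 2>&1; then
        certutil -L -d "$1" -h all | ssl_ca_trusted "$2"
    else
        echo "certutil not installed; skipping live check" >&2
        return 2
    fi
}
```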
Confirmed with Bob that this is a wrong expectation. If you have any specific use-case where such behavior is useful, feel free to open an RFE as a separate bug.
I'm fine having this closed after comment 21 clarification. I asked about what is the expected behaviour back in comment 6, so thank you for providing it. I do see how comment 21 behaviour makes sense.