You may be unable to update Centos via yum after installing the most recent updates. The issue is described in this article:
What you will likely see if you attempt to do updates or certificate checks or even find out what packages are installed:
- You might see an email from the server telling you that the certwatch program (which checks for expired or expiring certificates) cannot run:
/etc/cron.daily/certwatch:
NSS_Init(“/etc/pki/nssdb”) failed
- Or you might see yum saying that it can’t update the nss-softokn-freebl library:
An update to kpartx from 0.4.9-80.el6_6.1 to 0.4.9-80.el6_6.2 is needed.
This update has been successfully installed.
An update to nss-softokn from 3.14.3-18.el6_6 to 3.14.3-19.el6_6 is needed.
This update has been successfully installed.
An update to nss-softokn-freebl from 3.14.3-18.el6_6 to 3.14.3-19.el6_6 is needed.
However, this update could not be installed! Try the update manually
using the Package Updates module. - Or you might see yum giving this error:
yum update
Loaded plugins: fastestmirror
Setting up Update Process
Loading mirror speeds from cached hostfile
Resolving Dependencies
–> Running transaction check
—> Package nss-softokn-freebl.x86_64 0:3.14.3-18.el6_6 will be updated
—> Package nss-softokn-freebl.x86_64 0:3.14.3-19.el6_6 will be an update
–> Finished Dependency ResolutionDependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Updating:
nss-softokn-freebl x86_64 3.14.3-19.el6_6 updates 166 k
Transaction Summary
================================================================================
Upgrade 1 Package(s)
Total size: 166 k
Is this ok [y/N]: y
Downloading Packages:
error: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID c105b9de: BAD
Problem opening package nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm - Or, if you run this command rpm –qa, you will see errors like these:
error: rpmdbNextIterator: skipping h# 514 Header V3 RSA/SHA1 Signature, key ID c105b9de: BAD
error: rpmdbNextIterator: skipping h# 4 Header V3 RSA/SHA1 Signature, key ID c105b9de: BAD
error: rpmdbNextIterator: skipping h# 518 Header V3 RSA/SHA1 Signature, key ID c105b9de: BAD
error: rpmdbNextIterator: skipping h# 263 Header V3 RSA/SHA1 Signature, key ID c105b9de: BAD
error: rpmdbNextIterator: skipping h# 8 Header V3 RSA/SHA256 Signature, key ID c105b9de: BAD
…
So, in all of these cases it looks like the RPM database (that holds all the details of what has been installed, what they contain, etc.) is corrupt – when in reality the nss-softokn-freebl library that we are trying to install is the wrong version – simply because they did not get installed AT THE SAME TIME as the nss-softokn libraries. The Centos guys SHOULD HAVE set a dependency from nss-softokn to nss-softokn-freebl – but they forgot to do that and hence we have this issue.
Simple fix (NOTE: the following commands are for 64 bit versions of Centos):
Login as root (you may need to sudo bash to start up a shell as root if you use a USER login):
cd /root
wget http://mirror.centos.org/centos-6/6.6/updates/x86_64/Packages/nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm
rpm2cpio nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm | cpio -idmv
cp ./lib64/libfreeblpriv3.* /lib64
yum update
(hopefully the last step will work and fix up the yum & rpm databases).
Hope this helps others out with the updates.