Issues with updates on CentOS 6 – nss-softokn-freebl

You may be unable to update CentOS via yum after installing the most recent updates. The issue is described in this article:

http://kiteplans.info/2015/01/15/solved-bug-centos-yum-rpm-broken-by-nss-softokn-3-14-3-19-el6_6-update-error-rpmts_hdrfromfdno-error-rpmdbnextiterator-header-v3-rsasha1-signature-key-id-bad/

What you will likely see if you attempt to do updates or certificate checks or even find out what packages are installed:

  1. You might see an email from the server telling you that the certwatch program (which checks for expired or expiring certificates) cannot run:

    /etc/cron.daily/certwatch:

    NSS_Init("/etc/pki/nssdb") failed

  2. Or you might see yum saying that it can’t update the nss-softokn-freebl library:

    An update to kpartx from 0.4.9-80.el6_6.1 to 0.4.9-80.el6_6.2 is needed.
    This update has been successfully installed.

    An update to nss-softokn from 3.14.3-18.el6_6 to 3.14.3-19.el6_6 is needed.
    This update has been successfully installed.

    An update to nss-softokn-freebl from 3.14.3-18.el6_6 to 3.14.3-19.el6_6 is needed.
    However, this update could not be installed! Try the update manually
    using the Package Updates module.

  3. Or you might see yum giving this error:

    yum update
    Loaded plugins: fastestmirror
    Setting up Update Process
    Loading mirror speeds from cached hostfile
    Resolving Dependencies
    --> Running transaction check
    ---> Package nss-softokn-freebl.x86_64 0:3.14.3-18.el6_6 will be updated
    ---> Package nss-softokn-freebl.x86_64 0:3.14.3-19.el6_6 will be an update
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================
    Package                 Arch        Version                 Repository    Size
    ================================================================================
    Updating:
    nss-softokn-freebl      x86_64      3.14.3-19.el6_6         updates      166 k

    Transaction Summary
    ================================================================================
    Upgrade       1 Package(s)

    Total size: 166 k
    Is this ok [y/N]: y
    Downloading Packages:
    error: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID c105b9de: BAD
    Problem opening package nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm

  4. Or, if you run the command rpm -qa, you will see errors like these:

    error: rpmdbNextIterator: skipping h#     514 Header V3 RSA/SHA1 Signature, key ID c105b9de: BAD
    error: rpmdbNextIterator: skipping h#       4 Header V3 RSA/SHA1 Signature, key ID c105b9de: BAD
    error: rpmdbNextIterator: skipping h#     518 Header V3 RSA/SHA1 Signature, key ID c105b9de: BAD
    error: rpmdbNextIterator: skipping h#     263 Header V3 RSA/SHA1 Signature, key ID c105b9de: BAD
    error: rpmdbNextIterator: skipping h#       8 Header V3 RSA/SHA256 Signature, key ID c105b9de: BAD

So, in all of these cases it looks like the RPM database (which holds all the details of what has been installed, what each package contains, etc.) is corrupt, when in reality the nss-softokn-freebl library that we are trying to install is the wrong version, simply because it did not get installed AT THE SAME TIME as the nss-softokn libraries. The CentOS guys SHOULD HAVE set a dependency from nss-softokn to nss-softokn-freebl, but they forgot to do that and hence we have this issue.

Simple fix (NOTE: the following commands are for 64-bit versions of CentOS):

Log in as root (you may need to run sudo bash to start a shell as root if you use a USER login):

    cd /root
    wget http://mirror.centos.org/centos-6/6.6/updates/x86_64/Packages/nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm
    rpm2cpio nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm | cpio -idmv
    cp ./lib64/libfreeblpriv3.* /lib64
    yum update

(hopefully the last step will work and fix up the yum & rpm databases).
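
The manual fix above unpacks the package with rpm2cpio, which performs no signature check, and the download is over plain HTTP, so it is worth confirming the file's integrity before anything is copied into /lib64. The following is an added example, not part of the original post: the function names and the EXPECTED_SHA256 placeholder are assumptions, and the digest is assumed to come from a trusted source, such as a host where rpm -K still succeeds on the same file.

```bash
#!/bin/bash
# Added example: gate the manual libfreeblpriv3 copy on a SHA-256 check.
# Function names are illustrative; the expected digest must come from a
# trusted source and is NOT given on this page.

# Return 0 only if the SHA-256 of file $1 equals hex digest $2.
# Returns 1 on mismatch, 2 on a missing file or malformed digest.
verify_sha256() {
    local file="$1" expected actual
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    # Normalise case so an upper-case digest still matches.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$expected" in
        ''|*[!0-9a-f]*) echo "malformed digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed digest" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual" >&2
        return 1
    fi
}

# Verify the package, unpack it into a scratch directory and print the
# directory holding libfreeblpriv3.*, leaving the copy into /lib64 as a
# separate, deliberate step.
stage_freebl() {
    local rpm expected="$2" workdir
    rpm=$(readlink -f "$1") || return 2
    verify_sha256 "$rpm" "$expected" || return $?
    workdir=$(mktemp -d) || return 3
    # rpm2cpio performs no signature check, hence the digest gate above.
    ( cd "$workdir" && rpm2cpio "$rpm" | cpio -idm --quiet ) || return 3
    ls "$workdir"/lib64/libfreeblpriv3.* >/dev/null 2>&1 || return 4
    echo "$workdir/lib64"
}

# Usage (EXPECTED_SHA256 is a placeholder for the trusted digest):
#   dir=$(stage_freebl nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm "$EXPECTED_SHA256") \
#       && cp "$dir"/libfreeblpriv3.* /lib64
```

Once yum and rpm work again, rpm -V nss-softokn-freebl can confirm that the files in /lib64 match what the package database expects.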

Hope this helps others out with the updates.
