I'm having trouble getting PKCS#11 and PAM to work. For whatever reason NSS has stopped working and I can't create a new database.
Here's the output from PKCS11 and NSS:
DEBUG:pkcs11_lib.c:187: Initializing NSS ...
DEBUG:pkcs11_lib.c:197: Initializing NSS ... database=/etc/pam_pkcs11/nssdb
DEBUG:pkcs11_lib.c:206: NSS_Initialize failed: (null)
ERROR:pam_pkcs11.c:250: Failed to initialize crypto
After checking all my configs and howtos, I googled and found this: certutil: function failed: security library: bad database
Which reminded me that I probably never created a new NSS database (which, however, I thought would be done automatically?).
But when trying to create a new database, I get the following:
# certutil -d /etc/pam_pkcs11/nssdb -N
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
So I did some digging and tried:
# certutil -d sql:/etc/pam_pkcs11/nssdb -N
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
System: Fedora 21 (This is as new as it gets)
NSS: nss-tools-3.20.1-1.0 + nss-3.20.1-1.0
PAM: pam_pkcs11-0.6.8-6
OpenSC: opensc-0.14.0-2
OpenSSL: openssl-1.0.1k-12
SQLite: sqlite-3.8.11.1-1
Best Answer
I should probably go home and have some food or something.
Forgot to create the folder nssdb (yes, it's a folder and not a file... which is so clearly stated in every forum Google came up with during my debugging). I should know this.
Also note that when using NSS with PAM, especially on older systems: never use sql: style NSS databases.
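A preflight check for the failure described in the answer above, as an added example that is not part of the original post: it reports whether the NSS database path is missing, not a directory, empty, or already holds a legacy (dbm) or sql database, and creates the directory when it is absent. The function names `nssdb_state` and `nssdb_prepare` and the 0755 mode are assumptions; the file names are the standard NSS ones.

```shell
#!/bin/sh
# Added example: classify an NSS database location before running certutil.
# Standard NSS file names: cert8.db/key3.db (legacy dbm format),
# cert9.db/key4.db (sql format).

nssdb_state() {
    dir=${1#sql:}          # accept the sql:/dbm: prefixes certutil takes
    dir=${dir#dbm:}
    if [ ! -e "$dir" ]; then
        echo missing       # the case from the answer: directory never created
    elif [ ! -d "$dir" ]; then
        echo not-a-directory
    elif [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then
        echo sql
    elif [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then
        echo dbm
    else
        echo empty         # directory exists but holds no complete database
    fi
}

# Create the directory if it is absent, then report the resulting state.
# Mode 0755 is an assumption, not something the post specifies.
nssdb_prepare() {
    dir=${1#sql:}
    dir=${dir#dbm:}
    case $(nssdb_state "$dir") in
        missing)
            mkdir -p "$dir" && chmod 0755 "$dir" ;;
        not-a-directory)
            echo "$dir exists but is not a directory" >&2
            return 1 ;;
    esac
    nssdb_state "$dir"
}

# Stand-alone use: sh nssdb_check.sh /etc/pam_pkcs11/nssdb
if [ -n "${1:-}" ]; then
    nssdb_prepare "$1"
fi
```

Once the path reports `empty`, the `certutil -d /etc/pam_pkcs11/nssdb -N` command from the question has a directory to write into.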