Fail to start caddy2, not NSS security databases found

kjellkvinge · March 14, 2020, 8:06pm

1. My Caddy version (`caddy version`):

caddy2_beta16_linux_amd64 and caddy2_beta17_linux_amd64

2. How I run Caddy:

./caddy2_beta16_linux_amd64 reverse-proxy

This situation appear even whithout configfile.

a. System environment:

A new VM, minimal debian buster installation.

b. Command:

./caddy2_beta16_linux_amd64 reverse-proxy

d. My complete Caddyfile or JSON config:

localhost:2016 {
proxy / 192.168.10.101:80
}

3. The problem I’m having:

4. Error messages and/or full log output:

2020/03/14 19:59:21.812 WARN    admin   admin endpoint disabled
2020/03/14 19:59:21.813 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "proxy", "https_port": 443}
2020/03/14 19:59:21.813 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "proxy"}
2020/03/14 19:59:21 [INFO][cache:0xc000436780] Started certificate maintenance routine
2020/03/14 19:59:21.825 INFO    tls     cleaned up storage units
2020/03/14 19:59:21.871 WARN    pki.ca.local    trusting root certificate (you might be prompted for password)  {"path": "storage:pki/authorities/local/root.crt"}
2020/03/14 19:59:21 define JAVA_HOME environment variable to use the Java trust
reverse-proxy: loading new config: pki app module: start: adding root certificate to trust store: not NSS security databases found

5. What I already tried:

I have tested the version 1 of caddy, which seems to work. First attempt came up with a note to install libnss3-tools which i did.

I have tried to figure out what “not NSS security databases found” means. My googling skills failed me.
First time I play with caddy, so I guess its me and not you

Thank you for your work.

6. Links to relevant resources:

Is it this error?

github.com

smallstep/truststore/blob/7a1553ad972ba151d76814b975a6c6d4d58460c2/truststore_nss.go#L69

    
      
          // Install implements the Trust interface.
          func (t *NSSTrust) Install(filename string, cert *x509.Certificate) error {
          	// install certificate in all profiles
          	if forEachNSSProfile(func(profile string) {
          		cmd := exec.Command(t.certutilPath, "-A", "-d", profile, "-t", "C,,", "-n", uniqueName(cert), "-i", filename)
          		out, err := cmd.CombinedOutput()
          		if err != nil {
          			debug("failed to execute \"certutil -A\": %s\n\n%s", err, out)
          		}
          	}) == 0 {
          		return fmt.Errorf("not NSS security databases found")
          	}
          
          
	// check for the cert in all profiles
          	if !t.Exists(cert) {
          		return fmt.Errorf("certificate cannot be installed in NSS security databases")
          	}
          
          
	debug("certificate installed properly in NSS security databases")
          	return nil
          }

francislavoie · March 14, 2020, 8:27pm

Please try using beta17. beta16 was unfortunately a broken build, so it was quickly rereleased. I’m not sure if the error you’re seeing is because of that, but it might’ve been.

kjellkvinge · March 14, 2020, 8:30pm

Thankyou, Tested with caddy2_beta17_linux_amd64. same error here.

matt · March 14, 2020, 9:21pm

Interesting… thanks for the report. And welcome!

Meh, alright – certificate trust is optional, and without required libraries, I guess it can’t be done successfully.

@kjellkvinge Can you please try building from this commit: pki: Don't treat cert installation failure as error · caddyserver/caddy@acf4dde · GitHub

You will still see an error reported, but it shouldn’t block startup.

kjellkvinge · March 14, 2020, 10:58pm

Thank you for your reply.

With the new build it starts like you say.

Which libraries is required for this to work?

./caddy2_acf4d reverse-proxy
2020/03/14 22:54:25.215 WARN    admin   admin endpoint disabled
2020/03/14 22:54:25.216 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "proxy", "https_port": 443}
2020/03/14 22:54:25.216 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "proxy"}
2020/03/14 22:54:25 [INFO][cache:0xc00049e780] Started certificate maintenance routine
2020/03/14 22:54:25.228 INFO    http    enabling automatic TLS certificate management   {"domains": ["localhost"]}
2020/03/14 22:54:25.229 INFO    tls     cleaned up storage units
2020/03/14 22:54:25 [INFO][localhost] Obtain certificate; acquiring lock...
2020/03/14 22:54:25 [INFO][localhost] Obtain: Lock acquired; proceeding...
2020/03/14 22:54:25 [INFO][localhost] Certificate obtained successfully
2020/03/14 22:54:25 [INFO][localhost] Obtain: Releasing lock
2020/03/14 22:54:25 [WARNING] Stapling OCSP: no OCSP stapling for [localhost]: no OCSP server specified in certificate
2020/03/14 22:54:25.276 WARN    pki.ca.local    trusting root certificate (you might be prompted for password)  {"path": "storage:pki/authorities/local/root.crt"}
2020/03/14 22:54:25.276 ERROR   pki     failed to install root certificate      {"error": "not NSS security databases found", "certificate_file": "storage:pki/authorities/local/root.crt"}
2020/03/14 22:54:25.277 INFO    autosaved config        {"file": "/root/.config/caddy/autosave.json"}
Caddy 2 proxying from http://localhost:443 to http://:80

matt · March 14, 2020, 11:17pm

Depends on your platform:

sudo yum install nss-tools
sudo apt install libnss3-tools
sudo pacman -S nss
sudo zypper install mozilla-nss-tools

(from GitHub - FiloSottile/mkcert: A simple zero-config tool to make locally trusted development certificates with any names you'd like.)

(That particular error just means it couldn’t install trust for Firefox. Definitely non-critical.)

ggilmore · March 16, 2020, 9:23pm

Hi @matt , I’m running Caddy 2.0.0-beta.17 in an ubuntu18.04- docker image (Buildkite CI agent). I ran into the same issue even after installing the libnss library:

(show that libnss and certutil are installed)

root@buildkite-agent-75bbc68d9c-8nzhv:/# apt-get install libnss3-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
libnss3-tools is already the newest version (2:3.35-2ubuntu2.7).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
...
...
root@buildkite-agent-75bbc68d9c-8nzhv:/# certutil
certutil - Utility to manipulate NSS certificate databases

Usage:  certutil <command> -d <database-directory> <options>

Valid commands:
-A              Add a certificate to the database        (create if needed)
-B              Run a series of certutil commands from a batch file
-E              Add an Email certificate to the database (create if needed)
-C              Create a new binary certificate from a BINARY cert request
-G              Generate a new key pair
-D              Delete a certificate from the database
--rename        Change the database nickname of a certificate
-F              Delete a key from the database
-U              List all modules
-K              List all private keys
-L              List all certs, or print out a single named cert (or a subset)
--build-flags   Print enabled build flags relevant for NSS test execution
-M              Modify trust attributes of certificate
-N              Create a new certificate database
-T              Reset the Key database or token
-O              Print the chain of a certificate
-R              Generate a certificate request (stdout)
-V              Validate a certificate
-W              Change the key database password
--upgrade-merge Upgrade an old database and merge it into a new one
--merge         Merge source database into the target database
-S              Make a certificate and add to database

(error still happens when running caddy)

root@buildkite-agent-75bbc68d9c-d5twx:/# caddy version
v2.0.0-beta.17 h1:x+Ur3uX83j+STerOWsrLDlknXe7z71VnO5xD+H2OwAw=
...
root@buildkite-agent-75bbc68d9c-8nzhv:/# caddy reverse-proxy --to localhost:7080
2020/03/16 21:18:31.345	WARN	admin	admin endpoint disabled
2020/03/16 21:18:31.345	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "proxy", "https_port": 443}
2020/03/16 21:18:31.345	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "proxy"}
2020/03/16 21:18:31 [INFO][cache:0xc0007d66e0] Started certificate maintenance routine
2020/03/16 21:18:31.356	INFO	http	enabling automatic TLS certificate management	{"domains": ["localhost"]}
2020/03/16 21:18:31.357	INFO	tls	cleaned up storage units
2020/03/16 21:18:31 [INFO][localhost] Obtain certificate; acquiring lock...
2020/03/16 21:18:31 [INFO][localhost] Obtain: Lock acquired; proceeding...
2020/03/16 21:18:31 [INFO][localhost] Certificate obtained successfully
2020/03/16 21:18:31 [INFO][localhost] Obtain: Releasing lock
2020/03/16 21:18:31 [WARNING] Stapling OCSP: no OCSP stapling for [localhost]: no OCSP server specified in certificate
2020/03/16 21:18:31.393	WARN	pki.ca.local	trusting root certificate (you might be prompted for password)	{"path": "storage:pki/authorities/local/root.crt"}
reverse-proxy: loading new config: pki app module: start: adding root certificate to trust store: not NSS security databases found

Is there another library that I need to install? Or do I need to wait for the team to cut a new release?

matt · March 16, 2020, 9:29pm

If you use Firefox, try running Firefox and then run the caddy command again.

If not, the NSS libs aren’t really needed, so the error is non-critical. If you build from the latest on the v2 branch we treat it as a log entry instead of a fatal error.

system · June 14, 2020, 9:33pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.