Caddy 2 fails to start: not NSS security databases found

1. My Caddy version (caddy version):

caddy2_beta16_linux_amd64 and caddy2_beta17_linux_amd64

2. How I run Caddy:

./caddy2_beta16_linux_amd64 reverse-proxy

This situation appears even without a config file.

a. System environment:

A new VM, minimal debian buster installation.

b. Command:

./caddy2_beta16_linux_amd64 reverse-proxy

d. My complete Caddyfile or JSON config:

# Caddy 2 Caddyfile; the v1 "proxy /" directive does not exist in v2,
# the equivalent is reverse_proxy
localhost:2016 {
	reverse_proxy 192.168.10.101:80
}

3. The problem I’m having:

4. Error messages and/or full log output:

2020/03/14 19:59:21.812 WARN    admin   admin endpoint disabled
2020/03/14 19:59:21.813 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "proxy", "https_port": 443}
2020/03/14 19:59:21.813 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "proxy"}
2020/03/14 19:59:21 [INFO][cache:0xc000436780] Started certificate maintenance routine
2020/03/14 19:59:21.825 INFO    tls     cleaned up storage units
2020/03/14 19:59:21.871 WARN    pki.ca.local    trusting root certificate (you might be prompted for password)  {"path": "storage:pki/authorities/local/root.crt"}
2020/03/14 19:59:21 define JAVA_HOME environment variable to use the Java trust
reverse-proxy: loading new config: pki app module: start: adding root certificate to trust store: not NSS security databases found

5. What I already tried:

I have tested version 1 of Caddy, which seems to work. The first attempt came up with a note to install libnss3-tools, which I did.

I have tried to figure out what "not NSS security databases found" means. My googling skills failed me.
This is the first time I've played with Caddy, so I guess it's me and not you :slight_smile:

Thank you for your work.

6. Links to relevant resources:

Is it this error?

Please try using beta17. beta16 was unfortunately a broken build, so it was quickly rereleased. I’m not sure if the error you’re seeing is because of that, but it might’ve been.

Thank you. Tested with caddy2_beta17_linux_amd64, same error here.

Interesting… thanks for the report. And welcome!

Meh, alright – certificate trust is optional, and without required libraries, I guess it can’t be done successfully.

@kjellkvinge Can you please try building from this commit: https://github.com/caddyserver/caddy/commit/acf4dde1dd1fa2d30b76c19009e5a7019cce0b2b

You will still see an error reported, but it shouldn’t block startup.

Thank you for your reply.

With the new build it starts like you say.

Which libraries are required for this to work?

./caddy2_acf4d reverse-proxy
2020/03/14 22:54:25.215 WARN    admin   admin endpoint disabled
2020/03/14 22:54:25.216 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "proxy", "https_port": 443}
2020/03/14 22:54:25.216 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "proxy"}
2020/03/14 22:54:25 [INFO][cache:0xc00049e780] Started certificate maintenance routine
2020/03/14 22:54:25.228 INFO    http    enabling automatic TLS certificate management   {"domains": ["localhost"]}
2020/03/14 22:54:25.229 INFO    tls     cleaned up storage units
2020/03/14 22:54:25 [INFO][localhost] Obtain certificate; acquiring lock...
2020/03/14 22:54:25 [INFO][localhost] Obtain: Lock acquired; proceeding...
2020/03/14 22:54:25 [INFO][localhost] Certificate obtained successfully
2020/03/14 22:54:25 [INFO][localhost] Obtain: Releasing lock
2020/03/14 22:54:25 [WARNING] Stapling OCSP: no OCSP stapling for [localhost]: no OCSP server specified in certificate
2020/03/14 22:54:25.276 WARN    pki.ca.local    trusting root certificate (you might be prompted for password)  {"path": "storage:pki/authorities/local/root.crt"}
2020/03/14 22:54:25.276 ERROR   pki     failed to install root certificate      {"error": "not NSS security databases found", "certificate_file": "storage:pki/authorities/local/root.crt"}
2020/03/14 22:54:25.277 INFO    autosaved config        {"file": "/root/.config/caddy/autosave.json"}
Caddy 2 proxying from http://localhost:443 to http://:80


Depends on your platform:

sudo yum install nss-tools
sudo apt install libnss3-tools
sudo pacman -S nss
sudo zypper install mozilla-nss-tools

(from https://github.com/FiloSottile/mkcert)

(That particular error just means it couldn’t install trust for Firefox. Definitely non-critical.)

Hi @matt, I'm running Caddy 2.0.0-beta.17 in an Ubuntu 18.04 docker image (Buildkite CI agent). I ran into the same issue even after installing the libnss library:

(show that libnss and certutil are installed)

root@buildkite-agent-75bbc68d9c-8nzhv:/# apt-get install libnss3-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
libnss3-tools is already the newest version (2:3.35-2ubuntu2.7).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
...
...
root@buildkite-agent-75bbc68d9c-8nzhv:/# certutil
certutil - Utility to manipulate NSS certificate databases

Usage:  certutil <command> -d <database-directory> <options>

Valid commands:
-A              Add a certificate to the database        (create if needed)
-B              Run a series of certutil commands from a batch file
-E              Add an Email certificate to the database (create if needed)
-C              Create a new binary certificate from a BINARY cert request
-G              Generate a new key pair
-D              Delete a certificate from the database
--rename        Change the database nickname of a certificate
-F              Delete a key from the database
-U              List all modules
-K              List all private keys
-L              List all certs, or print out a single named cert (or a subset)
--build-flags   Print enabled build flags relevant for NSS test execution
-M              Modify trust attributes of certificate
-N              Create a new certificate database
-T              Reset the Key database or token
-O              Print the chain of a certificate
-R              Generate a certificate request (stdout)
-V              Validate a certificate
-W              Change the key database password
--upgrade-merge Upgrade an old database and merge it into a new one
--merge         Merge source database into the target database
-S              Make a certificate and add to database

(error still happens when running caddy)

root@buildkite-agent-75bbc68d9c-d5twx:/# caddy version
v2.0.0-beta.17 h1:x+Ur3uX83j+STerOWsrLDlknXe7z71VnO5xD+H2OwAw=
...
root@buildkite-agent-75bbc68d9c-8nzhv:/# caddy reverse-proxy --to localhost:7080
2020/03/16 21:18:31.345	WARN	admin	admin endpoint disabled
2020/03/16 21:18:31.345	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "proxy", "https_port": 443}
2020/03/16 21:18:31.345	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "proxy"}
2020/03/16 21:18:31 [INFO][cache:0xc0007d66e0] Started certificate maintenance routine
2020/03/16 21:18:31.356	INFO	http	enabling automatic TLS certificate management	{"domains": ["localhost"]}
2020/03/16 21:18:31.357	INFO	tls	cleaned up storage units
2020/03/16 21:18:31 [INFO][localhost] Obtain certificate; acquiring lock...
2020/03/16 21:18:31 [INFO][localhost] Obtain: Lock acquired; proceeding...
2020/03/16 21:18:31 [INFO][localhost] Certificate obtained successfully
2020/03/16 21:18:31 [INFO][localhost] Obtain: Releasing lock
2020/03/16 21:18:31 [WARNING] Stapling OCSP: no OCSP stapling for [localhost]: no OCSP server specified in certificate
2020/03/16 21:18:31.393	WARN	pki.ca.local	trusting root certificate (you might be prompted for password)	{"path": "storage:pki/authorities/local/root.crt"}
reverse-proxy: loading new config: pki app module: start: adding root certificate to trust store: not NSS security databases found

Is there another library that I need to install? Or do I need to wait for the team to cut a new release?

If you use Firefox, try running Firefox and then run the caddy command again.

If not, the NSS libs aren’t really needed, so the error is non-critical. If you build from the latest on the v2 branch we treat it as a log entry instead of a fatal error.
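The two replies above explain the error only indirectly: having certutil installed is not enough, because certutil operates on an NSS database (Firefox's `cert9.db`/`cert8.db` per profile, or the user-wide `~/.pki/nssdb`), and on a fresh VM or CI container no such database exists until Firefox has run once or one is created by hand. The script below is an added example, not code from Caddy or mkcert: it lists the databases certutil would see, creates `~/.pki/nssdb` when there are none, and installs the local root with the `C,,` trust flags (trusted to issue TLS server certificates only). The root certificate path, the Firefox profile glob and the certificate nickname are assumptions for illustration; the log shows only the storage-relative path `pki/authorities/local/root.crt`.

```shell
#!/bin/sh
# Added example (not Caddy's or mkcert's own code). Assumptions:
#   - Caddy's local root is at $HOME/.local/share/caddy/pki/authorities/local/root.crt
#     (the log only shows "storage:pki/authorities/local/root.crt")
#   - Firefox profiles live under $HOME/.mozilla/firefox/<profile>/
#   - the nickname "Caddy Local Authority" is arbitrary

# Print every NSS database directory under $1 with the prefix certutil needs:
# cert9.db is the SQLite format ("sql:"), cert8.db the legacy Berkeley DB
# format ("dbm:"). Prints nothing when no database exists, which is exactly
# the state that produces "not NSS security databases found".
find_nss_dbs() {
    base="$1"
    for db in "$base"/.pki/nssdb "$base"/.mozilla/firefox/*/; do
        if [ -f "$db/cert9.db" ]; then
            printf 'sql:%s\n' "${db%/}"
        elif [ -f "$db/cert8.db" ]; then
            printf 'dbm:%s\n' "${db%/}"
        fi
    done
}

# Make sure at least one database exists: when none is found, create the
# user-wide one with an empty password (the same thing Firefox or Chrome
# would do on first start), then print the resulting list.
ensure_nss_db() {
    base="$1"
    if [ -z "$(find_nss_dbs "$base")" ]; then
        mkdir -p "$base/.pki/nssdb"
        certutil -N -d "sql:$base/.pki/nssdb" --empty-password || return 1
    fi
    find_nss_dbs "$base"
}

# Install the root certificate $2 into every database under $1.
# -t "C,," trusts it for SSL server certificates only, not email or code
# signing, which is the least trust a local development CA needs.
install_root() {
    base="$1"
    cert="$2"
    nick="Caddy Local Authority"   # assumed nickname, any string works
    if ! command -v certutil >/dev/null 2>&1; then
        echo "certutil not found: install libnss3-tools / nss-tools / nss" >&2
        return 1
    fi
    [ -f "$cert" ] || { echo "root certificate not found: $cert" >&2; return 1; }
    ensure_nss_db "$base" | while read -r db; do
        # -A adds the cert; re-running is harmless, certutil keeps the entry
        certutil -d "$db" -A -t "C,," -n "$nick" -i "$cert" \
            && certutil -d "$db" -L -n "$nick" >/dev/null \
            && echo "installed into $db" \
            || echo "failed to install into $db" >&2
    done
}

# Usage: sh nss-trust.sh [path/to/root.crt]
# Defaults to the assumed Caddy storage location for the current user.
if [ "$#" -ge 1 ]; then
    install_root "$HOME" "$1"
elif [ -n "${NSS_TRUST_RUN:-}" ]; then
    install_root "$HOME" "$HOME/.local/share/caddy/pki/authorities/local/root.crt"
fi
```

Run it as the same user that runs Caddy; `find_nss_dbs "$HOME"` alone is a quick way to confirm whether the error is "no certutil" or "no database", since the second case is the one that installing `libnss3-tools` does not fix. In a throwaway CI container the simplest answer is still the one in the last reply: ignore the non-fatal log entry, because nothing in the container will ever consult the Firefox trust store.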