[GH-ISSUE #558] Certutil process is continuously running and not returning when creating new NSS DB #328

Closed
opened 2026-02-25 22:33:07 +03:00 by kerem · 3 comments

Originally created by @skrati on GitHub (Nov 17, 2023).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/558

Hi,

I am trying to create a new NSS DB by running the following command using popen and reading the output. Please find the code snippet below.
The code below gets stuck after the cout "Before closing Pipe" in the catch block.

```
char c_abuffer[128];
CString c_strFinalCmd, strResult;
c_strFinalCmd = " certutil -N -d sql:/platform/tmp/.pki/nssdb --empty-password 2>&1 ";
try {
    pipe = popen(c_strFinalCmd.c_str(), "r");

    //Below fgets throwing exception internally - error "basic_string::append " with type "St12length_error"
    while (fgets(c_abuffer, sizeof c_abuffer, pipe) != NULL)
        strResult += c_abuffer;
    cout << "Success .. " << endl;
}
catch (exception& e)
{
    if (pipe)
    {
        cout << "Before closing pipe" << endl;
        pclose(pipe);
    }
    cout << "ExecuteCommand failed" << endl;
    throw;
}
```

After checking the processes running, saw that certutil is running continuously and not returning.

```
ps -ef | grep certutil
root 2933 2234 0 Nov10 ? 00:00:00 sh -c certutil -N -d sql:/platform/tmp/.pki/nssdb --empty-password 2>&1
root 2943 2933 89 Nov10 ? 01:05:50 certutil -N -d sql:/platform/tmp/.pki/nssdb --empty-password
root 6715 21209 0 13:13 ttyS2 00:00:00 grep certutil
```

Below is the gdb output of certutil -

```
#0 0xf7714b39 in __kernel_vsyscall ()
#1 0xf737a033 in __open_nocancel () at ../sysdeps/unix/syscall-template.S:81
#2 0xf730cab7 in __GI__IO_file_open (fp=0x80cda00,
filename=0x8072674 "/dev/tty", posix_mode=0, prot=438, read_write=8,
is32not64=1) at fileops.c:227
#3 0xf730cc59 in _IO_new_file_fopen (fp=0x80cda00,
filename=0x8072674 "/dev/tty", mode=<optimized out>, is32not64=1)
at fileops.c:332
#4 0xf73016c1 in __fopen_internal (filename=0x8072674 "/dev/tty",
mode=0x8060eaf "r", is32=1) at iofopen.c:90
#5 0xf730172e in _IO_new_fopen (filename=0x8072674 "/dev/tty",
mode=0x8060eaf "r") at iofopen.c:103
#6 0x08058305 in ?? ()
#7 0x08058699 in SECU_GetModulePassword ()
#8 0x08058a89 in ?? ()
#9 0x080536bb in ?? ()
#10 0x0804f15a in ?? ()
#11 0xf72b7efe in __libc_start_main (main=0x804f130, argc=5, argv=0xffdda0e4,
init=0x805f890, fini=0x805f8f0, rtld_fini=0xf7724820 <_dl_fini>,
stack_end=0xffdda0dc) at libc-start.c:287
#12 0x0804f197 in ?? ()
(gdb) detach
Detaching from program: /usr/bin/certutil, process 3278
(gdb) quit
```

Below is the strace output of certutil, coming continuously -

```
write(2, "Invalid password. Try again.\n", 30) = -1 EPIPE (Broken pipe)
--- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=2943, si_uid=0} ---
open("/dev/tty", O_RDONLY) = -1 ENXIO (No such device or address)
write(2, "Error opening input terminal for"..., 38) = -1 EPIPE (Broken pipe)
--- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=2943, si_uid=0} ---
gettimeofday({1699704735, 608686}, NULL) = 0
write(2, "Invalid password. Try again.\n", 30) = -1 EPIPE (Broken pipe)
```

When I tried to open FD 2, the messages below keep coming, endlessly:

```
Error opening input terminal for read
Invalid password. Try again.
```

Please let me know why certutil command is not returning.
Thanks
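Added example, not code from the issue or from mkcert: `pclose()` waits for the child to exit, so a certutil that never returns blocks the catch block shown above. The hypothetical `run_bounded` helper below (its name, the deadline and the output cap are assumptions) runs a command without a shell, gives it `/dev/null` as stdin, bounds both run time and captured output, and kills the child when either limit is hit; it contains the hang and does not address why certutil prompts.

```cpp
#include <chrono>
#include <string>
#include <vector>
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

struct RunResult { std::string output; int status = -1; bool killed = false; };

// Hypothetical helper (not from the issue): capture stdout+stderr of argv and
// SIGKILL its process group once timeout_ms elapses or max_bytes is exceeded.
RunResult run_bounded(const std::vector<std::string>& argv, int timeout_ms, size_t max_bytes) {
    RunResult r;
    std::vector<char*> args;              // built before fork(): no allocation in the child
    for (const auto& a : argv) args.push_back(const_cast<char*>(a.c_str()));
    args.push_back(nullptr);
    int fds[2];
    if (pipe(fds) != 0) return r;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return r; }
    if (pid == 0) {                       // child
        setpgid(0, 0);                    // own group, so helpers it spawns die with it
        int devnull = open("/dev/null", O_RDONLY);
        if (devnull >= 0) dup2(devnull, STDIN_FILENO);
        dup2(fds[1], STDOUT_FILENO); dup2(fds[1], STDERR_FILENO);
        close(fds[0]); close(fds[1]);
        execvp(args[0], args.data());
        _exit(127);                       // exec failed
    }
    setpgid(pid, pid);                    // same call in the parent closes the race
    close(fds[1]);
    auto deadline = std::chrono::steady_clock::now() + std::chrono::milliseconds(timeout_ms);
    char buf[4096];
    for (;;) {
        auto left = std::chrono::duration_cast<std::chrono::milliseconds>(
            deadline - std::chrono::steady_clock::now()).count();
        struct pollfd p = {fds[0], POLLIN, 0};
        if (left <= 0 || poll(&p, 1, static_cast<int>(left)) <= 0) { r.killed = true; break; }
        ssize_t n = read(fds[0], buf, sizeof buf);
        if (n <= 0) break;                // EOF: every writer closed the pipe
        r.output.append(buf, static_cast<size_t>(n));
        if (r.output.size() > max_bytes) { r.output.resize(max_bytes); r.killed = true; break; }
    }
    if (r.killed) kill(-pid, SIGKILL);    // kill first, then reap: waitpid cannot block
    close(fds[0]);
    waitpid(pid, &r.status, 0);           // a child that closed its output but keeps running is not handled
    return r;
}
```

A caller would pass the certutil argument vector from the issue in place of the shell string and treat `killed == true` as a failure to report.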

kerem closed this issue 2026-02-25 22:33:07 +03:00

@skrati commented on GitHub (Feb 6, 2024):

No response so closing it
thanks


@darioseidl commented on GitHub (Aug 17, 2024):

I have the same problem. `mkcert -install` hangs trying to install into the nssdb, because `certutil` hangs.

I assume the culprit is

> Error opening input terminal for read

Looks like certutil wants to ask for a password, but for some reason cannot open /dev/tty for reading.


@darioseidl commented on GitHub (Aug 17, 2024):

Seems to be a permission problem.
I managed to work around it by starting bash with root privileges, but keeping my environment (including $HOME):
`tmp=$(mktemp); export >$tmp; sudo bash -c ". $tmp; exec bash"`
and then run `mkcert -install`.
To verify that it worked: `certutil -L -d .pki/nssdb/` in the same root bash session.
