[GH-ISSUE #83] Certutil error on fresh Mac OS Mojave install #43

Closed
opened 2026-02-25 22:32:27 +03:00 by kerem · 12 comments

Originally created by @selfagency on GitHub (Oct 26, 2018).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/83

when i attempt to install mkcert, i get the following error:

```
➜ mkcert -install
Using the local CA at "/Users/daniel/Library/Application Support/mkcert" ✨
Password:
The local CA is now installed in the system trust store! ⚡️
ERROR: failed to execute "certutil -A": exit status 255

certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
```

when i google the issue, it says i need to initialize the nss database. i did this, however, and still get the same error above.

```
➜ ls -la ~/.pki/nssdb/
total 136
drwx------  5 daniel  staff    160 Oct 25 22:45 .
drwxr-xr-x  3 daniel  staff     96 Oct 25 22:44 ..
-rw-------  1 daniel  staff  28672 Oct 25 22:45 cert9.db
-rw-------  1 daniel  staff  36864 Oct 25 22:45 key4.db
-rw-------  1 daniel  staff    431 Oct 25 22:45 pkcs11.txt
```
kerem closed this issue 2026-02-25 22:32:27 +03:00

@adamdecaf commented on GitHub (Oct 26, 2018):

What version are you on? How did you initialize the db?


@selfagency commented on GitHub (Oct 26, 2018):

Mac OS 10.14
mkcert 1.1.2

```
mkdir -p ~/.pki/nssdb
chmod 700 ~/.pki/nssdb
certutil -d ~/.pki/nssdb -N
```

also tried

```
certutil -d sql:$HOME/.pki/nssdb -N
```

with the same result


@adamdecaf commented on GitHub (Oct 26, 2018):

Can you delete ~/.pki, load a few https sites in Firefox and then run mkcert?


@selfagency commented on GitHub (Oct 26, 2018):

same deal


@selfagency commented on GitHub (Oct 26, 2018):

hmm seems to work if i use sudo


@selfagency commented on GitHub (Oct 26, 2018):

ok, so i have both firefox and firefox developer edition installed. after using `sudo`, it added the CA to the developer edition, but not the regular edition. and if i try to do `mkcert -install` without `sudo`, i get the error above.


@adamdecaf commented on GitHub (Oct 27, 2018):

Hmm, is the path different than what's mentioned in https://github.com/FiloSottile/mkcert/issues/51 ?


@selfagency commented on GitHub (Oct 27, 2018):

Both Firefox and Firefox Dev Ed are in /Applications and my data folder is /Users/daniel/Library/Application Support/Firefox.


@adamdecaf commented on GitHub (Nov 10, 2018):

I just realized `~/.pki/nssdb/` is the linux path, what's at this filepath:

```
$ ls -l ~/Library/Application\ Support/Firefox/Profiles/*.default/ | grep '.db'
-rw-------@ 1 adam  staff    327680 Nov 10 13:32 cert9.db
-rw-------@ 1 adam  staff    294912 Nov 10 13:32 key4.db
```

@selfagency commented on GitHub (Nov 12, 2018):

```
➜ ls -l ~/Library/Application\ Support/Firefox/Profiles/*.default/ | grep '.db'
-rw-------   1 root    staff     28672 Oct 26 17:08 cert9.db
-rw-------   1 root    staff     36864 Oct 26 17:08 key4.db
```

@adamdecaf commented on GitHub (Nov 13, 2018):

Can `mkcert` read those files? They're owned by root and not world readable.


@selfagency commented on GitHub (Nov 13, 2018):

changing the owner to myself seems to have worked. thanks for your help!

```
➜ sudo chown -R daniel:staff ~/Library/Application\ Support/Firefox/Profiles/*.default/
➜ mkcert -install
Using the local CA at "/Users/daniel/Library/Application Support/mkcert" ✨
```
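
The condition this thread ended on, as an added example that is not part of the original issue or of mkcert: NSS database files in a Firefox profile that belong to another user (root, in the listing above) cannot be opened by an unprivileged `certutil -A`. The names `owner_uid` and `check_nss_owner` and the `run` argument are hypothetical; the profile path is the macOS one quoted in the thread.

```shell
#!/bin/sh
# Added example: list NSS database files in Firefox profiles that are not
# owned by the expected user, the state that broke "mkcert -install" above.

# owner_uid FILE -> prints the numeric owner uid.
# Parses `ls -ln` so it behaves the same on macOS and Linux.
owner_uid() {
    ls -ln "$1" | awk 'NR == 1 { print $3 }'
}

# check_nss_owner PROFILES_DIR [UID]
# Prints "uid<TAB>path" for every cert9.db / key4.db not owned by UID
# (default: the calling user).
# Returns 0 if all match, 1 if any differ, 2 if PROFILES_DIR is missing.
check_nss_owner() {
    profiles=$1
    want=${2:-$(id -u)}
    [ -d "$profiles" ] || return 2
    bad=0
    for db in "$profiles"/*/cert9.db "$profiles"/*/key4.db; do
        [ -e "$db" ] || continue    # unmatched glob or profile without a db
        have=$(owner_uid "$db")
        if [ "$have" != "$want" ]; then
            printf '%s\t%s\n' "$have" "$db"
            bad=1
        fi
    done
    return "$bad"
}

# Stand-alone use: pass "run" to check the macOS profile directory
# mentioned in the thread for the current user.
if [ "${1:-}" = "run" ]; then
    check_nss_owner "$HOME/Library/Application Support/Firefox/Profiles" \
        || echo "mis-owned NSS files found; chown the profile back to $(id -un)"
fi
```

A uid of `0` in the first column corresponds to the root-owned `cert9.db` and `key4.db` shown in the listing, which the `chown` in the final comment corrected.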