[Nut-upsuser] NSS on Debian Stretch with libnss3: Can not initialize SSL context

Roger Price roger at rogerprice.org
Tue Jul 10 15:25:22 BST 2018


I am unable to get 2.7.4 to work with NSS support as provided by libnss3 
2:3.26.2 on Debian stretch.

Currently NSS supports two database formats identified by prefixes "sql:" for 
the new database and "dbm:" for the legacy database.

I created the NSS database in directory /etc/nut with command

    certutil -N -d dbm:NSS_db --empty-password

I copied over public key and certificate from a working NUT+OpenSSL installation 
and checked them as follows:

List certificates:

   root@gold /etc/nut # certutil -L -d dbm:NSS_db
   Certificate Nickname       Trust Attributes
                              SSL,S/MIME,JAR/XPI
   gold                       Cu,u,u

Check certificates:

   root@gold /etc/nut → certutil -K -d dbm:NSS_db
   certutil: Checking token "NSS Certificate DB" in slot
             "NSS User Private Key and Certificate Services"
   < 0> rsa      df7b376946c8cfe59d74095dfc4b882d081b981b   gold

My upsd.conf is

   # upsd.conf
   LISTEN 0.0.0.0 3493
   CERTPATH /etc/nut/NSS_db
   CERTIDENT gold sekret

but when I run systemctl start nut-server I get the message

   Jul 10 15:02:51 gold upsd[15961]: Connected to UPS [heartbeat]: dummy-ups-heartbeat
   Jul 10 15:02:51 gold upsd[15961]: Connected to UPS [Eaton]: usbhid-ups-Eaton
   Jul 10 15:02:51 gold upsd[15961]: listening on 0.0.0.0 port 3493
   Jul 10 15:02:51 gold upsd[15962]: Startup successful
   Jul 10 15:02:51 gold upsd[15962]: Can not initialize SSL context

The error message comes from netssl.c

 	if (certfile)
 		status = NSS_Init(certfile);
 	else
 		status = NSS_NoDB_Init(NULL);
 	if (status != SECSuccess) {
 		upslogx(LOG_ERR, "Can not initialize SSL context");
 		nss_error("upscli_init / NSS_[NoDB]_Init");
 		return;
 	}

Since certfile is defined, it looks as if legacy NSS_Init is unable to access 
the libnss3 NSS_db database.

Has anyone managed to get NSS support to work with libnss3?  How does one 
specify the dbm: or sql: format?

Roger
___________________________________________________________________

PS, for the brave, here is how I import private key and certificate:

Import private key:

   root@gold /etc/nut # openssl pkcs12 -export -inkey ./keys/gold.key \
                        -in ./keys/gold.crt -out ./keys/gold.p12 -name gold
   Enter Export Password: sekret
   Verifying - Enter Export Password: sekret

   root@gold /etc/nut # pk12util -i ./keys/gold.p12 -d dbm:NSS_db
   Enter password for PKCS12 file: sekret
   pk12util: PKCS12 IMPORT SUCCESSFUL

Import certificate:

   root@gold /etc/nut # openssl x509 -outform der \
                        -in ./keys/gold.pem -out ./keys/gold.der
   root@gold /etc/nut # certutil -A -d dbm:NSS_db -t "C,," \
                        -v 120 -n "gold" -i ./keys/gold.der
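
The two database formats named in the post can be told apart on disk. The script below is an added example, not part of the original message or of NUT: it reports which format a directory holds and whether the key database is world-readable, which matters because the database above was created with --empty-password. The function names are hypothetical; the file names cert8.db/key3.db (dbm) and cert9.db/key4.db (sql) are the standard NSS ones.

```shell
#!/bin/sh
# Added example: identify the on-disk format of an NSS database directory
# and flag a key database that any local user can read.
# Standard NSS file names: cert8.db/key3.db for the legacy "dbm:" format,
# cert9.db/key4.db for the "sql:" format.

# Print "dbm", "sql", "both" or "none" for the directory given as $1.
nss_db_format() {
    dir=$1 has_dbm=no has_sql=no
    [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && has_dbm=yes
    [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ] && has_sql=yes
    case "$has_dbm$has_sql" in
        yesyes) echo both ;;
        yesno)  echo dbm ;;
        noyes)  echo sql ;;
        *)      echo none ;;
    esac
}

# Print the key database files in $1 that are world-readable.
# With --empty-password, file permissions are the only protection
# for the private key.
nss_world_readable_keys() {
    for f in "$1/key3.db" "$1/key4.db"; do
        [ -f "$f" ] && find "$f" -perm -004
    done
    return 0
}

# Report on one directory; the default is the CERTPATH from the post.
nss_db_report() {
    dir=${1:-/etc/nut/NSS_db}
    fmt=$(nss_db_format "$dir")
    echo "format: $fmt"
    case "$fmt" in
        dbm|sql) echo "certutil spec: $fmt:$dir" ;;
        both)    echo "both formats present; name the prefix explicitly" ;;
        none)    echo "no NSS database files found in $dir" ;;
    esac
    exposed=$(nss_world_readable_keys "$dir")
    [ -n "$exposed" ] && echo "world-readable key database: $exposed"
    return 0
}

nss_db_report "$@"
```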
