1

I have a smartcard and reader installed in Debian 8.5; it works under Firefox. I am trying to activate in Chrome. I followed these instructions and got the following:

> cd > modutil -dbdir sql:.pki/nssdb/ -add "CAC Module" -libfile /usr/lib/libcackey.so WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation. Type 'q <enter>' to abort, or <enter> to continue: ERROR: Failed to add module "CAC Module". Probable cause : "File not found".

and yet the file indeed exists

> ls -oh /usr/lib/libcackey.so -rw-r--r-- 1 myuser 122K Sep 30 2015 /usr/lib/libcackey.so

(Oddly, when I tried the same command with sudo, it failed but with a different message, Probable cause : "Failure to load dynamic library".)

I changed the owner of ~/.pki/nssdb/pkcs11.txt from root to me and now I get the message: Probable cause : "Failure to load dynamic library" and the following is the listing

 > modutil -dbdir sql:.pki/nssdb/ -list Listing of PKCS #11 Modules ----------------------------------------------------------- 1. NSS Internal PKCS #11 Module slots: 2 slots attached status: loaded slot: NSS Internal Cryptographic Services token: NSS Generic Crypto Services slot: NSS User Private Key and Certificate Services token: NSS Certificate DB 2. CAC Module library name: /usr/lib/libcackey.so slots: 2 slots attached status: loaded slot: CACKey Slot token: slot: CACKey Slot token: US Government Certificates -----------------------------------------------------------

How do I install the library?

Improve this question
6
  • Does .pki/nssdb/ exist? Commented Aug 8, 2016 at 20:05
  • @depquid Yes, I should have mentioned that. It is a directory with cert9.db, key4.db, and pkcs11.txt. The first two are owned by me, the last one by root. Permissions are all 600. Commented Aug 8, 2016 at 20:41
  • Why is pkcs11.txt owned by root? If it's under your home directory (i.e. in ~/.pki/nssdb), then it should be owned by you. Commented Aug 9, 2016 at 13:09
  • @depquid I don't know why it has that ownership, whatever installed it installed it that way. Nevertheless, I changed ownership. It still fails, but I now get the Probable cause : "Failure to load dynamic library" message. Commented Aug 9, 2016 at 15:08
  • Please add the output of modutil -dbdir sql:.pki/nssdb/ -list to your question. Commented Aug 9, 2016 at 15:31

2 Answers 2

Reset to default
1

You were getting the first error ("File not found") because of incorrect ownership of ~/.pki/nssdb/pkcs11.txt. Since it couldn't be accessed, it appeared to modutil to not exist.

The second error ("Failure to load dynamic library") is because the library is already loaded. See the second entry in the module list: "CAC Module": "library name: /usr/lib/libcackey.so". So there's nothing else to do.

Improve this answer
1
  • OK that is an explanation. In the case where the library is already loaded, I'd say the second message has confusing wording. Regardless, there should have been a time when the library wasn't loaded, and then the modutil command loaded it without an error message, but I never saw a non-error response to the modutil command. Commented Aug 11, 2016 at 19:15
0

The problem apparently was that the ownership of .pki/nssdb/pkcs11.txt was root rather than me. With changed ownership, there is an error message implying that the dynamic library did not load, but everything seems to function correctly.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.