For CentOS servers an update for the nss-softokn package was release today – nss-softokn-3.14.3-19
However, nss-softokn-3.14.3-19 needs nss-softokn-freebl-3.14.3-19 to operate properly, and vice versa, but those packages do not have checks in place to make sure that a matching version of the other package are also installed.
Thus if you yum update only installed one of the packages you will end up with a broken YUM and RPM.
You might see error messages like these when trying to run YUM and RPM commands:
error: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID xxx BAD
error: rpmdbNextIterator: skipping h# 1784 Header V3 RSA/SHA1 Signature, key ID xxx BAD
Most of the time you will have had nss-softokn-3.14.3-19 installed but not nss-softokn-freebl-3.14.3-19
To fix this you have to:
1. Manually download nss-softokn-freebl-3.14.3-19
yumdownloader nss-softokn-freebl
or wget the RPMs
64-Bit servers / x86_64 run
wget ftp://195.220.108.108/linux/centos/6.6/updates/x86_64/Packages/nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm
32-Bit Servers / i686 run
wget ftp://195.220.108.108/linux/centos/6.6/updates/i386/Packages/nss-softokn-freebl-3.14.3-19.el6_6.i686.rpm
2. Extract the RPM
64-Bit servers / x86_64 run
rpm2cpio nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm | cpio -idmv
32-Bit Servers / i686 run
rpm2cpio nss-softokn-freebl-3.14.3-19.el6_6.i686.rpm | cpio -idmv
3. Copy .libfreeblpriv3.* to correct location
64-Bit servers / x86_64 run
cp ./lib64/libfreeblpriv3.* /lib64
32-Bit Servers / i686 run
cp ./lib/libfreeblpriv3.* /lib
4. Rerun Yum Update to update nss-softokn-freebl and FIX YUM and RPM
yum update
If you still have problems you might have to reinstall yum as below for a 64bit server, 32bit servers will just need to locate the 32bit versions of the rpms! But most servers won’t need this:
wget http://mirror.centos.org/centos/6/os/x86_64/Packages/yum-3.2.29-60.el6.centos.noarch.rpm wget http://mirror.centos.org/centos/6/os/x86_64/Packages/yum-plugin-fastestmirror-1.1.30-30.el6.noarch.rpm wget http://mirror.centos.org/centos/6/os/x86_64/Packages/centos-release-6-6.el6.centos.12.2.x86_64.rpm
rpm -ivh --nodeps yum-3.2.29-60.el6.centos.noarch.rpm rpm -ivh yum-plugin-fastestmirror-1.1.30-30.el6.noarch.rpm rpm -ivh centos-release-6-6.el6.centos.12.2.x86_64.rpm
I have also had some questions about how to restore the rpmdb that got corrupted while trying to fix the problem, there are two ways:
1. Copy a good copy of the /var/lib/rpm folder over from an identical good server of from a backups – you do have backups right?
On good server or from backup:
tar -cf rpmbackup.tar /var/lib/rpm
Then send the tar over to the bad server
On broken server:
cd /var/lib
mv /var/lib/rpm /var/lib/rpm.bak
tar -xf /location/to/rpmbackup.tar
Then you should be good to go!
The second way is to reinstall every rpm ever installed via checking the rpm install log. See the comment below
Bug Report: https://bugzilla.redhat.com/show_bug.cgi?id=1182337
I had literally messed up my CentOS machine. Nothing related to yum seemed to work. I got enough
information from this blog about what all to do when yum goes down.
Thanks a ton!! 🙂
Cracking write-up. Thank you.
One of my system’s was in such as state that the instructions didn’t quite work, but I got enough info from here to be able to fix it.
Basically, I had to rpm2cpio etc etc both nss-softokn-freebl AND nss-softokn, then cp the entire contents of ./lib64 and ./usr into the appropriate places.
yum update worked perfectly after this.
Thank you very much for this solution !! Worked perfect !
This post if f*****g genious! Thank you so much to you and to Elise for updating the wget link.
It worked with 3-23 instead of 3-19
thanks dude !
It’s Worked!
Thanks Very Much!
So I waited WAY too long to discover this thread 🙁
And now I do, the wget mirrors above (and others I’ve tried) no longer work for the nss-softokn-freebl package…
My situation is just as described above, but I don’t know what to do, as I can’t seem to find the updated -freebl package on any mirror!
—> Package nss-softokn.x86_64 0:3.14.3-19.el6_6 will be updated —> Package nss-softokn.x86_64 0:3.14.3-22.el6_6 will be an update —> Package nss-softokn-freebl.x86_64 0:3.14.3-18.el6_6 will be updated —> Package nss-softokn-freebl.x86_64 0:3.14.3-22.el6_6 will be an update
I’ve tried changing the number in the link above from “19” to “22” but it’s still not found.
Do you know how I should proceed here? Sorry I don’t know my way around Yum or RPM, but my yum updater is definitely broken with all the symptoms in this thread! I’m running CentOS Linux 6.6 with Virtualmin 4.13.gpl GPL (and I don’t have “yumdownloader” command available).
I found help on the CentOS forum here: https://www.centos.org/forums/viewtopic.php?f=13&t=51605&p=227286#p227286
If anyone finds this thread, the actual wget link to use now is this (because CentOS 6.7 has been released and the 6.6 files have been moved to vault.centos.org)
wget http://vault.centos.org/6.6/updates/x86_64/Packages/nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm
Nice… Saved a whole lot of trouble!!!
Many thanks for your clear solution.
Worked perfectly
Thank you very much! I couldn’t install some rpms and your solution worked great!
Great guide, fixed the issue with no problems.
Thanks much for the information. I realized webmin hadn’t notified me of updates in a while, and found the problem when attempting to manually update.
Thanks a lot!!
Great article.
You’ve saved my day.
I’m using CentOS 6.6 and it worked perfectly :)…
Much thanks for this explanation, once I located your post the fix was easy to implement and instructions spot on. Much thanks once again, much appreciated.
So brilliant. Thank you very much for this explanation and clear instructions to an aggravating problem.
Thanks, saved me a lot of hair pulling.