For CentOS servers an update for the nss-softokn package was released today: nss-softokn-3.14.3-19.

However, nss-softokn-3.14.3-19 needs nss-softokn-freebl-3.14.3-19 to operate properly, and vice versa, but the packages have no checks in place to make sure that a matching version of the other package is also installed.

Thus, if your yum update installed only one of the packages, you will end up with a broken YUM and RPM.

You might see error messages like these when trying to run YUM and RPM commands:

error: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID xxx BAD

error: rpmdbNextIterator: skipping h# 1784 Header V3 RSA/SHA1 Signature, key ID xxx BAD

Most of the time you will have had nss-softokn-3.14.3-19 installed but not nss-softokn-freebl-3.14.3-19.
To fix this you have to:
1. Manually download nss-softokn-freebl-3.14.3-19

yumdownloader nss-softokn-freebl

or wget the RPMs

64-Bit servers / x86_64 run

wget ftp://195.220.108.108/linux/centos/6.6/updates/x86_64/Packages/nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm

32-Bit Servers / i686 run

wget ftp://195.220.108.108/linux/centos/6.6/updates/i386/Packages/nss-softokn-freebl-3.14.3-19.el6_6.i686.rpm

 

2. Extract the RPM

64-Bit servers / x86_64 run

rpm2cpio nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm | cpio -idmv

32-Bit Servers / i686 run

rpm2cpio nss-softokn-freebl-3.14.3-19.el6_6.i686.rpm | cpio -idmv

 

3. Copy libfreeblpriv3.* to the correct location

64-Bit servers / x86_64 run

cp ./lib64/libfreeblpriv3.* /lib64

32-Bit Servers / i686 run

cp ./lib/libfreeblpriv3.* /lib

 

4. Rerun Yum Update to update nss-softokn-freebl and FIX YUM and RPM

yum update
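
Steps 1 to 3 as one script that picks the file name and library directory from the machine architecture. This is an added example, not part of the original post. Because rpm's own signature checks are failing in this state and the post's download is plain FTP, it first compares the RPM's SHA-256 with a digest you supply from a source you trust; the function names and that digest argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1-3 for either architecture.
VER="3.14.3-19.el6_6"   # package version named in the post

# uname -m value -> RPM arch suffix used in the post's file names
rpm_arch() {
    case "$1" in
        x86_64) echo x86_64 ;;
        i?86)   echo i686 ;;
        *)      return 1 ;;
    esac
}

# RPM arch -> library directory the post copies libfreeblpriv3.* into
lib_dir() {
    case "$1" in
        x86_64) echo /lib64 ;;
        i686)   echo /lib ;;
        *)      return 1 ;;
    esac
}

rpm_file() { echo "nss-softokn-freebl-${VER}.$1.rpm"; }

# Compare a file's SHA-256 with an expected hex digest (hypothetical helper).
verify_sha256() {
    got=$(sha256sum "$1" | cut -d' ' -f1) || return 1
    [ "$got" = "$2" ]
}

# restore_freebl RPM_PATH EXPECTED_SHA256
# EXPECTED_SHA256 is an assumption: obtain it from a source you trust.
restore_freebl() {
    arch=$(rpm_arch "$(uname -m)") || { echo "unsupported arch" >&2; return 1; }
    dest=$(lib_dir "$arch")
    [ "$(basename "$1")" = "$(rpm_file "$arch")" ] || { echo "wrong RPM for $arch" >&2; return 1; }
    verify_sha256 "$1" "$2" || { echo "checksum mismatch, not extracting" >&2; return 1; }
    work=$(mktemp -d) || return 1
    rpm_abs=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
    ( cd "$work" && rpm2cpio "$rpm_abs" | cpio -idm --quiet ) || return 1
    cp -p "$work$dest"/libfreeblpriv3.* "$dest"/ || return 1
    rm -rf "$work"
    echo "libfreeblpriv3 restored in $dest; now run: yum update"
}

# Run only when called with arguments: ./script RPM_PATH EXPECTED_SHA256
if [ "$#" -ge 2 ]; then restore_freebl "$1" "$2"; fi
```

Run it as root with the RPM path and the expected digest, then continue with step 4.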

If you still have problems, you might have to reinstall yum as shown below for a 64-bit server; on 32-bit servers you will need to locate the 32-bit versions of the RPMs. Most servers won’t need this:

wget http://mirror.centos.org/centos/6/os/x86_64/Packages/yum-3.2.29-60.el6.centos.noarch.rpm
wget http://mirror.centos.org/centos/6/os/x86_64/Packages/yum-plugin-fastestmirror-1.1.30-30.el6.noarch.rpm
wget http://mirror.centos.org/centos/6/os/x86_64/Packages/centos-release-6-6.el6.centos.12.2.x86_64.rpm
rpm -ivh --nodeps yum-3.2.29-60.el6.centos.noarch.rpm
rpm -ivh yum-plugin-fastestmirror-1.1.30-30.el6.noarch.rpm
rpm -ivh centos-release-6-6.el6.centos.12.2.x86_64.rpm

I have also had some questions about how to restore an rpmdb that got corrupted while trying to fix the problem. There are two ways:
1. Copy a good copy of the /var/lib/rpm folder over from an identical good server or from a backup – you do have backups, right?

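On the good server or from a backup (the -C option stores the paths relative to /var/lib, so the archive unpacks to /var/lib/rpm when extracted from /var/lib on the broken server):

tar -cf rpmbackup.tar -C /var/lib rpm

Then send the tar over to the bad server.

On the broken server:

cd /var/lib
mv /var/lib/rpm /var/lib/rpm.bak
tar -xf /location/to/rpmbackup.tar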

Then you should be good to go!

2. The second way is to reinstall every RPM ever installed by checking the rpm install log. See the comment below.

Bug Report: https://bugzilla.redhat.com/show_bug.cgi?id=1182337

SOLVED: BUG – CentOS – Yum – RPM Broken by nss-softokn-3.14.3-19.el6_6 Update – error: rpmts_HdrFromFdno – error: rpmdbNextIterator – Header V3 RSA/SHA1 Signature, key ID BAD
