1/16/15

Header V3 RSA/SHA1 Signature, key ID BAD - Bug Resolved


For CentOS servers, an update for the nss-softokn package was released today: nss-softokn-3.14.3-19. However, nss-softokn-3.14.3-19 needs nss-softokn-freebl-3.14.3-19 to operate properly, and vice versa, but those packages do not have checks in place to make sure that a matching version of the other package is also installed.

Thus, if your yum update installed only one of the packages, you will end up with a broken YUM and RPM.

You might see error messages like these when trying to run YUM and RPM commands:

error: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID xxx BAD

error: rpmdbNextIterator: skipping h# 1784 Header V3 RSA/SHA1 Signature, key ID xxx BAD


Most of the time you will have nss-softokn-3.14.3-19 installed but not nss-softokn-freebl-3.14.3-19.

To fix this you have to:

1. Manually download nss-softokn-freebl-3.14.3-19


yumdownloader nss-softokn-freebl

or wget the RPMs

64-Bit servers / x86_64 run

wget ftp://195.220.108.108/linux/centos/6.6/updates/x86_64/Packages/nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm

32-Bit Servers / i686 run

wget ftp://195.220.108.108/linux/centos/6.6/updates/i386/Packages/nss-softokn-freebl-3.14.3-19.el6_6.i686.rpm

Note: The FTP IP address above grabs the rpm package from an RPMFIND mirror in France, but you can get it from any other mirror that you usually use.

2. Extract the RPM

64-Bit servers / x86_64 run

rpm2cpio nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm | cpio -idmv

32-Bit Servers / i686 run

rpm2cpio nss-softokn-freebl-3.14.3-19.el6_6.i686.rpm | cpio -idmv

3. Copy libfreeblpriv3.* to the correct location

64-Bit servers / x86_64 run

cp ./lib64/libfreeblpriv3.* /lib64

32-Bit Servers / i686 run

cp ./lib/libfreeblpriv3.* /lib


4. Rerun Yum Update to update nss-softokn-freebl and FIX YUM and RPM

yum update
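
The steps above fetch an RPM over plain FTP while rpm's own signature checks are failing, so it is worth gating the copy in step 3 on a checksum obtained separately. The script below is an added example, not part of the original post: the function names are hypothetical, and the expected SHA-256 is assumed to come from a source you trust.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical;
# the expected SHA-256 must come from a source you trust, obtained separately.

# Map `uname -m` output to the library directory used in step 3.
libdir_for_arch() {
    case "$1" in
        x86_64) echo lib64 ;;
        i386|i486|i586|i686) echo lib ;;
        *) return 1 ;;
    esac
}

# Succeed only if FILE hashes to EXPECTED (64 hex digits, any letter case).
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 2
    [ "${#expected}" -eq 64 ] || return 2   # refuse empty or truncated values
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Steps 2 and 3, run only after the checksum matches.
# usage: install_freebl RPM EXPECTED_SHA256 ARCH [DEST_ROOT]
install_freebl() {
    rpm_file=$1; want=$2; arch=$3; dest_root=${4:-}
    case "$rpm_file" in /*) ;; *) rpm_file=$PWD/$rpm_file ;; esac
    libdir=$(libdir_for_arch "$arch") || { echo "unsupported arch: $arch" >&2; return 1; }
    verify_sha256 "$rpm_file" "$want" || { echo "checksum check failed: nothing copied" >&2; return 1; }
    work=$(mktemp -d) || return 1
    status=0
    # Extract in a scratch directory instead of the current one.
    if ( cd "$work" && rpm2cpio "$rpm_file" | cpio -idm --quiet ); then
        cp "$work/$libdir"/libfreeblpriv3.* "$dest_root/$libdir/" || status=1
    else
        status=1
    fi
    rm -rf "$work"
    return "$status"
}
```

Call it as install_freebl followed by the downloaded RPM, the expected SHA-256 and the output of uname -m, then continue with step 4.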

-----------------------------------------------------------------------------------

Bug Report: https://bugzilla.redhat.com/show_bug.cgi?id=1182337

