Page 1 of 1

DDEV: certificate database is in an old, unsupported format

PostPosted: Apr 13th, '24, 19:45
by flink
When I start the recommended way to install DDEV, then I try the command:

Code: Select all
sudo curl -fsSL https://ddev.com/install.sh | bash


However I get this output:

Code: Select all
ddev_linux-amd64.v1.22.7.tar.gz: OK
Download verified. Ready to place ddev and mkcert in your /usr/local/bin.
Attempting to unlink any homebrew-installed ddev with 'brew unlink ddev'
Running "sudo mv  -f ddev mkcert macos_ddev_nfs_setup.sh /usr/local/bin/" Please enter your password if prompted.
Installed ddev bash completions in /home/linuxbrew/.linuxbrew/etc/bash_completion.d
zsh completion for ddev was not installed. You may manually install /tmp/ddev_zsh_completion.sh in your zsh-completions directory.
Running mkcert -install, which may request your sudo password.'.
The local CA is already installed in the system trust store! 👍


And then follows the error message:

Code: Select all
ERROR: failed to execute "certutil -A -d dbm:/etc/pki/nssdb": exit status 255

certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.


Code: Select all
[franz@franz-820 ~]$ ls -l /etc/pki/nssdb
total 96
-rw-r--r-- 1 root root 65536 Apr 13 19:28 cert8.db
-rw-r--r-- 1 root root 16384 Apr 13 19:28 key3.db
-rw-r--r-- 1 root root 16384 Aug 17  2011 secmod.db


What must I do to get the new DDEV installed?

Re: certificate/key database is in an old, unsupported forma

PostPosted: Apr 14th, '24, 00:22
by doktor5000
See https://ddev.readthedocs.io/en/stable/u ... tabbed_1_2 - should be able to install the Fedora packages, the script is just an alternative option.

You can also create a copy of that directory and convert the databases there like this: https://stackoverflow.com/a/37400981/4017010

Although this can also happen if you simply don't have write permissions on that database: https://osric.com/chris/accidental-deve ... ed-format/

Re: certificate/key database is in an old, unsupported forma

PostPosted: Apr 26th, '24, 08:39
by flink
This looks good!

I am starting again with

Code: Select all
brew install mkcert



My installation of Homebrew on Linux is completely outdated. :oops:

With the lated brew installation I continue and end up here:

Code: Select all
[franz@franz-820 ~]$ mkcert -install
The local CA is already installed in the system trust store! 👍
ERROR: failed to execute "certutil -A -d dbm:/etc/pki/nssdb": exit status 255

certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.


I am still working on it to follow your other links.

Re: certificate/key database is in an old, unsupported forma

PostPosted: Apr 26th, '24, 09:05
by flink
Now I follow the Stackoverflow recommendations and end up here:


Code: Select all
 
[franz@franz-820 ~]$ certutil -L -d sql:${HOME}/.pki/nssdb 

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

mkcert development CA 213017914528344141664923888219294936  C,,

[franz@franz-820 ~]$ mkcert -install
The local CA is already installed in the system trust store! 👍
ERROR: failed to execute "certutil -A -d dbm:/etc/pki/nssdb": exit status 255

certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.


certutil -L
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.

Re: certificate/key database is in an old, unsupported forma

PostPosted: Apr 26th, '24, 16:06
by doktor5000
You're still running the installation as regular user, no wonder you get an error for /etc/pki/nssdb due to missing write access.

Re: certificate/key database is in an old, unsupported forma

PostPosted: Apr 26th, '24, 18:31
by flink
Now I do the same as root user and get:


Code: Select all
[root@franz-820 ~]# mkcert -install
The local CA is already installed in the system trust store! 👍
The local CA is already installed in the Firefox and/or Chrome/Chromium trust store! 👍

[root@franz-820 ~]# certutil -L
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
[root@franz-820 ~]#
:cry:


Code: Select all
[root@franz-820 ~]# certutil -A -d dbm:/etc/pki/nssdb
certutil -A: nickname is required for this command (-n).

Re: certificate/key database is in an old, unsupported forma

PostPosted: Jun 5th, '24, 10:33
by flink
This works.


Code: Select all
[root@franz-820 ~]# certutil -L -d sql:/etc/pki/nssdb 

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

mkcert development CA 106724762252176102372202628437625727685 C,,

Re: certificate/key database is in an old, unsupported forma

PostPosted: Jun 5th, '24, 22:42
by flink
What must I do here?

Installed ddev bash completions in /home/linuxbrew/.linuxbrew/etc/bash_completion.d
zsh completion for ddev was not installed. You may manually install /tmp/ddev_zsh_completion.sh in your zsh-completions directory.


Which zsh_completion must I install to get the script running?

Code: Select all
[franz@franz-820 DDEV]$ sudo urpmi zsh_completion
No package named zsh_completion


install_ddev.sh

Re: certificate/key database is in an old, unsupported forma

PostPosted: Jun 6th, '24, 01:44
by Germ
search for zsh in rpmdrake. There are several zsh-completion packages. Don't know which one you need...

Re: certificate/key database is in an old, unsupported forma

PostPosted: Jun 8th, '24, 11:53
by doktor5000
If you don't use zsh as your shell no need to install anything.

Re: certificate/key database is in an old, unsupported forma

PostPosted: Jun 22nd, '24, 17:40
by flink
:o

Thank you for this hint. Then I am fine to use the bash and I install nothing for zsh.