CentOS servers an update for the nss-softokn package

For CentOS servers an update for the nss-softokn package was release today – nss-softokn-3.14.3-19
However, nss-softokn-3.14.3-19 needs nss-softokn-freebl-3.14.3-19 to operate properly, and vice versa, but those packages do not have checks in place to make sure that a matching version of the other package are also installed.

Thus if you yum update only installed one of the packages you will end up with a broken YUM and RPM.

You might see error messages like these when trying to run YUM and RPM commands:


error: rpmts_HdrFromFdno: Header V3 RSA/SHA1 Signature, key ID xxx BAD
error: rpmdbNextIterator: skipping h# 1784 Header V3 RSA/SHA1 Signature, key ID xxx BAD
Most of the time you will have had nss-softokn-3.14.3-19 installed but not nss-softokn-freebl-3.14.3-19
To fix this you have to:
1. Manually download nss-softokn-freebl-3.14.3-19

1 yumdownloader nss-softokn-freebl

or wget the RPMs

64-Bit servers / x86_64 run

1 wget ftp://195.220.108.108/linux/centos/6.6/updates/x86_64/Packages/nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm

32-Bit Servers / i686 run

1 wget ftp://195.220.108.108/linux/centos/6.6/updates/i386/Packages/nss-softokn-freebl-3.14.3-19.el6_6.i686.rpm

 

2. Extract the RPM

64-Bit servers / x86_64 run

1 rpm2cpio nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm | cpio -idmv

32-Bit Servers / i686 run

1 rpm2cpio nss-softokn-freebl-3.14.3-19.el6_6.i686.rpm | cpio -idmv

 

3. Copy .libfreeblpriv3.* to correct location

64-Bit servers / x86_64 run

1 cp ./lib64/libfreeblpriv3.* /lib64

32-Bit Servers / i686 run

1 cp ./lib/libfreeblpriv3.* /lib

 

4. Rerun Yum Update to update nss-softokn-freebl and FIX YUM and RPM

1 yum update

If you still have problems you might have to reinstall yum as below for a 64bit server, 32bit servers will just need to locate the 32bit versions of the rpms! But most servers won’t need this:

1 wget http://mirror.centos.org/centos/6/os/x86_64/Packages/yum-3.2.29-60.el6.centos.noarch.rpm
2 wget http://mirror.centos.org/centos/6/os/x86_64/Packages/yum-plugin-fastestmirror-1.1.30-30.el6.noarch.rpm
3 wget http://mirror.centos.org/centos/6/os/x86_64/Packages/centos-release-6-6.el6.centos.12.2.x86_64.rpm
1 rpm -ivh --nodeps yum-3.2.29-60.el6.centos.noarch.rpm
2 rpm -ivh yum-plugin-fastestmirror-1.1.30-30.el6.noarch.rpm
3 rpm -ivh centos-release-6-6.el6.centos.12.2.x86_64.rpm

I have also had some questions about how to restore the rpmdb that got corrupted while trying to fix the problem, there are two ways:
1. Copy a good copy of the /var/lib/rpm folder over from an identical good server of from a backups – you do have backups right?

On good server or from backup:

1 tar -cf rpmbackup.tar /var/lib/rpm

Then send the tar over to the bad server

On broken server:

1 cd /var/lib
1 mv /var/lib/rpm /var/lib/rpm.bak
1 tar -xf /location/to/rpmbackup.tar

Then you should be good to go!

The second way is to reinstall every rpm ever installed via checking the rpm install log. See the comment below

Bug Report: https://bugzilla.redhat.com/show_bug.cgi?id=1182337

 

This post copy from

http://kiteplans.info/2015/01/15/solved-bug-centos-yum-rpm-broken-by-nss-softokn-3-14-3-19-el6_6-update-error-rpmts_hdrfromfdno-error-rpmdbnextiterator-header-v3-rsasha1-signature-key-id-bad/