The command from postinst asks for a password if executed in a dir. which has the files already, it seems (so in case of second and further command invocations). And same happens in case of installing twice from the ebuild. It seems to be so because there is a wrong condition in pkg_postinst that tries to avoid this: checks for cert8.db but the command creates cert9.db. Happens with net-vpn/libreswan-3.22 and IIRC also 3.21, probably the newer versions as well.
Update: changing the if to cert9.db does not help when cert8.db is present because it still asks for the password.
Confirm it.
Maybe, certutil -N -d "${IPSEC_CONFDIR}" --empty-password instead of certutil -N -d "${IPSEC_CONFDIR}" -f <(echo) ?
I've never seen this when updating. Looking at https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan#Creating_the_NSS_db_for_use_with_libreswan this code is outdated anyway as evidenced by the mention of cert9.db. I've gone with Alexander's suggestion of using --empty-password, and I've added an einfo on how to set one in accordance with the libreswan documentation.
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f8ab4c6aa28f7ec1e54c2a112d3c400119499af commit 3f8ab4c6aa28f7ec1e54c2a112d3c400119499af Author: Hans de Graaff <graaff@gentoo.org> AuthorDate: 2018-11-12 20:03:11 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2018-11-12 20:03:27 +0000 net-vpn/libreswan: avoid interaction in pkg_postinst Generate the NSS database with an emtpy password like other distributions do and indicate how to change that. Also check for the non-deprecated cert9.db file. Fixes: https://bugs.gentoo.org/649068 Signed-off-by: Hans de Graaff <graaff@gentoo.org> Package-Manager: Portage-2.3.51, Repoman-2.3.11 net-vpn/libreswan/libreswan-3.27-r1.ebuild | 113 +++++++++++++++++++++++++++++ 1 file changed, 113 insertions(+)