Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 743995 - net-misc/curl[nss]: 'WARNING: failed to load NSS PEM library' with USE="nss openssl"
Summary: net-misc/curl[nss]: 'WARNING: failed to load NSS PEM library' wi...
Status: RESOLVED DUPLICATE of bug 768912
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Anthony Basile
Depends on:
Reported: 2020-09-21 18:19 UTC by Sam James
Modified: 2021-02-08 16:20 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-21 18:19:53 UTC
Some users [0] are hitting problems involving NSS:
> $ curl -v 
> *   Trying 
> * Connected to ( port 443 (#0) 
> * Initializing NSS with certpath: none 
> * WARNING: failed to load NSS PEM library Using OpenSSL PEM certificates will not work. 
> *   CAfile: /etc/ssl/certs/ca-certificates.crt 
>  CApath: /etc/ssl/certs 
>* Closing connection 0 
>curl: (77) Problem with the SSL CA cert (path? access rights?)

Interestingly, USE="nss -openssl" CURL_SSL="nss" seems to *not* trigger this problem, while USE="nss openssl" CURL_SSL="nss" fails as above unless dev-libs/nss-pem is installed.

I assume there's some pkcs12 support provided by openssl which ends up being used, but not sure.

The curl docs which say:
>If libcurl was built with NSS support, then depending on the OS distribution, it is probably required to take some additional steps to use the system-wide CA cert db. RedHat ships with an additional module,, which enables NSS to read the OpenSSL PEM CA bundle. On openSUSE you can install p11-kit-nss-trust which makes NSS use the system wide CA certificate store.


[0] Forum post:
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-21 18:21:24 UTC
Note also that some deps like net-libs/liboauth are depending on CURL_SSL="nss" but they should be depending on USE=nss instead, as CURL_SSL just controls the default provider now.
Comment 2 Anthony Basile gentoo-dev 2021-02-08 16:20:46 UTC

*** This bug has been marked as a duplicate of bug 768912 ***