Keygen for Secure Boot setup not working

So I’m currently trying to install the proprietary nvidia drivers with this guide and thus first set up Secure Boot with this guide. But I’m already failing at the very first step - generating the key pair.

daniel@turtle:~$ sudo kmodgenca -a
WARNING: AUTOMATIC BUILD SELECTED. USING DEFAULT VALUES FOR CA/KEY PAIR CREATION.
INFO: CHECKING FOR ELEVATED PRIVILEGES...
INFO: CHECKING FOR AN EXISTING KEY PAIR...
INFO: UPDATING CACERT CONFIGURATION FILE AT '/etc/pki/akmods/cacert.config'...
INFO: CREATING NEW KEY PAIR...
-----
Error making certificate request
C002395DDD7F0000:error:06800098:asn1 encoding routines:ASN1_mbstring_ncopy:string too short:crypto/asn1/a_mbstr.c:100:minsize=2
ERROR: KEY PAIR CREATION FAILED!
The OpenSSL key pair generation command did not complete successfully.
Quitting.

Does anyone have an idea how to fix this?

You might redo and check if the strings are correct (copying all necessary characters)

What exactly do you mean by redo? I already tried to run this command a couple of times if that’s what you mean. Still, the error doesn’t change.

This didn’t change anything, unfortunately.

You can collect a detailed log like this:

sudo sh -x kmodgenca -a -f &> kmodgenca.log

Then upload it to pastebin.com and post the link here.

Alright, here it is.

The log shows that countryName in the OpenSSL config is empty.

I wonder if that’s the problem, since other problems reported online suggest that this needs to be exactly 2 characters long. For example: OpenSSL Config error when generating self-signed certificate string too long - Stack Overflow (shows the error when countryName is too long)

The log (and the code of the kmodgenca script) suggest that the country name comes from calling locale country_ab2. If that gives an empty string, that would explain the problem you’re seeing.

Now when I myself execute locale country_ab2 on my Fedora system, I get an empty string. When I do it on one of my other systems, I get a valid country code. (This hasn’t actually caused me problems in Fedora, but I don’t use Secure Boot.) The difference between the two systems is that on my Fedora system, I’ve messed around a bit with my locale (for example I don’t use the normal date/time format for my location).

So I wonder if such “hybrid” locales cause locale country_ab2 to be empty and therefore cause this issue?

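A pre-flight check for the cause identified in the post above, added here as an example (it is not part of any post and not taken from kmodgenca): it validates the output of locale country_ab2 and the country field of an OpenSSL request config before key generation is attempted. The key names C/countryName and the sample config are assumptions, since the contents of /etc/pki/akmods/cacert.config are not shown in the thread.

```shell
#!/bin/sh
# Added example (not from kmodgenca): check the country code before key generation.

# valid_country_code VALUE: succeeds only for exactly two letters, the length
# OpenSSL enforces for countryName (the error above reports minsize=2).
valid_country_code() {
    case "$1" in
        [A-Za-z][A-Za-z]) return 0 ;;
        *) return 1 ;;
    esac
}

# check_locale: country_ab2 is a keyword of glibc's LC_ADDRESS category, so
# print the settings that decide it when the value is unusable.
check_locale() {
    c=$(locale country_ab2 2>/dev/null)
    valid_country_code "$c" && return 0
    echo "locale country_ab2 returned '$c'; relevant settings:"
    locale | grep -E '^(LANG|LC_ALL|LC_ADDRESS)='
    return 1
}

# config_country FILE: print the first C= / countryName= value in an OpenSSL
# request config (key names are an assumption about the file's layout).
config_country() {
    awk -F= '/^[ \t]*(countryName|C)[ \t]*=/ {
        v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }' "$1"
}

# check_config FILE: fail if that value would trigger "string too short".
check_config() {
    c=$(config_country "$1")
    if valid_country_code "$c"; then
        echo "OK: countryName='$c'"
    else
        echo "BAD: countryName='$c' in $1 (must be exactly 2 letters)"
        return 1
    fi
}

# Constructed sample config with the empty country field described in the thread.
sample_cfg() {
    printf '%s\n' '[ req_distinguished_name ]' 'O = example' 'C =' 'CN = example-key'
}

# Demo on the constructed sample; on a real system run:
#   check_locale; check_config /etc/pki/akmods/cacert.config
demo=$(mktemp) && sample_cfg > "$demo" && check_config "$demo"
rm -f "$demo"
```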

Well, it has been some time but I just reset my region settings, logged out and in again and it actually fixed the error. Really interesting, thanks!
