[Opendnssec-user] ods-signer - create_dnskey stderr: Error initializing libhsm

Matthijs Mekking matthijs at NLnetLabs.nl
Fri Nov 5 07:57:55 UTC 2010



Hi Laurent,

It appears that the create_dnskey tool failed because the call to
hsm_open failed. Sadly enough, the error message does not really tell
you why. Would it be possible for you to try out the svn branch
OpenDNSSEC-1.1 (r4170)? I made the error message more descriptive and it
will tell you which config file you have used, as well as the return
code of hsm_open. The config file should of course be the same for the
enforcer and signer.

Best regards,

Matthijs

On 11/04/2010 05:44 PM, Laurent Bauer wrote:
> Hello,
> 
> I am getting started with opendnssec (version 1.1.0) with the default setup.
> I initialized SoftHSM, configured the token label and PIN in conf.xml,
> copied a test zone file in /var/lib/opendnssec/unsigned/, added the zone
> with "ods-ksmutil zone -z demo-serveur.fr -p default", started the
> enforcer and signer daemons, and tried to sign the zone with ods-signer.
> 
> 4 keys were generated but the signer fails with "create_dnskey stderr:
> Error initializing libhsm". I could not find what the "status: 3" was
> about (see the log below), could anyone help me fix that?
> 
> Here is some info about my current setup:
> 
> # softhsm --show-slots
> Available slots:
> Slot 0
>            Token present: yes
>            Token initialized: yes
>            User PIN initialized: yes
>            Token label: Mailclub
> 
> # ods-ksmutil zone list
> zonelist filename set to /etc/opendnssec/zonelist.xml.
> Found Zone: demo-serveur.fr; on policy default
> 
> # ods-ksmutil key list --verbose
> SQLite database set to: /var/lib/opendnssec/db/kasp.db
> Keys:
> Zone:            Keytype:  State:   Date of next transition:  CKA_ID:                           Repository:  Keytag:
> demo-serveur.fr  KSK       publish  2010-11-05 05:22:05       4b4c987253a6545d36f0600d5bbebd33  SoftHSM      55243
> demo-serveur.fr  KSK       dssub    waiting for ds-seen       52bd18c3836e9c26b19673bef0d9c33d  SoftHSM      50356
> demo-serveur.fr  ZSK       active   2010-12-04 15:22:05       165c52bfcedc26fffa8d5f0a7e05f5f8  SoftHSM      28439
> demo-serveur.fr  ZSK       publish  2010-11-05 05:22:05       1c6cc30e6f05b653ddaa894014e25fed  SoftHSM      53942
> 
> And here is the syslog (the same error is repeated for all 4 keys):
> 
> ods-signerd: Run command: '/usr/lib/opendnssec/opendnssec/get_serial -f /var/lib/opendnssec/unsigned/demo-serveur.fr'
> ods-signerd: Sorting zone: demo-serveur.fr
> ods-signerd: Run command: '/usr/lib/opendnssec/opendnssec/quicksorter -o demo-serveur.fr. -f /var/lib/opendnssec/unsigned/demo-serveur.fr -w /var/lib/opendnssec/tmp/demo-serveur.fr.sorted -m 3600 -t 3600'
> ods-signerd: Done sorting
> ods-signerd: Nseccing zone: demo-serveur.fr
> ods-signerd: No information yet for key 4b4c987253a6545d36f0600d5bbebd33
> ods-signerd: Generating DNSKEY RR for 4b4c987253a6545d36f0600d5bbebd33
> ods-signerd: Run command: '/usr/lib/opendnssec/opendnssec/get_class -f /var/lib/opendnssec/tmp/demo-serveur.fr.sorted'
> ods-signerd: create_dnskey stderr: Error initializing libhsm
> ods-signerd: create_dnskey status: 3
> ods-signerd: equality: False
> ods-signerd: Error: could not find key 4b4c987253a6545d36f0600d5bbebd33
> 
> I could not find any information except "return(3)" after "hsm_open()"
> in the source code, and don't know what to check next.
> I don't understand why the enforcer was able to open the HSM (obviously
> the keys were created) but the signer was not. Do they not share the
> same conf.xml?
> 
> I am running Ubuntu 10.10 (the production server will hopefully be
> running a Debian but I don't have it yet).
> 
> Any advice is welcome.
> Thanks!
> 
> Laurent