[Opendnssec-user] ods-signer - create_dnskey stderr: Error initializing libhsm
Matthijs Mekking
matthijs at NLnetLabs.nl
Fri Nov 5 07:57:55 UTC 2010
Hi Laurent,

It appears that the create_dnskey tool failed because the call to
hsm_open failed. Sadly enough, the error message does not really tell
you why. Would it be possible for you to try out the svn branch
OpenDNSSEC-1.1 (r4170)? I made the error message more descriptive and it
will tell you which config file you have used, as well as the return
code of hsm_open. The config file should of course be the same for the
enforcer and signer.

Best regards,
Matthijs

On 11/04/2010 05:44 PM, Laurent Bauer wrote:
> Hello,
>
> I am getting started with opendnssec (version 1.1.0) with the default setup.
> I initialized SoftHSM, configured the token label and PIN in conf.xml,
> copied a test zone file in /var/lib/opendnssec/unsigned/, added the zone
> with "ods-ksmutil zone -z demo-serveur.fr -p default", started the
> enforcer and signer daemons, and tried to sign the zone with ods-signer.
>
> 4 keys were generated but the signer fails with "create_dnskey stderr:
> Error initializing libhsm". I could not find what the "status: 3" was
> about (see the log below), could anyone help me fix that?
>
> Here is some info about my current setup:
>
> # softhsm --show-slots
> Available slots:
> Slot 0
> Token present: yes
> Token initialized: yes
> User PIN initialized: yes
> Token label: Mailclub
>
> # ods-ksmutil zone list
> zonelist filename set to /etc/opendnssec/zonelist.xml.
> Found Zone: demo-serveur.fr; on policy default
>
> # ods-ksmutil key list --verbose
> SQLite database set to: /var/lib/opendnssec/db/kasp.db
> Keys:
> Zone:            Keytype:  State:   Date of next transition:  CKA_ID:                           Repository:  Keytag:
> demo-serveur.fr  KSK       publish  2010-11-05 05:22:05       4b4c987253a6545d36f0600d5bbebd33  SoftHSM      55243
> demo-serveur.fr  KSK       dssub    waiting for ds-seen       52bd18c3836e9c26b19673bef0d9c33d  SoftHSM      50356
> demo-serveur.fr  ZSK       active   2010-12-04 15:22:05       165c52bfcedc26fffa8d5f0a7e05f5f8  SoftHSM      28439
> demo-serveur.fr  ZSK       publish  2010-11-05 05:22:05       1c6cc30e6f05b653ddaa894014e25fed  SoftHSM      53942
>
> And here is the syslog (same error repeated with all 4 keys):
>
> ods-signerd: Run command: '/usr/lib/opendnssec/opendnssec/get_serial -f /var/lib/opendnssec/unsigned/demo-serveur.fr'
> ods-signerd: Sorting zone: demo-serveur.fr
> ods-signerd: Run command: '/usr/lib/opendnssec/opendnssec/quicksorter -o demo-serveur.fr. -f /var/lib/opendnssec/unsigned/demo-serveur.fr -w /var/lib/opendnssec/tmp/demo-serveur.fr.sorted -m 3600 -t 3600'
> ods-signerd: Done sorting
> ods-signerd: Nseccing zone: demo-serveur.fr
> ods-signerd: No information yet for key 4b4c987253a6545d36f0600d5bbebd33
> ods-signerd: Generating DNSKEY RR for 4b4c987253a6545d36f0600d5bbebd33
> ods-signerd: Run command: '/usr/lib/opendnssec/opendnssec/get_class -f /var/lib/opendnssec/tmp/demo-serveur.fr.sorted'
> ods-signerd: create_dnskey stderr: Error initializing libhsm
> ods-signerd: create_dnskey status: 3
> ods-signerd: equality: False
> ods-signerd: Error: could not find key 4b4c987253a6545d36f0600d5bbebd33
>
> I could not find any information except "return(3)" after "hsm_open()"
> in the source code, and don't know what to check next.
> I don't understand why the enforcer was able to open the hsm (obviously
> the keys were created) but the signer was not. Do they not share the
> same conf.xml?
>
> I am running Ubuntu 10.10 (the production server will hopefully be
> running a Debian but I don't have it yet).
>
> Any advice is welcome.
> Thanks!
>
> Laurent