[Opendnssec-user] CRITICAL: failed to sign zone example.com: General error

PGNet Dev pgnet.dev at gmail.com
Wed Jan 18 19:12:51 UTC 2017


On 01/18/2017 10:53 AM, Michael Grimm wrote:
> If I am not mistaken, those files in /usr/local/var/opendnssec/signconf are rebuilt after restarting opendnssec's daemons.

here, with ods2, starting with a clean tree

	tree /var/opendnssec
		/var/opendnssec
		├── [opendnssec        4096]  enforcer
		├── [opendnssec        4096]  raw
		├── [opendnssec        4096]  signconf
		├── [opendnssec        4096]  signed
		├── [opendnssec        4096]  signer
		└── [opendnssec        4096]  unsigned

after

	ods-enforcer-db-setup -f
		Database setup successfully.
	systemctl start ods-signerd
	systemctl start ods-enforcerd
	ods-enforcer policy import
		Created policy default successfully
		Created policy lab successfully
	tree /var/opendnssec
		/var/opendnssec
		├── [opendnssec        4096]  enforcer
		├── [opendnssec       98304]  kasp.db
		├── [opendnssec        4096]  raw
		├── [opendnssec        4096]  signconf
		├── [opendnssec        4096]  signed
		├── [opendnssec        4096]  signer
		└── [opendnssec        4096]  unsigned

it's the add zone step that initially populates the signconf/ dir

	ods-enforcer zone add \
	--zone example.com \
	--xml \
	--policy lab \
	--input  /usr/local/etc/opendnssec/addns.xml \
	--output /usr/local/etc/opendnssec/addns.xml \
	--in-type DNS \
	--out-type DNS

	tree /var/opendnssec
		/var/opendnssec
		├── [opendnssec        4096]  enforcer
		│   └── [opendnssec        2032]  zones.xml
		├── [opendnssec       98304]  kasp.db
		├── [opendnssec        4096]  raw
		├── [opendnssec        4096]  signconf
>>>		│   └── [opendnssec        1168]  example.com.xml
		├── [opendnssec        4096]  signed
		├── [opendnssec        4096]  signer
		...

If I

	rm -f /var/opendnssec/signconf/*
	systemctl restart ods-signerd
	systemctl restart ods-enforcerd

that's NOT sufficient to recreate the signconf/*

	tree /var/opendnssec
		/var/opendnssec
		...
		├── [opendnssec        4096]  raw
>>>		├── [opendnssec        4096]  signconf
		├── [opendnssec        4096]  signed
		├── [opendnssec        4096]  signer
		...
