[Opendnssec-user] CRITICAL: failed to sign zone example.com: General error
Yuri Schaeffer
yuri at nlnetlabs.nl
Wed Jan 18 21:12:21 UTC 2017
Please note that Michael is running 1.4, which has an entirely different
enforcer than 2.0. It is clear now that the signer can't sign the zone
because you removed the signconf. And the enforcer isn't generating a
signconf because it is stuck generating a new key.

It is hard to imagine anything other than permissions being the problem
here. Please check if ods-signerd actually runs as root and doesn't drop
permissions. Also share your conf.xml with us/me if you can. Check the
permissions on /etc/softhsm/softhsm.conf and the path mentioned in that
file. It really seems like something is missing write permissions.

Updating OpenDNSSEC will therefore not resolve your problems. After
fixing this issue I would encourage you to update, but not right now.

//Yuri
On 18-01-17 20:12, PGNet Dev wrote:
> On 01/18/2017 10:53 AM, Michael Grimm wrote:
>> If I am not mistaken, those files in /usr/local/var/opendnssec/signconf are rebuilt after restarting opendnssec's daemons.
>
> here, with ods2, starting with a clean tree
>
> tree /var/opendnssec
> /var/opendnssec
> ├── [opendnssec 4096] enforcer
> ├── [opendnssec 4096] raw
> ├── [opendnssec 4096] signconf
> ├── [opendnssec 4096] signed
> ├── [opendnssec 4096] signer
> └── [opendnssec 4096] unsigned
>
> after
>
> ods-enforcer-db-setup -f
> Database setup successfully.
> systemctl start ods-signerd
> systemctl start ods-enforcerd
> ods-enforcer policy import
> Created policy default successfully
> Created policy lab successfully
> tree /var/opendnssec
> /var/opendnssec
> ├── [opendnssec 4096] enforcer
> ├── [opendnssec 98304] kasp.db
> ├── [opendnssec 4096] raw
> ├── [opendnssec 4096] signconf
> ├── [opendnssec 4096] signed
> ├── [opendnssec 4096] signer
> └── [opendnssec 4096] unsigned
>
> it's the add zone step that initially populates the signconf/ dir
>
> ods-enforcer zone add \
> --zone example.com \
> --xml \
> --policy lab \
> --input /usr/local/etc/opendnssec/addns.xml \
> --output /usr/local/etc/opendnssec/addns.xml \
> --in-type DNS \
> --out-type DNS
>
> tree /var/opendnssec
> /var/opendnssec
> ├── [opendnssec 4096] enforcer
> │ └── [opendnssec 2032] zones.xml
> ├── [opendnssec 98304] kasp.db
> ├── [opendnssec 4096] raw
> ├── [opendnssec 4096] signconf
> >>> │ └── [opendnssec 1168] example.com.xml
> ├── [opendnssec 4096] signed
> ├── [opendnssec 4096] signer
> ...
>
> If I
>
> rm -f /var/opendnssec/signconf/*
> systemctl restart ods-signerd
> systemctl restart ods-enforcerd
>
> that's NOT sufficient to recreate the signconf/*
>
> tree /var/opendnssec
> /var/opendnssec
> ...
> ├── [opendnssec 4096] raw
> >>> ├── [opendnssec 4096] signconf
> ├── [opendnssec 4096] signed
> ├── [opendnssec 4096] signer
> ...
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>
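A small diagnostic for the permission checks Yuri lists above, added here as an example; it is not code from the thread or from OpenDNSSEC. The softhsm.conf location, the /var/opendnssec layout and the two SoftHSM line formats it parses are assumptions, so adjust them to your install.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): tests the write-permission hypothesis
# Yuri raises for an OpenDNSSEC 1.4 + SoftHSM host. Defaults are assumptions;
# override them via the environment. Run it as the daemon user for a real answer:
#   sudo -u opendnssec sh ods-perm-check.sh --run
SOFTHSM_CONF="${SOFTHSM_CONF:-/etc/softhsm/softhsm.conf}"
ODS_VAR="${ODS_VAR:-/var/opendnssec}"
ODS_DIRS="${ODS_DIRS:-signconf signed signer tmp}"   # 1.4 working dirs (assumed)

# User that ods-signerd is running as, or empty if it is not running.
signer_user() {
    ps -eo user=,comm= 2>/dev/null | awk '$2 == "ods-signerd" { print $1; exit }'
}

# Token paths named in softhsm.conf, one per line.
# SoftHSM v1: "0:/var/lib/softhsm/slot0.db"   (one db file per slot)
# SoftHSM v2: "directories.tokendir = /var/lib/softhsm/tokens/"
softhsm_paths() {
    sed 's/#.*//' "$1" | awk -F'[:=]' '
        /^[[:space:]]*[0-9]+[[:space:]]*:/                 { p = $2 }
        /^[[:space:]]*directories\.tokendir[[:space:]]*=/  { p = $2 }
        p != "" { gsub(/^[[:space:]]+|[[:space:]]+$/, "", p); print p; p = "" }'
}

# check_access r|w PATH: 0 if PATH exists and the current user has that access.
check_access() {
    if [ ! -e "$2" ]; then printf 'MISSING  %s\n' "$2"; return 1; fi
    if [ "-$1" "$2" ]; then printf 'OK(%s)    %s\n' "$1" "$2"; return 0; fi
    printf 'NO-%s     %s\n' "$1" "$2"; return 1
}

# Everything the enforcer/signer must reach: the HSM config (read), the token
# store and, for a v1 slot file, its directory (write), and the ODS work dirs.
run_checks() {
    rc=0
    printf 'ods-signerd runs as: %s\n' "$(signer_user)"
    check_access r "$SOFTHSM_CONF" || rc=1
    for p in $(softhsm_paths "$SOFTHSM_CONF" 2>/dev/null); do   # paths w/o spaces assumed
        check_access w "$p" || rc=1
        if [ -f "$p" ]; then check_access w "$(dirname "$p")" || rc=1; fi
    done
    for d in $ODS_DIRS; do check_access w "$ODS_VAR/$d" || rc=1; done
    return $rc
}

if [ "${1:-}" = --run ]; then run_checks; fi
```

Any MISSING or NO-w line names a path the daemon user cannot create or update, which is exactly where a stuck key generation or an absent signconf would come from.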