[Opendnssec-user] CRITICAL: failed to sign zone example.com: General error

Berry A.W. van Halderen berry at nlnetlabs.nl
Wed Jan 18 23:27:46 UTC 2017


On 01/18/2017 10:12 PM, Yuri Schaeffer wrote:
> Please note that Michael is running 1.4 which has an entirely different
> enforcer than 2.0. It is clear now that the signer can't sign the zone
> because you removed the signconf. And the enforcer isn't generating a
> signconf because it is stuck generating a new key.
>
> It is hard to imagine anything else than permissions to be the problem
> here. Please check if ods-signerd actually runs as root and doesn't drop
> permissions. Also share your conf.xml with us/me if you can. Check the
> permissions on /etc/softhsm/softhsm.conf and the path mentioned in that
> file. It really seems like something is missing write permissions.
>
> Updating OpenDNSSEC will therefore not resolve your problems. After
> fixing this issue I would encourage you to update, but not right now.
>

To chip in, Yuri indicates there might be a section:
  <Enforcer>
    ...
    <Privileges>
      <User>...</User>
      <Group>...</Group>

The Privileges section is optional, as are both the User and Group sections.
Also the <Signer> has such a section.  If you have such a section,
then the enforcer requires write permissions on the file mentioned
earlier:

> -rw-------  1 root  wheel  uarch 150528 Jan  4 03:01 /usr/local/var/softhsm/slot0.db

This file isn't accessed by OpenDNSSEC directly, but by the SoftHSM
library, which isn't subject to the verbosity setting, and its logging
might be somewhere else.

Based on an earlier response, this could very well be set, as earlier
there was a file generated with group id opendnssec:

> -rw-r--r-- root/opendnssec     990 2017-01-06 21:02 opendnssec/signconf/example.com.xml

Though that one only had the group set differently.

It is perfectly possible to run OpenDNSSEC as a different user or
drop permissions, but it needs write/read permissions to several
files.

\Berry
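As an added illustration of the check Yuri and Berry describe (this is editor-added example code, not from the thread or from OpenDNSSEC): it reads the <Privileges> User/Group from conf.xml, resolves them to a uid and group set, and tests whether each daemon can still reach the files named in the thread after dropping privileges. The conf.xml fragment, the signconf path under /usr/local/var/opendnssec, the uid/gid 1001 and the FAKE_STAT table are all assumptions constructed so the script runs offline; on a live host drop the `statfn`/`resolve` overrides so it uses os.stat and the real passwd/group database.

```python
import os, pwd, grp
import xml.etree.ElementTree as ET
from types import SimpleNamespace
# Constructed sample conf.xml fragment (hypothetical, not a real deployment).
SAMPLE_CONF = """<Configuration>
  <Enforcer><Privileges><User>opendnssec</User><Group>opendnssec</Group></Privileges></Enforcer>
  <Signer><Privileges><User>opendnssec</User><Group>opendnssec</Group></Privileges></Signer>
</Configuration>"""
# Accesses the thread says must work after the privilege drop; True = needs write.
# The signconf directory under /usr/local/var/opendnssec is an assumed path.
NEEDS = [("Enforcer", "/usr/local/var/softhsm/slot0.db", True),
         ("Enforcer", "/usr/local/var/opendnssec/signconf/example.com.xml", True),
         ("Signer", "/usr/local/var/opendnssec/signconf/example.com.xml", False)]

def parse_privileges(conf_text):
    """{daemon: (user, group)}; (None, None) means no <Privileges>, i.e. stays root."""
    root = ET.fromstring(conf_text)
    nodes = {d: root.find(f"{d}/Privileges") for d in ("Enforcer", "Signer")}
    return {d: (n.findtext("User"), n.findtext("Group")) if n is not None else (None, None)
            for d, n in nodes.items()}

def can_access(st_mode, st_uid, st_gid, uid, gids, write):
    """Unix DAC: owner bits if uid matches, else group bits, else other; root bypasses."""
    shift = 6 if uid == st_uid else 3 if st_gid in gids else 0
    return uid == 0 or bool(st_mode & ((0o2 if write else 0o4) << shift))

def resolve_ids(user, group):
    """Map <User>/<Group> to (uid, {gids}) using the local passwd/group database."""
    if user is None:
        return 0, {0}
    pw = pwd.getpwnam(user)
    gids = {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    gids.add(grp.getgrnam(group).gr_gid if group else pw.pw_gid)
    return pw.pw_uid, gids

def audit(conf_text, needs=NEEDS, statfn=os.stat, resolve=resolve_ids):
    """Return {(daemon, path): ok}; inject statfn/resolve to audit offline."""
    privs = parse_privileges(conf_text)
    report = {}
    for daemon, path, write in needs:
        uid, gids = resolve(*privs[daemon])
        st = statfn(path)
        report[(daemon, path)] = can_access(st.st_mode, st.st_uid, st.st_gid, uid, gids, write)
    return report
# Constructed stat results mirroring the listings quoted in the thread (slot0.db is
# root:wheel 0600, the signconf is root:opendnssec 0644); uid/gid 1001 is assumed.
FAKE_STAT = {"/usr/local/var/softhsm/slot0.db": SimpleNamespace(st_mode=0o100600, st_uid=0, st_gid=0),
             "/usr/local/var/opendnssec/signconf/example.com.xml": SimpleNamespace(st_mode=0o100644, st_uid=0, st_gid=1001)}
FAKE_RESOLVE = lambda user, group: (0, {0}) if user is None else (1001, {1001})
if __name__ == "__main__":
    for (daemon, path), ok in audit(SAMPLE_CONF, statfn=FAKE_STAT.__getitem__, resolve=FAKE_RESOLVE).items():
        print(f"{'ok  ' if ok else 'FAIL'} {daemon:<8} {path}")
```

With the quoted modes, both Enforcer accesses fail and only the Signer's read of the signconf succeeds, which matches the symptom in the thread: the enforcer cannot touch the token database, so no new key and no new signconf.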

