[Opendnssec-user] CRITICAL: failed to sign zone example.com: General error
Michael Grimm
trashcan at ellael.org
Wed Jan 18 22:08:40 UTC 2017
Yuri Schaeffer <yuri at nlnetlabs.nl> wrote:
> It is clear now that the signer can't sign the zone because you removed
> the signconf. And the enforcer isn't generating a signconf because it is
> stuck generating a new key.
Understood.
I do have daily backups of all files involved over the last 6 months (thanks to ZFS snapshots). I haven't tried to re-install example.com.xml yet.
[What doesn't make sense to me is: there are eight other domains involved that do not show this issue.]
> It is hard to imagine anything else than permissions to be the problem
> here. Please check if ods-signerd actually runs as root and doesn't drop
> permissions.
dns> ps aux
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 71041 0.0 0.0 53060 10416 - IsJ 22:30 0:00.06 /usr/local/sbin/ods-enforcerd
root 71050 0.0 0.0 79672 11160 - IsJ 22:30 0:00.10 /usr/local/sbin/ods-signerd -c /usr/local/etc/opendnsse
> Also share your conf.xml with us/me if you can.
dns> cat conf.xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
    <RepositoryList>
        <Repository name="SoftHSM">
            <Module>/usr/local/lib/softhsm/libsofthsm.so</Module>
            <TokenLabel>OpenDNSSEC</TokenLabel>
            <PIN>__SECRET__</PIN>
            <SkipPublicKey/>
        </Repository>
    </RepositoryList>
    <Common>
        <Logging>
            <Verbosity>5</Verbosity>
            <Syslog><Facility>local0</Facility></Syslog>
        </Logging>
        <PolicyFile>/usr/local/etc/opendnssec/kasp.xml</PolicyFile>
        <ZoneListFile>/usr/local/etc/opendnssec/zonelist.xml</ZoneListFile>
    </Common>
    <Enforcer>
        <Datastore>
            <SQLite>/usr/local/var/opendnssec/kasp.db</SQLite>
        </Datastore>
    </Enforcer>
    <Signer>
        <WorkingDirectory>/usr/local/var/opendnssec/tmp</WorkingDirectory>
        <WorkerThreads>4</WorkerThreads>
        <Listener>
            <Interface>
                <Address>10.x.x.x</Address>
                <Port>53</Port>
            </Interface>
        </Listener>
    </Signer>
</Configuration>
[IP address obscured]
dns> ls -al /usr/local/etc/opendnssec/*.xml
-rw-r--r-- 1 root wheel 1662 Dec 28 12:17 /usr/local/etc/opendnssec/addns.xml
-rw-r----- 1 root wheel 1867 Jan 18 21:17 /usr/local/etc/opendnssec/conf.xml
-rw-r--r-- 1 root wheel 5881 Apr 12 2015 /usr/local/etc/opendnssec/kasp.xml
-rw-r--r-- 1 root wheel 3541 Jan 16 18:30 /usr/local/etc/opendnssec/zonelist.xml
dns> ls -al /usr/local/var/opendnssec/
-rw-r--r-- 1 root wheel 44032 Jan 18 22:30 kasp.db
-rw-r--r-- 1 root wheel 0 Jan 18 22:44 kasp.db.our_lock
drwxr-xr-x 2 opendnssec opendnssec 10 Jan 18 22:30 signconf
drwxr-xr-x 2 opendnssec opendnssec 2 May 18 2016 signed
drwxr-xr-x 2 opendnssec opendnssec 37 Jan 18 22:19 tmp
drwxr-xr-x 2 opendnssec opendnssec 2 May 18 2016 unsigned
> Check the permissions on /etc/softhsm/softhsm.conf and the path mentioned
> in that file.
dns> ls -al /usr/local/etc/softhsm.conf
-rw-r--r-- 1 root wheel 293 Feb 3 2015 /usr/local/etc/softhsm.conf
dsn> cat /usr/local/etc/softhsm.conf
0:/usr/local/var/softhsm/slot0.db
dns> ls -al /usr/local/var/softhsm/slot0.db
-rw------- 1 root wheel 150528 Jan 18 20:26 /usr/local/var/softhsm/slot0.db
[I did change that to 666 for testing purposes, to no avail]
> It really seems like something is missing write permissions.
At first glance, I cannot see an issue here. But I will continue investigating.
> Updating OpenDNSSEC will therefore not resolve your problems. After
> fixing this issue I would encourage you to update, but not right now.
Thanks for that info. So I will solve my issue first.
Thank you very much for your help,
Michael
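The "something is missing write permissions" lead in the thread can be checked mechanically. The following is an added diagnostic script, not code from the thread or from the OpenDNSSEC project: it reads the write targets out of conf.xml and the token database out of softhsm.conf (assuming the SoftHSM v1 `slot:path` format shown above and paths without spaces) and reports which of them a given account cannot write according to the mode bits, which is what `ls -al` in the thread was being used to eyeball by hand.

```sh
#!/bin/sh
# Added example (not from the thread): find the files OpenDNSSEC and SoftHSM
# must write and test each for write access by the daemon account. Paths come
# from conf.xml and softhsm.conf; the check reads ls -ld mode bits, so it gives
# the same answer whether or not it is run as root.

# Write targets named in conf.xml (PolicyFile, ZoneListFile and Module only
# need read access, so they are not listed).
ods_write_paths() {
    sed -n -e 's/.*<SQLite>\([^<]*\)<.*/\1/p' \
           -e 's/.*<WorkingDirectory>\([^<]*\)<.*/\1/p' "$1"
    # Directory holding the SQLite database: kasp.db.our_lock is created there.
    sed -n 's|.*<SQLite>\([^<]*\)/[^<]*<.*|\1|p' "$1"
}

# Token database paths from a SoftHSM v1 softhsm.conf ("slot:path" lines).
softhsm_token_paths() {
    sed -n 's/^[0-9][0-9]*:[[:space:]]*\(.*\)$/\1/p' "$1"
}

# Return 0 if USER may write PATH by its owner/group/other mode bits, 1 if
# not, 2 if PATH is missing. Ignores ACLs and root's bypass of mode bits.
can_write() {
    user="$1"; path="$2"
    [ -e "$path" ] || return 2
    set -- $(ls -ld "$path")                    # mode links owner group ...
    mode="$1"; owner="$3"; group="$4"
    case "$mode" in ????????w*) return 0 ;; esac                      # other
    if [ "$owner" = "$user" ]; then case "$mode" in ??w*) return 0 ;; esac; fi
    for g in $(id -Gn "$user" 2>/dev/null); do
        if [ "$g" = "$group" ]; then case "$mode" in ?????w*) return 0 ;; esac; fi
    done
    return 1
}

# Audit every write target for USER; prints one line per path and returns the
# number of paths that are missing or not writable.
audit_paths() {
    user="$1"; failures=0
    for p in $(ods_write_paths "$2") $(softhsm_token_paths "$3"); do
        rc=0; can_write "$user" "$p" || rc=$?
        case $rc in
            0) echo "ok       $p" ;;
            1) echo "NO-WRITE $p"; failures=$((failures + 1)) ;;
            *) echo "MISSING  $p"; failures=$((failures + 1)) ;;
        esac
    done
    return "$failures"
}
```

Run it as `audit_paths opendnssec /usr/local/etc/opendnssec/conf.xml /usr/local/etc/softhsm.conf` (or with `root`, since the daemons here run as root) and compare the result against the process owner shown by `ps aux`.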