[Opendnssec-user] CRITICAL: failed to sign zone example.com: General error
Berry A.W. van Halderen
berry at nlnetlabs.nl
Thu Jan 19 08:48:26 UTC 2017
On 01/18/2017 11:08 PM, Michael Grimm wrote:
> Yuri Schaeffer <yuri at nlnetlabs.nl> wrote:
>> It is hard to imagine anything else than permissions to be the problem
>> here. Please check if ods-signerd actually runs as root and doesn't drop
>> permissions.
>
> dns> ps aux
> USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
> root 71041 0.0 0.0 53060 10416 - IsJ 22:30 0:00.06 /usr/local/sbin/ods-enforcerd
> root 71050 0.0 0.0 79672 11160 - IsJ 22:30 0:00.10 /usr/local/sbin/ods-signerd -c /usr/local/etc/opendnsse
>
>> Also share your conf.xml with us/me if you can.
>
> dns> cat conf.xml
> <?xml version="1.0" encoding="UTF-8"?>
> <Configuration>
> <RepositoryList>
> <Repository name="SoftHSM">
> <Module>/usr/local/lib/softhsm/libsofthsm.so</Module>
> <TokenLabel>OpenDNSSEC</TokenLabel>
> <PIN>__SECRET__</PIN>
> <SkipPublicKey/>
> </Repository>
> </RepositoryList>
[deleted]
> <Enforcer>
> <Datastore>
> <SQLite>/usr/local/var/opendnssec/kasp.db</SQLite>
> </Datastore>
> </Enforcer>
That looks all very sound, and indeed the processes should also be able to
read everything. Let's also check:
ls -l /usr/local/lib/softhsm/libsofthsm.so
and in case it is a link:
ls -lL /usr/local/lib/softhsm/libsofthsm.so
> I do have daily backups of all files, involved over the last 6 month
> (thanks to ZFS snapshots). I haven't tried to re-install
> example.com.xml, yet.
> [What doesn't make sense to me is: there are eight other domains
> involved that do not show this issue.]
After that I think we have exhausted all possible access permissions.
And we are left with the puzzling question why the other domains
aren't seeing the same issue. It would mean that just the generation
of keys isn't working.
@Yuri also: could there be a change in the policy/kasp which prevents
generation of keys?
\Berry
> [IP address obscured]
>
> dns> ls -al /usr/local/etc/opendnssec/*.xml
> -rw-r--r-- 1 root wheel 1662 Dec 28 12:17 /usr/local/etc/opendnssec/addns.xml
> -rw-r----- 1 root wheel 1867 Jan 18 21:17 /usr/local/etc/opendnssec/conf.xml
> -rw-r--r-- 1 root wheel 5881 Apr 12 2015 /usr/local/etc/opendnssec/kasp.xml
> -rw-r--r-- 1 root wheel 3541 Jan 16 18:30 /usr/local/etc/opendnssec/zonelist.xml
>
> dns> ls -al /usr/local/var/opendnssec/
> -rw-r--r-- 1 root wheel 44032 Jan 18 22:30 kasp.db
> -rw-r--r-- 1 root wheel 0 Jan 18 22:44 kasp.db.our_lock
> drwxr-xr-x 2 opendnssec opendnssec 10 Jan 18 22:30 signconf
> drwxr-xr-x 2 opendnssec opendnssec 2 May 18 2016 signed
> drwxr-xr-x 2 opendnssec opendnssec 37 Jan 18 22:19 tmp
> drwxr-xr-x 2 opendnssec opendnssec 2 May 18 2016 unsigned
>
>
>> Check the permissions on /etc/softhsm/softhsm.conf and the path mentioned
>> in that file.
>
> dns> ls -al /usr/local/etc/softhsm.conf
> -rw-r--r-- 1 root wheel 293 Feb 3 2015 /usr/local/etc/softhsm.conf
>
> dsn> cat /usr/local/etc/softhsm.conf
> 0:/usr/local/var/softhsm/slot0.db
>
> dns> ls -al /usr/local/var/softhsm/slot0.db
> -rw------- 1 root wheel 150528 Jan 18 20:26 /usr/local/var/softhsm/slot0.db
>
> [I did change that to 666 for testing purposes, to no avail]
>
>
>> It really seems like something is missing write permissions.
>
> At first glance, I cannot see an issue here. But I will do continue investigating.
>
>
>> Updating OpenDNSSEC will therefore not resolve your problems. After
>> fixing this issue I would encourage you to update, but not right now.
>
> Thanks for that info. So I will solve my issue first.
>
> Thank you very much for your help,
> Michael
>
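As an added example, not part of this thread: a small shell script that carries out the permission checks discussed above (conf.xml, softhsm.conf, the SoftHSM module with symlinks followed as `ls -lL` does, and the token database, which SoftHSM also writes to) from whichever user runs it, so it should be run as the uid ods-signerd runs as. The paths in the invocation comment are the ones quoted in the thread; `ods_check_access.sh` is a hypothetical file name.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the files ods-signerd needs
# exist and are accessible to the current user, following symlinks.

# check_access FILE MODE: MODE is "r" (read) or "rw" (read and write).
# Resolves symlinks first; returns 0 if the current user has that access.
check_access() {
    file=$1; mode=$2
    # readlink -f (GNU and FreeBSD) follows the chain; a dangling link may
    # still print a target, so existence is checked separately.
    target=$(readlink -f "$file" 2>/dev/null) || target=""
    if [ -z "$target" ] || [ ! -e "$target" ]; then
        echo "MISSING  $file (absent or dangling symlink)"; return 1
    fi
    if [ ! -r "$target" ]; then
        echo "NOREAD   $file -> $target"; return 1
    fi
    if [ "$mode" = rw ] && [ ! -w "$target" ]; then
        echo "NOWRITE  $file -> $target"; return 1
    fi
    echo "OK       $file -> $target ($(ls -ld "$target" | cut -d' ' -f1))"
}

# softhsm_token_dbs CONF: print the token database paths from a SoftHSM v1
# config, whose entries look like "0:/usr/local/var/softhsm/slot0.db".
softhsm_token_dbs() {
    sed -n 's/^[0-9][0-9]*:[[:space:]]*//p' "$1"
}

# ods_permission_report CONF_XML SOFTHSM_CONF MODULE: check each file in turn.
# The token databases need rw because SoftHSM updates them when keys are made.
ods_permission_report() {
    rc=0
    check_access "$1" r || rc=1
    check_access "$2" r || rc=1
    check_access "$3" r || rc=1
    for db in $(softhsm_token_dbs "$2"); do
        check_access "$db" rw || rc=1
    done
    return $rc
}

# Invocation with the paths from the thread (adjust to your installation):
#   sh ods_check_access.sh /usr/local/etc/opendnssec/conf.xml \
#      /usr/local/etc/softhsm.conf /usr/local/lib/softhsm/libsofthsm.so
if [ $# -eq 3 ]; then ods_permission_report "$1" "$2" "$3"; fi
```

A non-zero exit means at least one file is missing or not accessible to the user running the script; the report lines name which one.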