[Opendnssec-user] Puzzled with error messages

Berry A.W. van Halderen berry at nlnetlabs.nl
Tue Apr 7 09:19:27 UTC 2020


On 4/7/20 10:47 AM, PASZTOR Miklos via Opendnssec-user wrote:
> I am using OpenDNSSEC 2.1.3 with debian buster.
> 
> There are some error messages, which I really do not understand. The
> following two types of message sequences appear frequently:
> 
> 1.
> Mar 31 12:33:16 node ods-signerd[20149]: [hsm] unable to get key: key 8af4eb7fc6fd24ab45f87a1e485f00e1 not found
> Mar 31 12:33:16 node ods-signerd[20149]: [hsm] error signing rrset with libhsm
> Mar 31 12:33:16 node ods-signerd[20149]: [rrset] unable to sign RRset[2]: lhsm_sign() failed
> Mar 31 12:33:16 node ods-signerd[20149]: [worker[3]] sign zone example.hu failed: 3 RRsets failed
> Mar 31 12:33:16 node ods-signerd[20149]: [worker[3]] CRITICAL: failed to sign zone example.hu: General error
> 
> The key in question is in softhsm, and is visible with 'ods-hsmutil
> list'.  When this happens the zone is not signed. However after a minute
> the signer retries the operation, apparently finds the key, and signs
> the zone with success.
> 
> 2.
> Mar 31 14:36:09 node ods-signerd[20149]: [worker[1]] CRITICAL: failed to sign zone example.hu: All OK
> 
> It seems that besides these error messages zones are signed properly.
> 
> Could someone please explain?
> TIA.

Most of the time, this is due to permission problems.  You might see
the key with ods-hsmutil, however you might run this command as a
different user (e.g. root), while OpenDNSSEC is running as a separate
user (either started by a different user or in the configuration a User
and/or Group is specified to run as).  This typically leads to not being
able to find the key.  OpenDNSSEC cannot see the permission set of the
files.

\Berry
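
The permission mismatch described in the reply can be checked directly; the sketch below is an added example, not part of the original thread and not OpenDNSSEC's own code. It reads the User/Group that conf.xml tells the daemons to run as and lists the SoftHSM token files those credentials cannot read; the default paths `/etc/opendnssec/conf.xml` and `/var/lib/softhsm/tokens` are assumptions for a Debian install, and only plain mode bits are evaluated (no ACLs).

```python
import grp, os, pwd, stat, sys
import xml.etree.ElementTree as ET

# Constructed sample: only the Privileges elements of an OpenDNSSEC conf.xml.
SAMPLE_CONF = """<Configuration>
 <Enforcer><Privileges><User>opendnssec</User><Group>opendnssec</Group></Privileges></Enforcer>
 <Signer><Privileges><User>opendnssec</User><Group>opendnssec</Group></Privileges></Signer>
</Configuration>"""

def configured_privileges(conf_xml):
    """Map each daemon that drops privileges to its (User, Group) setting."""
    root = ET.fromstring(conf_xml)
    found = {}
    for daemon in ("Enforcer", "Signer"):
        priv = root.find(f"{daemon}/Privileges")
        if priv is not None:
            found[daemon] = (priv.findtext("User"), priv.findtext("Group"))
    return found

def accessible(st, uid, gids):
    """Owner/group/other mode-bit check; ACLs and root's override are ignored."""
    need = 0o5 if stat.S_ISDIR(st.st_mode) else 0o4  # r-x for dirs, r-- for files
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return ((st.st_mode >> shift) & need) == need

def unreadable_paths(token_dir, uid, gids):
    """Run as root: list entries under token_dir that uid/gids cannot read."""
    bad = []
    for dirpath, _dirs, files in os.walk(token_dir):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            if not accessible(os.stat(path), uid, gids):
                bad.append(path)
    return sorted(bad)

if __name__ == "__main__":
    # Assumed Debian default locations; pass your own as arguments.
    conf = sys.argv[1] if len(sys.argv) > 1 else "/etc/opendnssec/conf.xml"
    tokens = sys.argv[2] if len(sys.argv) > 2 else "/var/lib/softhsm/tokens"
    with open(conf) as fh:
        privs = configured_privileges(fh.read())
    for daemon, (user, group) in privs.items():
        if not user:
            continue  # no User set: the daemon keeps the uid it was started with
        pw = pwd.getpwnam(user)
        gids = set(os.getgrouplist(user, pw.pw_gid))
        if group:
            gids.add(grp.getgrnam(group).gr_gid)
        for path in unreadable_paths(tokens, pw.pw_uid, gids):
            print(f"{daemon} ({user}) cannot read {path}")
```

Parent directories above the token directory are not checked, so a restrictive mode higher up the path can still hide the tokens from the daemon user.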

