[Opendnssec-user] Puzzled with error messages
PASZTOR Miklos
pasztor at iszt.hu
Wed Apr 8 07:35:52 UTC 2020
On 20-04-07 11:19, Berry A.W. van Halderen via Opendnssec-user wrote:
>On 4/7/20 10:47 AM, PASZTOR Miklos via Opendnssec-user wrote:
>> I am using OpenDNSSEC 2.1.3 with debian buster.
>>
>> There are some error messages, which I really do not understand. The following
>> two types of message sequences appear frequently:
>>
>> 1.
>> Mar 31 12:33:16 node ods-signerd[20149]: [hsm] unable to get key: key 8af4eb7fc6fd24ab45f87a1e485f00e1 not found
>> Mar 31 12:33:16 node ods-signerd[20149]: [hsm] error signing rrset with libhsm
>> Mar 31 12:33:16 node ods-signerd[20149]: [rrset] unable to sign RRset[2]: lhsm_sign() failed
>> Mar 31 12:33:16 node ods-signerd[20149]: [worker[3]] sign zone example.hu failed: 3 RRsets failed
>> Mar 31 12:33:16 node ods-signerd[20149]: [worker[3]] CRITICAL: failed to sign zone example.hu: General error
>>
>> The key in question is in softhsm, and is visible with 'ods-hsmutil list'. When
>> this happens the zone is not signed. However, after a minute the signer retries
>> the operation, apparently finds the key, and signs the zone with success.
>>
>> 2.
>> Mar 31 14:36:09 node ods-signerd[20149]: [worker[1]] CRITICAL: failed to
>> sign zone example.hu: All OK
>>
>> It seems that besides these error messages zones are signed properly.
>>
>> Could someone please explain?
>> TIA.
>
>Most of the time, this is due to permission problems. You might see
>the key with ods-hsmutil, however you might run this command as a
>different user (e.g. root), while OpenDNSSEC is running as a separate
>user (either started by a different user, or a User and/or Group is
>specified in the configuration to run as). This typically leads to not being
>able to find the key. OpenDNSSEC cannot see the permission set of the
>files.
Thanks for responding.
Do you think that message #2 (CRITICAL: failed to sign...: All OK) is also due
to permission problems?
I double-checked the permissions under /var/lib/softhsm and
/var/lib/opendnssec, and found that the owner of the files is the same user
which runs the opendnssec processes.
Besides, if the permissions were wrong, how would opendnssec find the key after
a minute on the second run?
So I am still puzzled by these messages.
Cheers,
Miklós
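The check Berry describes (does the user the signer runs as actually own the SoftHSM token files?) can be scripted. The following is an added example, not code from the thread or from the OpenDNSSEC project; it assumes the token directory is /var/lib/softhsm/tokens, that the run-as user is given in the `<Privileges><User>` element of conf.xml, and it uses a constructed conf.xml when run stand-alone.

```sh
#!/bin/sh
# Added example (not from the thread): verify that the OpenDNSSEC service
# user owns every SoftHSM token file, which is the usual cause of
# "[hsm] unable to get key ... not found" when ods-hsmutil (run as root)
# still lists the key.
# Assumptions: token dir /var/lib/softhsm/tokens, run-as user taken from
# <Privileges><User> in /etc/opendnssec/conf.xml.

# Print the first <User> element value from a conf.xml-style file; empty if none.
conf_user() {
    sed -n 's/.*<User>\([^<]*\)<\/User>.*/\1/p' "$1" | head -n 1
}

# List files under $1 that are not owned by user $2.
# Returns 0 when every file is owned by $2, 1 when some are not,
# and 2 when $2 is not a known user on this host.
hsm_files_not_owned_by() {
    dir=$1
    user=$2
    id "$user" >/dev/null 2>&1 || return 2
    bad=$(find "$dir" ! -user "$user")
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Stand-alone demo on a constructed conf.xml and an empty token directory.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/conf.xml" <<'EOF'
<Configuration>
  <Signer>
    <Privileges>
      <User>opendnssec</User>
      <Group>opendnssec</Group>
    </Privileges>
  </Signer>
</Configuration>
EOF
    : > "$tmp/token.object"
    user=$(conf_user "$tmp/conf.xml")
    echo "configured signer user: ${user:-<none>}"
    rc=0
    hsm_files_not_owned_by "$tmp" "$user" || rc=$?
    case $rc in
        0) echo "all token files under $tmp are owned by $user" ;;
        1) echo "files listed above are not owned by $user" ;;
        2) echo "user '$user' does not exist on this host" ;;
    esac
    rm -rf "$tmp"
}

demo
```

On a real host, replace the constructed paths with /etc/opendnssec/conf.xml and /var/lib/softhsm/tokens; a non-empty listing from `hsm_files_not_owned_by` is the mismatch Berry's reply points at, and a `2` return means the configured user does not exist at all.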