[Opendnssec-user] [hsm] unable to get key

Berry van Halderen berry at nlnetlabs.nl
Sun Aug 22 20:44:38 UTC 2021


On 2021-08-22 03:11, Randy Bush via Opendnssec-user wrote:
> list shows this is an old problem.  but microsoft whack did not solve
> this time

There are several incantations of this, which have different causes but end
up as the same thing.  The Microsoft whack was a restart of the signer?
I'm looking for both cause and quick fix.  For either, can you perform a
   ods-enforcer key list -d | grep eae33574e49b6b581e348f6252fb86a5
I'm wondering whether this key is being retired.
In which case a patch fix might be to remove the signconf file for this zone;
   rm /var/opendnssec/signconf/hipster.biz.xml
and regenerate this:
   ods-enforcer signconf

\Berry


> FreeBSD rip.psg.com 12.2-RELEASE-p6 FreeBSD 12.2-RELEASE-p6 GENERIC  amd64
> opendnssec version 2.1.9
> # softhsm --version
> 1.3.8
> 
> 
> Aug 22 01:06:41 rip ods-signerd[707]: [hsm] unable to get key: key eae33574e49b6b581e348f6252fb86a5 not found
> Aug 22 01:06:41 rip ods-signerd[707]: [hsm] hsm_get_dnskey(): Got NULL key
> Aug 22 01:06:41 rip ods-signerd[707]: [hsm] unable to get key: hsm failed to create dnskey
> Aug 22 01:06:41 rip ods-signerd[707]: [zone] unable to prepare signing keys for zone hipster.biz: error getting dnskey
> Aug 22 01:06:41 rip ods-signerd[707]: [worker[1]] CRITICAL: failed to sign zone hipster.biz: General error
> 
> same for lots of zones
> 
> any other incantations folk might suggest?
> 
> randy
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
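
An added example, not part of the original messages or of OpenDNSSEC: because the report says the same error hits lots of zones, this script pulls each affected zone and missing key ID out of ods-signerd log lines in the format quoted above, so each can be checked with the `ods-enforcer key list -d` command from the reply. The second zone and key ID in the sample are constructed, the function names are hypothetical, and the pairing assumes the key and zone lines of one failure are not interleaved with another worker's.

```shell
#!/bin/sh
# Constructed sample in the syslog format quoted in this thread.
# example.test and its key ID are made up for illustration.
sample_log() {
cat <<'EOF'
Aug 22 01:06:41 rip ods-signerd[707]: [hsm] unable to get key: key eae33574e49b6b581e348f6252fb86a5 not found
Aug 22 01:06:41 rip ods-signerd[707]: [hsm] hsm_get_dnskey(): Got NULL key
Aug 22 01:06:41 rip ods-signerd[707]: [hsm] unable to get key: hsm failed to create dnskey
Aug 22 01:06:41 rip ods-signerd[707]: [zone] unable to prepare signing keys for zone hipster.biz: error getting dnskey
Aug 22 01:06:41 rip ods-signerd[707]: [worker[1]] CRITICAL: failed to sign zone hipster.biz: General error
Aug 22 01:06:42 rip ods-signerd[707]: [hsm] unable to get key: key 0123456789abcdef0123456789abcdef not found
Aug 22 01:06:42 rip ods-signerd[707]: [zone] unable to prepare signing keys for zone example.test: error getting dnskey
Aug 22 01:06:43 rip ods-signerd[707]: [hsm] unable to get key: key eae33574e49b6b581e348f6252fb86a5 not found
Aug 22 01:06:43 rip ods-signerd[707]: [zone] unable to prepare signing keys for zone hipster.biz: error getting dnskey
EOF
}

# Read signer log lines on stdin; print unique "zone keyid" pairs.
# A "key <id> not found" line is paired with the next "[zone] unable to
# prepare signing keys" line (assumption: no interleaving between workers).
missing_keys() {
  awk '
    /\[hsm\] unable to get key: key [0-9a-f]+ not found/ {
      for (i = 1; i < NF; i++)
        if ($i == "key" && $(i + 1) ~ /^[0-9a-f]+$/) id = $(i + 1)
      next
    }
    /\[zone\] unable to prepare signing keys for zone / && id != "" {
      for (i = 1; i < NF; i++)
        if ($i == "zone") { z = $(i + 1); sub(/:$/, "", z) }
      print z, id
      id = ""
    }' | sort -u
}

# $1 = optional log file; without it the constructed sample is used.
report() {
  if [ -n "${1:-}" ]; then missing_keys < "$1"; else sample_log | missing_keys; fi |
  while read -r zone id; do
    echo "zone=$zone key=$id"
    # Only query the enforcer where it is installed (command from the reply).
    if command -v ods-enforcer >/dev/null 2>&1; then
      ods-enforcer key list -d | grep "$id" || echo "  enforcer does not list $id"
    fi
  done
}

report "${1:-}"
```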

