[Opendnssec-user] softhsm unable to get key

Ton Amsterdam ton.amsterdam.nl at gmail.com
Thu Jun 24 08:37:19 UTC 2021


ODS 2.1.9 SoftHSM 2.6.1, MySQL backend.



Jun 22 09:03:11 signer1 ods-enforcerd[1523461]: [enforcer] removeDeadKeys
deleting key: 1b3a7b2082eb554cea378955dbe4af6a
Jun 22 09:03:11 signer1 ods-enforcerd[1523461]:
[hsm_key_factory_delete_key] looking for keys to purge from HSM
Jun 22 09:03:11 signer1 ods-enforcerd[1523461]: [hsm_key_factory_get_key]
removing key 1b3a7b2082eb554cea378955dbe4af6a from HSM
Jun 22 09:03:11 signer1 ods-enforcerd[1523461]: [enforcer] removeDeadKeys:
keys deleted from HSM: 1
Jun 22 09:03:11 signer1 ods-enforcerd[1523461]: [enforcer] update:
key_data_update() failed


Seeing this regularly - for different keys. But only once per key.

On Wed, May 26, 2021 at 5:23 PM Berry van Halderen via Opendnssec-user <
opendnssec-user at lists.opendnssec.org> wrote:

> On 2021-05-26 17:15, Roman Serbski via Opendnssec-user wrote:
> > On Fri, May 7, 2021 at 5:14 PM Randy Bush via Opendnssec-user
> > <opendnssec-user at lists.opendnssec.org> wrote:
> >>
> >> > OpenDNSSEC 2.1.9 is out, which solves this issue I think.
> >>
> >> the kindness of dr akkerhuis allowed me to install on a binary-only
> >> freebsd.
> >>
> >> i am not positive that 2.1.9 fixed the problem; but it definitely
> >> suppressed the error messages :)
> >
> > Hello,
> >
> > I'm not 100% sure it's the same issue, but I start getting the similar
> > errors with OpenDNSSEC 2.1.9 under FreeBSD 12.2-RELEASE-p2 r369009.
> >
> > Some days ago, I removed one zone using the command:
> >
> > ods-enforcer zone delete --zone domain.org
> >
> > And yesterday I started receiving:
>
> Related, but not the same issue, and not really in OpenDNSSEC but with
> SoftHSM.
> The start/stop should have fixed it, but an ods-signer update --all should
> also have done the trick.  I'm afraid this will turn out to be a concurrency
> issue that will be hard to pick up in SoftHSM.
> If anyone else sees this message I would like to know because I think it will
> be very rare.
>
> \Berry
>
> > May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: File.cpp(94): Could not
> > open the file (No such file or directory):
> >
> /var/lib/softhsm/tokens//3eab29c6-3b3f-fcf9-4aed-ff695aef81b0/63f07aa8-56e9-3639-4ebd-41692cb2a208.object
> > May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [hsm] sign init:
> > CKR_OBJECT_HANDLE_INVALID
> > May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [hsm] error signing
> > rrset with libhsm
> > May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [rrset] unable to sign
> > RRset[6]: lhsm_sign() failed
> > May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [worker[2]] sign zone
> > domain.org failed: 1 RRsets failed
> > May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [worker[2]] CRITICAL:
> > failed to sign zone domain.org: General error
> > May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: back-off task [sign] for
> > zone domain.org with 60 seconds
> >
> > I also noticed errors while purging expired ZSKs for other domains, for
> > example:
> >
> > May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforcer] update
> > zone: domain2.org
> > May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforcer]
> > removeDeadKeys deleting key: 37abe5998879aceefea122b69ca98751
> > May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]:
> > [hsm_key_factory_delete_key] looking for keys to purge from HSM
> > May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]:
> > [hsm_key_factory_get_key] removing key
> > 37abe5998879aceefea122b69ca98751 from HSM
> > May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]:
> > [hsm_key_factory_get_key] removing key
> > be586f8af9ec83163ffe73c66a21f319 from HSM
> > May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]:
> > [hsm_key_factory_get_key] removing key
> > 78586dbbaab0ebf9ddd01b0fb4cbd83f from HSM
> > May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforcer]
> > removeDeadKeys: keys deleted from HSM: 3
> > May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforcer] update:
> > key_data_update() failed
> > May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforce_task] No
> > changes to signconf file required for zone domain2.org
> >
> > /usr/local/etc/rc.d/opendnssec stop/start seems to suppress the error.
> >
> > Thanks.
> > _______________________________________________
> > Opendnssec-user mailing list
> > Opendnssec-user at lists.opendnssec.org
> > https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>
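Added example, not part of the original thread and not OpenDNSSEC or SoftHSM code: a Python check that scans syslog text for the two signatures quoted in this thread, an enforcer key purge followed by `key_data_update() failed`, and a signer `CKR_OBJECT_HANDLE_INVALID` followed by a failed zone signing. The sample lines are constructed from the messages above with the e-mail line wrapping undone, and the function name `scan` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: log lines from the thread with e-mail wrapping undone.
SAMPLE = """\
May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforcer] update zone: domain2.org
May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [hsm_key_factory_get_key] removing key 37abe5998879aceefea122b69ca98751 from HSM
May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [hsm_key_factory_get_key] removing key be586f8af9ec83163ffe73c66a21f319 from HSM
May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [hsm_key_factory_get_key] removing key 78586dbbaab0ebf9ddd01b0fb4cbd83f from HSM
May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforcer] removeDeadKeys: keys deleted from HSM: 3
May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforcer] update: key_data_update() failed
May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [hsm] sign init: CKR_OBJECT_HANDLE_INVALID
May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [worker[2]] CRITICAL: failed to sign zone domain.org: General error
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) (ods-\w+)\[(\d+)\]: (.*)$")
PURGE = re.compile(r"removing key ([0-9a-f]{32}) from HSM")
ZONE = re.compile(r"update zone: (\S+)")
SIGN_FAIL = re.compile(r"failed to sign zone (\S+):")

def scan(text):
    """Return (purge_failures, sign_failures) found in syslog text."""
    # Per enforcer pid: current zone and the keys purged since it was announced.
    # Keys accumulate until the next "update zone" line for that pid.
    pending = defaultdict(lambda: {"zone": None, "keys": []})
    invalid_handle = set()  # signer pids that logged CKR_OBJECT_HANDLE_INVALID
    purge_failures, sign_failures = [], []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, _host, daemon, pid, msg = m.groups()
        if daemon == "ods-enforcerd":
            state = pending[pid]
            if (z := ZONE.search(msg)):
                pending[pid] = {"zone": z.group(1), "keys": []}
            elif (k := PURGE.search(msg)):
                state["keys"].append(k.group(1))
            elif "key_data_update() failed" in msg and state["keys"]:
                purge_failures.append((ts, state["zone"], list(state["keys"])))
                state["keys"].clear()
        elif daemon == "ods-signerd":
            if "CKR_OBJECT_HANDLE_INVALID" in msg:
                invalid_handle.add(pid)
            elif (z := SIGN_FAIL.search(msg)) and pid in invalid_handle:
                sign_failures.append((ts, z.group(1)))
                invalid_handle.discard(pid)
    return purge_failures, sign_failures
```

Feed it real syslog only after joining wrapped lines; a zone of `None` in a purge failure means no `update zone` line preceded the purge for that enforcer process.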