[Opendnssec-user] Error converting from 1.4.14 to 2.1.8

Havard Eidnes he at uninett.no
Fri Mar 5 17:46:34 UTC 2021


The good and bad news is that we've now re-created the problem on
our test signer:

Mar  5 18:30:57 test-signer ods-signerd: [zone] unable to publish keys for zone 0.2.6.2.3.2.7.4.nrenum.net: error creating libhsm context
Mar  5 18:30:57 test-signer ods-signerd: [tools] unable to read zone 0.2.6.2.3.2.7.4.nrenum.net: failed to publish dnskeys (HSM error)
Mar  5 18:30:57 test-signer ods-signerd: CRITICAL: failed to sign zone 0.2.6.2.3.2.7.4.nrenum.net: HSM error
Mar  5 18:30:57 test-signer ods-signerd: back-off task [read] for zone 0.2.6.2.3.2.7.4.nrenum.net with 60 seconds

In this installation, "ods-hsmutil list" nicely managed to list
the keys in the converted-to-SoftHSM2 HSM -- some of it:

SoftHSM               ca1db944ee29f342358b802c44f3b0f6  RSA/2048  
SoftHSM               d330c302364d7330ece794b54924fdc7  RSA/2048  
SoftHSM               7b040db24e0dcfed95fe3c3f3c9fd148  RSA/2048  
SoftHSM               b31d6b06ed4b0ee515b5dc4f33963c7b  RSA/2048  
SoftHSM               8df62fee92e8dc3e08fb6682fa11efd0  RSA/1280  
SoftHSM               7d08c98e2643eccc700a2268cc5e4455  RSA/1280  
SoftHSM               a263bd1c5fcfd4bfb2d2d9585a235e8b  RSA/1280  

so there is something else which the HSM code is unhappy about.
The big question is *what*.

There's no file permission problem for the HSM, at least:

$ cat /usr/pkg/etc/softhsm2.conf 
# SoftHSM v2 configuration file

directories.tokendir = /var/db/softhsm
objectstore.backend = db

# ERROR, WARNING, INFO, DEBUG
log.level = ERROR

# If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false
$
$ ls -lR /var/db/softhsm
total 4
drwx------  2 ods  ods  512 Mar  5 18:34 7efeabbb-6019-8ef8-9175-4f51cc7442af/

/var/db/softhsm/7efeabbb-6019-8ef8-9175-4f51cc7442af:
total 2732
-rw-------  1 ods  ods  2732032 Mar  5 18:34 sqlite3.db
-rw-------  1 ods  ods     8720 Mar  5 18:34 sqlite3.db-journal
$

Apparently the enforcer is talking nicely to the HSM:

Mar  5 18:35:47 test-signer ods-enforcerd: [enforcer] updatePolicy: New key needed for role KSK
Mar  5 18:35:47 test-signer ods-enforcerd: [hsm_key_factory_get_key] get private key
Mar  5 18:35:47 test-signer ods-enforcerd: [hsm_key_factory_get_key] key allocated
Mar  5 18:35:47 test-signer ods-enforcerd: [scheduler] schedule task hsmkeygen for hsm_key_factory_schedule_generation
Mar  5 18:35:47 test-signer ods-enforcerd: [enforcer] updatePolicy: got new key from HSM

So ... why can't the signer-daemon do the same?

Regards,

- Håvard
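For the monitoring side of this: the Python below is an added example (not code from the post or from OpenDNSSEC) that parses ods-signerd syslog lines like the ones quoted above and summarises, per zone, how many HSM errors were logged, whether a CRITICAL line appeared and what back-off interval the signer applied, so a check can flag a signer that has stopped signing. The syslog prefix layout and the "libhsm"/"HSM error" wording are assumed from the quoted lines.

```python
import re

# Constructed sample input: the four ods-signerd lines quoted in the message
# above, plus one unrelated healthy line so the filter has something to skip.
SAMPLE_LOG = """\
Mar  5 18:30:57 test-signer ods-signerd: [zone] unable to publish keys for zone 0.2.6.2.3.2.7.4.nrenum.net: error creating libhsm context
Mar  5 18:30:57 test-signer ods-signerd: [tools] unable to read zone 0.2.6.2.3.2.7.4.nrenum.net: failed to publish dnskeys (HSM error)
Mar  5 18:30:57 test-signer ods-signerd: CRITICAL: failed to sign zone 0.2.6.2.3.2.7.4.nrenum.net: HSM error
Mar  5 18:30:57 test-signer ods-signerd: back-off task [read] for zone 0.2.6.2.3.2.7.4.nrenum.net with 60 seconds
Mar  5 18:31:02 test-signer ods-signerd: [zone] zone example.net signed
"""

# Assumed syslog layout: "<Mon> <day> <HH:MM:SS> <host> <program>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
ZONE_RE = re.compile(r"\bzone (?P<zone>[^\s:]+)")        # zone names carry no ':'
BACKOFF_RE = re.compile(r"back-off task \[\w+\] for zone \S+ with (?P<secs>\d+) seconds")
HSM_MARKERS = ("libhsm", "HSM error")                    # wording seen in the quoted lines

def parse_line(line):
    """Split one syslog line into ts/host/prog/msg, or return None if it does not fit."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def hsm_failures(text):
    """Return {zone: summary} for each zone whose ods-signerd messages report an HSM failure.

    summary = {"hsm_errors": count, "critical": bool, "backoff_secs": int|None, "first_seen": ts}
    """
    per_zone = {}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["prog"] != "ods-signerd":
            continue
        z = ZONE_RE.search(rec["msg"])
        if z is None:
            continue
        s = per_zone.setdefault(z.group("zone"), {"hsm_errors": 0, "critical": False,
                                                  "backoff_secs": None, "first_seen": rec["ts"]})
        msg = rec["msg"]
        if any(marker in msg for marker in HSM_MARKERS):
            s["hsm_errors"] += 1
        if msg.startswith("CRITICAL:"):
            s["critical"] = True
        b = BACKOFF_RE.search(msg)
        if b:
            s["backoff_secs"] = int(b.group("secs"))
    # keep only zones that actually hit the HSM; a back-off alone is not evidence
    return {zone: s for zone, s in per_zone.items() if s["hsm_errors"]}

if __name__ == "__main__":
    for zone, s in hsm_failures(SAMPLE_LOG).items():
        print(f"{zone}: {s['hsm_errors']} HSM error(s), critical={s['critical']}, back-off={s['backoff_secs']}s")
```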