[Opendnssec-user] Error converting from 1.4.14 to 2.1.8
Havard Eidnes
he at uninett.no
Fri Mar 5 17:46:34 UTC 2021
The good and bad news is that we've now re-created the problem on
our test signer:
Mar 5 18:30:57 test-signer ods-signerd: [zone] unable to publish keys for zone 0.2.6.2.3.2.7.4.nrenum.net: error creating libhsm context
Mar 5 18:30:57 test-signer ods-signerd: [tools] unable to read zone 0.2.6.2.3.2.7.4.nrenum.net: failed to publish dnskeys (HSM error)
Mar 5 18:30:57 test-signer ods-signerd: CRITICAL: failed to sign zone 0.2.6.2.3.2.7.4.nrenum.net: HSM error
Mar 5 18:30:57 test-signer ods-signerd: back-off task [read] for zone 0.2.6.2.3.2.7.4.nrenum.net with 60 seconds
In this installation, "ods-hsmutil list" nicely managed to list
the keys in the converted-to-SoftHSM2 HSM -- some of it:
SoftHSM ca1db944ee29f342358b802c44f3b0f6 RSA/2048
SoftHSM d330c302364d7330ece794b54924fdc7 RSA/2048
SoftHSM 7b040db24e0dcfed95fe3c3f3c9fd148 RSA/2048
SoftHSM b31d6b06ed4b0ee515b5dc4f33963c7b RSA/2048
SoftHSM 8df62fee92e8dc3e08fb6682fa11efd0 RSA/1280
SoftHSM 7d08c98e2643eccc700a2268cc5e4455 RSA/1280
SoftHSM a263bd1c5fcfd4bfb2d2d9585a235e8b RSA/1280
so there is something else which the HSM code is unhappy about.
The big question is *what*.
There's no file permission problem for the HSM, at least:
$ cat /usr/pkg/etc/softhsm2.conf
# SoftHSM v2 configuration file
directories.tokendir = /var/db/softhsm
objectstore.backend = db
# ERROR, WARNING, INFO, DEBUG
log.level = ERROR
# If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false
$
$ ls -lR /var/db/softhsm
total 4
drwx------ 2 ods ods 512 Mar 5 18:34 7efeabbb-6019-8ef8-9175-4f51cc7442af/
/var/db/softhsm/7efeabbb-6019-8ef8-9175-4f51cc7442af:
total 2732
-rw------- 1 ods ods 2732032 Mar 5 18:34 sqlite3.db
-rw------- 1 ods ods 8720 Mar 5 18:34 sqlite3.db-journal
$
Apparently the enforcer is talking nicely to the HSM:
Mar 5 18:35:47 test-signer ods-enforcerd: [enforcer] updatePolicy: New key needed for role KSK
Mar 5 18:35:47 test-signer ods-enforcerd: [hsm_key_factory_get_key] get private key
Mar 5 18:35:47 test-signer ods-enforcerd: [hsm_key_factory_get_key] key allocated
Mar 5 18:35:47 test-signer ods-enforcerd: [scheduler] schedule task hsmkeygen for hsm_key_factory_schedule_generation
Mar 5 18:35:47 test-signer ods-enforcerd: [enforcer] updatePolicy: got new key from HSM
So ... why can't the signer-daemon do the same?
Regards,
- Håvard
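As an added example (not part of Håvard's mail, and not an OpenDNSSEC or SoftHSM tool), here is the kind of check one can run as the user the signer daemon runs under when libhsm reports "error creating libhsm context": it parses the softhsm2.conf that would be used, confirms the token directory exists and is owned by the expected user, and confirms that the object store matching `objectstore.backend` is present in at least one token subdirectory. The paths and token id in the comments are constructed for the example; `check_softhsm_setup` and `softhsm_conf_get` are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the original mail or from OpenDNSSEC/SoftHSM.
# Sanity-check a SoftHSM2 configuration and its token directory from the
# point of view of a given user. Example usage:
#   sudo -u ods sh ./check_softhsm.sh /usr/pkg/etc/softhsm2.conf ods
# (path and user are constructed examples)

# Print the value of a "key = value" line from a softhsm2.conf file.
softhsm_conf_get() {
    conf="$1"; key="$2"
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$conf" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Return 0 when the conf is readable, directories.tokendir exists and is
# owned by the expected user, and at least one token subdirectory holds the
# object store for the configured backend (sqlite3.db for "db",
# token.object for "file", which is SoftHSM2's default backend).
check_softhsm_setup() {
    conf="$1"; expect_user="$2"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    tokendir=$(softhsm_conf_get "$conf" directories.tokendir)
    backend=$(softhsm_conf_get "$conf" objectstore.backend)
    [ -n "$tokendir" ] || { echo "directories.tokendir missing in $conf"; return 1; }
    [ -d "$tokendir" ] || { echo "tokendir $tokendir does not exist"; return 1; }
    # ls -ld works the same on BSD and Linux; third column is the owner.
    owner=$(ls -ld "$tokendir" | awk '{print $3}')
    [ "$owner" = "$expect_user" ] || {
        echo "tokendir $tokendir owned by $owner, expected $expect_user"; return 1; }
    case "$backend" in
        db) store=sqlite3.db ;;
        file|"") store=token.object ;;
        *) echo "unknown objectstore.backend '$backend'"; return 1 ;;
    esac
    found=0
    for t in "$tokendir"/*/; do
        [ -d "$t" ] || continue
        [ -f "$t$store" ] && found=1
    done
    [ "$found" -eq 1 ] || {
        echo "no token directory under $tokendir contains $store"; return 1; }
    echo "ok: $tokendir (backend ${backend:-file}) owned by $expect_user, token store present"
    return 0
}

# Run the check when invoked with arguments: CONF_PATH [USER]
if [ $# -gt 0 ]; then
    check_softhsm_setup "$1" "${2:-$(id -un)}"
fi
```

Because SoftHSM2 picks up the `SOFTHSM2_CONF` environment variable to locate its configuration, run the check with the same environment (and the same user) as the daemon in question, so that a signer and an enforcer started differently are compared against the configuration each of them actually reads.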