[Opendnssec-user] softhsm unable to get key
Randy Bush
randy at psg.com
Thu May 6 23:53:53 UTC 2021
# uname -a
FreeBSD rip.psg.com 12.2-RELEASE-p6 FreeBSD 12.2-RELEASE-p6 GENERIC amd64
# pkg info opendnssec2 | head -1
opendnssec2-2.1.8
# pkg info softhsm | head -1
softhsm-1.3.8
all worked until a reboot this morning
none recently changed
# ls -l `which ods-signerd`
-rwxr-xr-x 1 root wheel 385632 Mar 13 19:56 /usr/local/sbin/ods-signerd*
# ls -l `which ods-enforcerd`
-rwxr-xr-x 1 root wheel 482984 Mar 13 19:56 /usr/local/sbin/ods-enforcerd*
# ls -l `which softhsm`
-rwxr-xr-x 1 root wheel 57200 Jul 7 2019 /usr/local/bin/softhsm*
May 6 23:08:15 rip ods-signerd[705]: [hsm] unable to get key: key c659db9ce13d7f18518cd1bbe0a2f0d8 not found
May 6 23:08:15 rip ods-signerd[705]: [hsm] hsm_get_dnskey(): Got NULL key
May 6 23:08:15 rip ods-signerd[705]: [hsm] unable to get key: hsm failed to create dnskey
May 6 23:08:15 rip ods-signerd[705]: [zone] unable to prepare signing keys for zone sol.int: error getting dnskey
May 6 23:08:15 rip ods-signerd[705]: [worker[1]] CRITICAL: failed to sign zone sol.int: General error
and same for all signed zones
but
# sqlite3 /usr/local/var/softhsm/slot0.db ".backup foo"
# ls -l foo
-rw-r--r-- 1 root wheel 316416 May 6 23:29 foo
still duckduckgoing for how to see if sqlite3 has that key, c659db9ce13d7f18518cd1bbe0a2f0d8
but
# softhsm --show-slot
Available slots:
Slot 0
Token present: yes
Token initialized: yes
User PIN initialized: yes
Token label: opendnssec
and
# softhsm --export test --slot 0 --pin no-way --id c659db9ce13d7f18518cd1bbe0a2f0d8
Error: Could not find the private key with ID = c659db9ce13d7f18518cd1bbe0a2f0d8
but
# ods-enforcer key list -v -z ymbk.com
Keys:
Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
ymbk.com KSK active 2021-06-28 21:37:27 2048 8 52d55ded0e4a06b444774b9daf9ad050 SoftHSM 53482
ymbk.com ZSK active 2021-06-28 21:37:27 2048 8 a7f2aa72ecb73b40970abe2b4ffc353e SoftHSM 52456
though i am not sure enforcer is calling softhsm or just looking in its
back pocket
so i
restarted opendnssec
played my backup script
ods-enforcer backup prepare
sqlite3 /usr/local/var/softhsm/slot0.db ".backup `date '+%y%m%d'`.softhsm-copy.db"
ods-enforcer backup commit
tried a reboot
an hour searching the net of a million lies was no help. similar
problems with much older versions.
i once tried to upgrade to softhsm2 and had to back off after major
mess. willing to try again if i can find a recipe.
the only possible hint is from a couple of days back, port upgrade of
sqlite3
bind-tools-9.16.13 < needs updating (remote has 9.16.15)
bind916-9.16.13 < needs updating (remote has 9.16.15)
sqlite3-3.34.1_1,1 < needs updating (remote has 3.35.5,1)
clues very much appreciated
randy
---
randy at psg.com
`gpg --locate-external-keys --auto-key-locate wkd randy at psg.com`
signatures are back, thanks to dmarc header butchery
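The post asks how to check whether the SoftHSM token database actually contains the key ID the signer complains about. The following is an added example, not code from the post or from the OpenDNSSEC/SoftHSM projects. It parses the ods-signerd log lines quoted above for "key ... not found" IDs and failed zones, then looks those IDs up in a SoftHSM v1 sqlite file. The table layout it assumes (an Objects table and an Attributes table keyed by objectID, one row per PKCS#11 attribute with the CK_ATTRIBUTE_TYPE number in `type` and the raw bytes in `value`) is an assumption about SoftHSM 1.3.x, not confirmed by the post; the CKA_ID constant 0x102 is the standard PKCS#11 value. The sample token it builds is constructed to hold only the two ymbk.com CKA_IDs from the enforcer listing, so the sol.int key comes back as genuinely absent, mirroring the situation in the post.

```python
import re
import sqlite3
import sys

# Constructed sample input: the ods-signerd lines quoted in the post.
SAMPLE_LOG = """\
May 6 23:08:15 rip ods-signerd[705]: [hsm] unable to get key: key c659db9ce13d7f18518cd1bbe0a2f0d8 not found
May 6 23:08:15 rip ods-signerd[705]: [hsm] hsm_get_dnskey(): Got NULL key
May 6 23:08:15 rip ods-signerd[705]: [hsm] unable to get key: hsm failed to create dnskey
May 6 23:08:15 rip ods-signerd[705]: [zone] unable to prepare signing keys for zone sol.int: error getting dnskey
May 6 23:08:15 rip ods-signerd[705]: [worker[1]] CRITICAL: failed to sign zone sol.int: General error
"""

KEY_NOT_FOUND = re.compile(r"unable to get key: key ([0-9a-fA-F]{32}) not found")
ZONE_FAILED = re.compile(r"failed to sign zone (\S+):")

# PKCS#11 attribute type for CKA_ID (standard value).
CKA_ID = 0x102


def parse_signer_log(text):
    """Return (set of missing hex CKA_IDs, set of zones that failed to sign)."""
    missing, zones = set(), set()
    for line in text.splitlines():
        m = KEY_NOT_FOUND.search(line)
        if m:
            missing.add(m.group(1).lower())
        m = ZONE_FAILED.search(line)
        if m:
            zones.add(m.group(1))
    return missing, zones


def token_key_ids(conn):
    """Hex CKA_IDs of every object in the token database.

    Assumed SoftHSM v1 layout: Attributes(objectID, type, value BLOB, ...).
    The sqlite3 CLI equivalent is:
        SELECT hex(value) FROM Attributes WHERE type = 258;
    """
    rows = conn.execute("SELECT value FROM Attributes WHERE type = ?", (CKA_ID,))
    return {bytes(v).hex() for (v,) in rows}


def audit(log_text, conn):
    """Cross-check log complaints against what the token file really holds."""
    missing, zones = parse_signer_log(log_text)
    present = token_key_ids(conn)
    return {
        # IDs the signer wanted that the token file really lacks
        "confirmed_missing": sorted(missing - present),
        # IDs the signer could not get although the token file has them
        # (would point at a PKCS#11/session problem rather than lost keys)
        "present_but_unusable": sorted(missing & present),
        "failed_zones": sorted(zones),
    }


def build_sample_token(path=":memory:"):
    """Constructed SoftHSM-v1-style token holding only the ymbk.com CKA_IDs."""
    conn = sqlite3.connect(path)
    conn.executescript(
        "CREATE TABLE Objects (objectID INTEGER PRIMARY KEY);"
        "CREATE TABLE Attributes (attributeID INTEGER PRIMARY KEY, objectID INTEGER,"
        " type INTEGER, value BLOB, length INTEGER);"
    )
    sample_ids = ["52d55ded0e4a06b444774b9daf9ad050", "a7f2aa72ecb73b40970abe2b4ffc353e"]
    for oid, hex_id in enumerate(sample_ids, start=1):
        raw = bytes.fromhex(hex_id)
        conn.execute("INSERT INTO Objects (objectID) VALUES (?)", (oid,))
        conn.execute(
            "INSERT INTO Attributes (objectID, type, value, length) VALUES (?, ?, ?, ?)",
            (oid, CKA_ID, raw, len(raw)),
        )
    conn.commit()
    return conn


if __name__ == "__main__":
    # Usage: python3 audit.py /usr/local/var/softhsm/slot0.db < /var/log/messages
    # With no arguments it runs against the constructed sample token and log.
    if len(sys.argv) > 1:
        db = sqlite3.connect(sys.argv[1])
        result = audit(sys.stdin.read(), db)
    else:
        result = audit(SAMPLE_LOG, build_sample_token())
    for k, v in result.items():
        print(f"{k}: {v}")
```

Run it against a copy of slot0.db (such as the `.backup` file made with sqlite3 above) rather than the live token, so the signer's own handle on the database is not disturbed; an ID listed under `confirmed_missing` means the object is not in the file at all, which is the same answer `softhsm --export` gave, while anything under `present_but_unusable` would point at the PKCS#11 layer instead.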