[Opendnssec-user] softhsm unable to get key
Berry van Halderen
berry at nlnetlabs.nl
Fri May 7 00:22:00 UTC 2021
On 2021-05-07 01:53, Randy Bush via Opendnssec-user wrote:
> # uname -a
> FreeBSD rip.psg.com 12.2-RELEASE-p6 FreeBSD 12.2-RELEASE-p6 GENERIC amd64
> # pkg info opendnssec2 | head -1
> opendnssec2-2.1.8
> # pkg info softhsm | head -1
> softhsm-1.3.8
Dear Randy,
OpenDNSSEC 2.1.9 is out, which solves this issue I think.
The problem is that certain HSMs (amongst which SoftHSM in database
backend mode) have a funny behaviour.
\Berry
> all worked until a reboot this morning
>
> none recently changed
> # ls -l `which ods-signerd`
> -rwxr-xr-x 1 root wheel 385632 Mar 13 19:56 /usr/local/sbin/ods-signerd*
> # ls -l `which ods-enforcerd`
> -rwxr-xr-x 1 root wheel 482984 Mar 13 19:56 /usr/local/sbin/ods-enforcerd*
> # ls -l `which softhsm`
> -rwxr-xr-x 1 root wheel 57200 Jul 7 2019 /usr/local/bin/softhsm*
>
> May 6 23:08:15 rip ods-signerd[705]: [hsm] unable to get key: key c659db9ce13d7f18518cd1bbe0a2f0d8 not found
> May 6 23:08:15 rip ods-signerd[705]: [hsm] hsm_get_dnskey(): Got NULL key
> May 6 23:08:15 rip ods-signerd[705]: [hsm] unable to get key: hsm failed to create dnskey
> May 6 23:08:15 rip ods-signerd[705]: [zone] unable to prepare signing keys for zone sol.int: error getting dnskey
> May 6 23:08:15 rip ods-signerd[705]: [worker[1]] CRITICAL: failed to sign zone sol.int: General error
>
> and same for all signed zones
>
> but
>
> # sqlite3 /usr/local/var/softhsm/slot0.db ".backup foo"
> # ls -l foo
> -rw-r--r-- 1 root wheel 316416 May 6 23:29 foo
>
> still duckduckgoing for how to see if sqlite3 has that key,
> c659db9ce13d7f18518cd1bbe0a2f0d8
>
> but
>
> # softhsm --show-slot
> Available slots:
> Slot 0
> Token present: yes
> Token initialized: yes
> User PIN initialized: yes
> Token label: opendnssec
>
> and
>
> # softhsm --export test --slot 0 --pin no-way --id c659db9ce13d7f18518cd1bbe0a2f0d8
> Error: Could not find the private key with ID = c659db9ce13d7f18518cd1bbe0a2f0d8
>
> but
>
> # ods-enforcer key list -v -z ymbk.com
> Keys:
> Zone:     Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
> ymbk.com  KSK      active  2021-06-28 21:37:27      2048  8          52d55ded0e4a06b444774b9daf9ad050 SoftHSM     53482
> ymbk.com  ZSK      active  2021-06-28 21:37:27      2048  8          a7f2aa72ecb73b40970abe2b4ffc353e SoftHSM     52456
>
> though i am not sure enforcer is calling softhsm or just looking in its
> back pocket
>
> so i
>
> restarted opendnssec
> played my backup script
> ods-enforcer backup prepare
> sqlite3 /usr/local/var/softhsm/slot0.db ".backup `date '+%y%m%d'`.softhsm-copy.db"
> ods-enforcer backup commit
> tried a reboot
>
> an hour searching the net of a million lies was no help. similar
> problems with much older versions.
>
> i once tried to upgrade to softhsm2 and had to back off after major
> mess. willing to try again if i can find a recipe.
>
> the only possible hint is from a couple of days back, port upgrade of
> sqlite3
>
> bind-tools-9.16.13 < needs updating (remote has 9.16.15)
> bind916-9.16.13 < needs updating (remote has 9.16.15)
> sqlite3-3.34.1_1,1 < needs updating (remote has 3.35.5,1)
>
> clues very much appreciated
>
> randy
>
> ---
> randy at psg.com
> `gpg --locate-external-keys --auto-key-locate wkd randy at psg.com`
> signatures are back, thanks to dmarc header butchery
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
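A small cross-check of the two outputs quoted in the thread, added here as an example and not part of the thread or of OpenDNSSEC itself: it pulls the CKA_IDs the signer reported missing out of the syslog lines and compares them with the CKA_IDs `ods-enforcer key list -v` still lists, so a key the token really lost can be told apart from a key the signer's signconf refers to but the enforcer no longer tracks. The sample inputs are constructed from the lines in the thread (the enforcer listing covers only ymbk.com, so the sol.int key lands in the second bucket); on a real system feed it the full signer log and the unfiltered `key list -v` output.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of the ods-signerd syslog lines quoted in the
# thread; the key ID is the one Randy's signer complained about.
SIGNER_LOG = """\
May 6 23:08:15 rip ods-signerd[705]: [hsm] unable to get key: key c659db9ce13d7f18518cd1bbe0a2f0d8 not found
May 6 23:08:15 rip ods-signerd[705]: [hsm] hsm_get_dnskey(): Got NULL key
May 6 23:08:15 rip ods-signerd[705]: [hsm] unable to get key: hsm failed to create dnskey
May 6 23:08:15 rip ods-signerd[705]: [zone] unable to prepare signing keys for zone sol.int: error getting dnskey
"""
# Constructed sample in the shape of `ods-enforcer key list -v` output, with
# the two CKA_IDs from the thread (columns re-aligned for readability).
ENFORCER_LIST = """\
Keys:
Zone:     Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
ymbk.com  KSK      active  2021-06-28 21:37:27      2048  8          52d55ded0e4a06b444774b9daf9ad050 SoftHSM     53482
ymbk.com  ZSK      active  2021-06-28 21:37:27      2048  8          a7f2aa72ecb73b40970abe2b4ffc353e SoftHSM     52456
"""

MISSING_RE = re.compile(r"unable to get key: key ([0-9a-f]{32}) not found")
CKA_ID_RE = re.compile(r"\b([0-9a-f]{32})\b")

def missing_key_ids(log_text: str) -> Set[str]:
    """CKA_IDs the signer reported the HSM could not find."""
    return set(MISSING_RE.findall(log_text))

def enforcer_key_ids(list_text: str) -> Dict[str, Tuple[str, str]]:
    """Map CKA_ID -> (zone, keytype) from `ods-enforcer key list -v` output."""
    keys: Dict[str, Tuple[str, str]] = {}
    for line in list_text.splitlines():
        fields = line.split()
        # Skip blank lines, the "Keys:" banner and the header row.
        if len(fields) < 2 or fields[0].endswith(":"):
            continue
        m = CKA_ID_RE.search(line)
        if m:
            keys[m.group(1)] = (fields[0], fields[1])
    return keys

def reconcile(log_text: str, list_text: str) -> Dict[str, List[str]]:
    """Split the signer's missing IDs by whether the enforcer still lists them."""
    missing, known = missing_key_ids(log_text), enforcer_key_ids(list_text)
    return {
        # Enforcer and signer agree the key should exist: the token no longer has it.
        "expected_but_absent_from_hsm": sorted(i for i in missing if i in known),
        # Only the signer refers to it: its signconf and the enforcer's view differ.
        "unknown_to_enforcer": sorted(i for i in missing if i not in known),
    }
```

Call `reconcile(signer_log, enforcer_list)` with the real outputs; any ID in the first bucket is one to look for in the SoftHSM token (for example with `softhsm --export` as in the thread), any ID in the second bucket points at the signconf rather than at the HSM.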