[Opendnssec-user] softhsm unable to get key

Roman Serbski mefystofel at gmail.com
Wed May 26 15:15:36 UTC 2021


On Fri, May 7, 2021 at 5:14 PM Randy Bush via Opendnssec-user
<opendnssec-user at lists.opendnssec.org> wrote:
>
> > OpenDNSSEC 2.1.9 is out, which solves this issue I think.
>
> the kindness of dr akkerhuis allowed me to install on a binary-only
> freebsd.
>
> i am not positive that 2.1.9 fixed the problem; but it definitely
> suppressed the error messages :)

Hello,

I'm not 100% sure it's the same issue, but I started getting similar
errors with OpenDNSSEC 2.1.9 under FreeBSD 12.2-RELEASE-p2 r369009.

Some days ago, I removed one zone using the command:

ods-enforcer zone delete --zone domain.org

And yesterday I started receiving:

May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: File.cpp(94): Could not open the file (No such file or directory): /var/lib/softhsm/tokens//3eab29c6-3b3f-fcf9-4aed-ff695aef81b0/63f07aa8-56e9-3639-4ebd-41692cb2a208.object
May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [hsm] sign init: CKR_OBJECT_HANDLE_INVALID
May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [hsm] error signing rrset with libhsm
May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [rrset] unable to sign RRset[6]: lhsm_sign() failed
May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [worker[2]] sign zone domain.org failed: 1 RRsets failed
May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [worker[2]] CRITICAL: failed to sign zone domain.org: General error
May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: back-off task [sign] for zone domain.org with 60 seconds

I also noticed errors while purging expired ZSKs for other domains, for example:

May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforcer] update zone: domain2.org
May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforcer] removeDeadKeys deleting key: 37abe5998879aceefea122b69ca98751
May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [hsm_key_factory_delete_key] looking for keys to purge from HSM
May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [hsm_key_factory_get_key] removing key 37abe5998879aceefea122b69ca98751 from HSM
May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [hsm_key_factory_get_key] removing key be586f8af9ec83163ffe73c66a21f319 from HSM
May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [hsm_key_factory_get_key] removing key 78586dbbaab0ebf9ddd01b0fb4cbd83f from HSM
May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforcer] removeDeadKeys: keys deleted from HSM: 3
May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforcer] update: key_data_update() failed
May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforce_task] No changes to signconf file required for zone domain2.org

/usr/local/etc/rc.d/opendnssec stop/start seems to suppress the error.

Thanks.

