[Opendnssec-user] softhsm unable to get key

Berry van Halderen berry at nlnetlabs.nl
Wed May 26 15:22:53 UTC 2021


On 2021-05-26 17:15, Roman Serbski via Opendnssec-user wrote:
> On Fri, May 7, 2021 at 5:14 PM Randy Bush via Opendnssec-user
> <opendnssec-user at lists.opendnssec.org> wrote:
>> 
>> > OpenDNSSEC 2.1.9 is out, which solves this issue I think.
>> 
>> the kindness of dr akkerhuis allowed me to install on a binary-only
>> freebsd.
>> 
>> i am not positive that 2.1.9 fixed the problem; but it definitely
>> suppressed the error messages :)
> 
> Hello,
> 
> I'm not 100% sure it's the same issue, but I started getting similar
> errors with OpenDNSSEC 2.1.9 under FreeBSD 12.2-RELEASE-p2 r369009.
> 
> Some days ago, I removed one zone using the command:
> 
> ods-enforcer zone delete --zone domain.org
> 
> And yesterday I started receiving:

Related, but not the same issue, and not really in OpenDNSSEC but with SoftHSM.
The start/stop should have fixed it, but an ods-signer update --all should
also have done the trick.  I'm afraid this will turn out to be a concurrency
issue that will be hard to pick up in SoftHSM.
If anyone else sees this message I would like to know because I think it will be
very rare.

\Berry

> May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: File.cpp(94): Could not
> open the file (No such file or directory):
> /var/lib/softhsm/tokens//3eab29c6-3b3f-fcf9-4aed-ff695aef81b0/63f07aa8-56e9-3639-4ebd-41692cb2a208.object
> May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [hsm] sign init:
> CKR_OBJECT_HANDLE_INVALID
> May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [hsm] error signing
> rrset with libhsm
> May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [rrset] unable to sign
> RRset[6]: lhsm_sign() failed
> May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [worker[2]] sign zone
> domain.org failed: 1 RRsets failed
> May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: [worker[2]] CRITICAL:
> failed to sign zone domain.org: General error
> May 24 19:16:29 SRV-SIGN01 ods-signerd[5480]: back-off task [sign] for
> zone domain.org with 60 seconds
> 
> I also noticed errors while purging expired ZSKs for other domains, for 
> example:
> 
> May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforcer] update
> zone: domain2.org
> May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforcer]
> removeDeadKeys deleting key: 37abe5998879aceefea122b69ca98751
> May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]:
> [hsm_key_factory_delete_key] looking for keys to purge from HSM
> May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]:
> [hsm_key_factory_get_key] removing key
> 37abe5998879aceefea122b69ca98751 from HSM
> May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]:
> [hsm_key_factory_get_key] removing key
> be586f8af9ec83163ffe73c66a21f319 from HSM
> May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]:
> [hsm_key_factory_get_key] removing key
> 78586dbbaab0ebf9ddd01b0fb4cbd83f from HSM
> May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforcer]
> removeDeadKeys: keys deleted from HSM: 3
> May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforcer] update:
> key_data_update() failed
> May 24 17:35:01 SRV-SIGN01 ods-enforcerd[5474]: [enforce_task] No
> changes to signconf file required for zone domain2.org
> 
> /usr/local/etc/rc.d/opendnssec stop/start seems to suppress the error.
> 
> Thanks.


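Added example, not part of the original thread and not OpenDNSSEC or SoftHSM code: a log check for the signer failure pattern quoted above (missing SoftHSM object file followed by CKR_OBJECT_HANDLE_INVALID and a failed zone). It assumes one syslog record per line; the sample records, hostname, zone and object path are constructed placeholders, and grouping by timestamp and PID is a heuristic.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the quoted log lines, one record per line.
SAMPLE = """\
May 24 19:16:29 signer01 ods-signerd[5480]: File.cpp(94): Could not open the file (No such file or directory): /var/lib/softhsm/tokens/TOKEN-UUID/OBJECT-UUID.object
May 24 19:16:29 signer01 ods-signerd[5480]: [hsm] sign init: CKR_OBJECT_HANDLE_INVALID
May 24 19:16:29 signer01 ods-signerd[5480]: [hsm] error signing rrset with libhsm
May 24 19:16:29 signer01 ods-signerd[5480]: [worker[2]] sign zone example.org failed: 1 RRsets failed
May 24 19:16:29 signer01 ods-signerd[5480]: back-off task [sign] for zone example.org with 60 seconds
May 24 19:20:00 signer01 ods-enforcerd[5474]: [enforcer] update zone: example.net
"""

RECORD = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ ods-signerd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
MISSING = re.compile(r"Could not open the file \(No such file or directory\): (\S+\.object)")
CKR = re.compile(r"\[hsm\] sign init: (CKR_\w+)")
ZONE_FAIL = re.compile(r"sign zone (\S+) failed: (\d+) RRsets failed")

def find_sign_failures(text):
    """Return one incident per zone that ods-signerd failed to sign."""
    # Assumption: records sharing a timestamp and PID belong to the same failure.
    groups = defaultdict(lambda: {"objects": [], "errors": [], "zones": {}})
    for line in text.splitlines():
        rec = RECORD.match(line)
        if not rec:
            continue  # not a signer record (e.g. ods-enforcerd)
        g, msg = groups[(rec["ts"], rec["pid"])], rec["msg"]
        if m := MISSING.search(msg):
            g["objects"].append(m[1])
        elif m := CKR.search(msg):
            g["errors"].append(m[1])
        elif m := ZONE_FAIL.search(msg):
            g["zones"][m[1]] = int(m[2])
    incidents = []
    for (ts, pid), g in groups.items():
        # The thread's pattern: key object gone from the token, handle still in use.
        stale = bool(g["objects"]) and "CKR_OBJECT_HANDLE_INVALID" in g["errors"]
        for zone, count in g["zones"].items():
            incidents.append({"time": ts, "pid": pid, "zone": zone,
                              "failed_rrsets": count, "pkcs11_errors": g["errors"],
                              "missing_objects": g["objects"], "stale_handle": stale})
    return incidents

if __name__ == "__main__":
    for incident in find_sign_failures(SAMPLE):
        print(incident)
```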