[Opendnssec-user] hsm unable to get key

Randy Bush randy at psg.com
Mon Apr 10 21:12:13 UTC 2023


freebsd 13.1
opendnssec 2.1.10
softhsm 1.3.8

things running happily for months.  suddenly, i have logs full of

    Apr  9 21:22:12 rip ods-enforcerd[35513]: [hsm_key_factory_delete_key] looking for keys to purge from HSM
    Apr  9 21:22:15 rip ods-signerd[35519]: [hsm] unable to get key: key c6ab03c6ecd8ca4e9d57eae9ccc79a69 not found
    Apr  9 21:22:15 rip ods-signerd[35519]: [hsm] hsm_get_dnskey(): Got NULL key
    Apr  9 21:22:15 rip ods-signerd[35519]: [hsm] unable to get key: hsm failed to create dnskey
    Apr  9 21:22:15 rip ods-signerd[35519]: [zone] unable to prepare signing keys for zone 150.180.198.in-addr.arpa: error getting dnskey
    Apr  9 21:22:15 rip ods-signerd[35519]: [worker[1]] CRITICAL: failed to sign zone 150.180.198.in-addr.arpa: General error

so i duckduckwent and found
https://opendnssec-user.opendnssec.narkive.com/w52YSVrG/signer-does-not-find-a-key
which seems to suggest a home directory has changed?  really?

https://issues.opendnssec.org/browse/SUPPORT-278 does not enlighten me
much more; though maybe that's my fault.

reading
https://opendnssec-user.opendnssec.narkive.com/E5sZ0Wrt/missing-keys-and-various-other-problems-on-2-0
i tried

    # service opendnssec restart
    Stopping enforcer..
    Engine shut down.
    pid 35513
    Stopping signer engine...
    Engine shut down.pid 35519
    Starting enforcer...
    OpenDNSSEC key and signing policy enforcer version 2.1.10
    Engine running.
    Starting signer engine...
    OpenDNSSEC signer engine version 2.1.10
    Engine running.

https://www.mail-archive.com/opendnssec-user@lists.opendnssec.org/msg03958.html
and thread seem to say that restarting signerd should have worked.  we
have jokes about 'should' in my family.

rebooting the whole server did not help either.  sigh.

any more clues out there?

randy
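A monitoring check for the failure mode shown in the logs above, added here as an example (not code from the thread or from OpenDNSSEC): it scans the ods-signerd lines, ties each "key ... not found" locator to the zone whose signing then fails, and separates zones blocked by a missing HSM key from zones that fail for another reason. The sample log is the post's own lines plus one constructed line for a second zone (example.net).

```python
import re

# Sample log: the ods-signerd lines quoted in the post, plus one constructed
# line for example.net that fails without a preceding "key not found".
SAMPLE_LOG = """\
Apr  9 21:22:12 rip ods-enforcerd[35513]: [hsm_key_factory_delete_key] looking for keys to purge from HSM
Apr  9 21:22:15 rip ods-signerd[35519]: [hsm] unable to get key: key c6ab03c6ecd8ca4e9d57eae9ccc79a69 not found
Apr  9 21:22:15 rip ods-signerd[35519]: [hsm] hsm_get_dnskey(): Got NULL key
Apr  9 21:22:15 rip ods-signerd[35519]: [hsm] unable to get key: hsm failed to create dnskey
Apr  9 21:22:15 rip ods-signerd[35519]: [zone] unable to prepare signing keys for zone 150.180.198.in-addr.arpa: error getting dnskey
Apr  9 21:22:15 rip ods-signerd[35519]: [worker[1]] CRITICAL: failed to sign zone 150.180.198.in-addr.arpa: General error
Apr  9 21:22:16 rip ods-signerd[35519]: [worker[2]] CRITICAL: failed to sign zone example.net: General error
"""

SIGNER_LINE = re.compile(r"ods-signerd\[(\d+)\]: (.*)$")
KEY_NOT_FOUND = re.compile(r"\[hsm\] unable to get key: key ([0-9a-f]+) not found")
ZONE_FAILED = re.compile(r"CRITICAL: failed to sign zone (\S+):")

def correlate_signing_failures(log_text):
    """Return {zone: [missing HSM key locators]} for every zone that
    ods-signerd reported it failed to sign.  Key-not-found messages are
    attributed to the next zone failure logged by the same signer pid."""
    pending = {}   # pid -> key locators seen since that pid's last zone failure
    failures = {}
    for line in log_text.splitlines():
        m = SIGNER_LINE.search(line)
        if not m:
            continue  # enforcer and other daemons are not relevant here
        pid, msg = m.group(1), m.group(2)
        k = KEY_NOT_FOUND.search(msg)
        if k:
            pending.setdefault(pid, []).append(k.group(1))
            continue
        z = ZONE_FAILED.search(msg)
        if z:
            zone = z.group(1)
            failures.setdefault(zone, [])
            failures[zone].extend(pending.pop(pid, []))
    return failures

def classify(failures):
    """Split failures into zones blocked by a missing HSM key (the case in
    the post) and zones that failed for some other reason."""
    hsm = {z: ids for z, ids in failures.items() if ids}
    other = sorted(z for z, ids in failures.items() if not ids)
    return hsm, other
```

A zone that shows up in the first group is no longer getting fresh RRSIGs, so it is worth alerting on well before the existing signatures expire.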