On Thu, 17 Aug 2023, Yavor Marinov via FreeIPA-users wrote:
Hello all,

I have a running IPA and replica 4.10 on Alma 9 and lately I can see some
errors starting from ipa-ods-exporter and involving some other services.

The error is constant on the master and obviously is spawned from
starting ipa-ods-exporter. Below is the exact error from dnssec-keyfroml

Aug 17 13:07:46 login.redacted.net kernel: dnssec-keyfroml[670202]:
segfault at 18 ip 00007fdea693a284 sp 00007ffd544af608 error 4 in
libsofthsm2.so[7fdea68a3000+9b000]
Aug 17 13:07:46 login.redacted.net kernel: Code: 75 f4 48 8b 53 30 49 89 4c
24 20 49 89 44 24 10 49 89 54 24 28 48 83 c4 08 4c 89 e0 5b 41 5c c3 66 0f
1f 44 00 00 f3 0f 1e fa <48> 8b 47 18 48 85 c0 74 44 4c 8d 47 10 4c 89 c7
eb 12 66 2e 0f 1f

The final error is from ipa-dnskeysyncd and it is

Aug 17 13:07:46 login.redacted.net ipa-dnskeysyncd[670193]:
ipapython.ipautil.CalledProcessError: CalledProcessError(Command
['/usr/sbin/dnssec-keyfromlabel', '-E', 'pkcs11', '-K',
'/var/named/dyndb-ldap/ipa/master/redacted.net/tmpo7cj2ohc', '-a',
b'RSASHA256', '-l',
b'pkcs11:object=76f06adc7594d5f0dbb882e271636a40;pin-source=/var/lib/ipa/dnssec/softhsm_pin',
'-P', b'20230419122315', '-A', 'none', '-I', 'none', '-D', 'none', '-E',
'pkcs11', 'redacted.net.'] returned non-zero exit status -11: 'Found
uninitialized token\nFound uninitialized token\nKey not
found.\nPKCS11_load_public_key returned NULL\nFound uninitialized
token\nKey not found.\nPKCS11_get_private_key returned
NULL\ndnssec-keyfromlabel: warning: ENGINE_load_private_key failed (not
found)\ndnssec-keyfromlabel: fatal: failed to get key redacted.net/RSASHA256:
not found\n')

I'm not quite sure where the main reason is, so that's why I'm asking here,
and would appreciate your help on this.

The output says that dnssec-keyfromlabel was launched to operate against
an uninitialized token. The token in question should be the one set up by
IPA.

Can you show output of

# systemctl cat ipa-dnskeysyncd.service
# cat /etc/sysconfig/ipa-dnskeysyncd
# ls -lRaZ /var/lib/ipa/dnssec/tokens


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
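
An added example, not part of the original thread or of FreeIPA's code: a small triage helper that pulls the terminating signal, the PKCS#11 key id and the token-related stderr lines out of an ipa-dnskeysyncd CalledProcessError message. The sample input is constructed from the log quoted above (wrapped lines joined, some arguments dropped), and the function name `triage` is hypothetical.

```python
import re
import signal

# Constructed sample: the error from the thread, joined onto one line and shortened.
SAMPLE = (
    r"ipapython.ipautil.CalledProcessError: CalledProcessError(Command "
    r"['/usr/sbin/dnssec-keyfromlabel', '-E', 'pkcs11', '-a', b'RSASHA256', '-l', "
    r"b'pkcs11:object=76f06adc7594d5f0dbb882e271636a40;"
    r"pin-source=/var/lib/ipa/dnssec/softhsm_pin', 'redacted.net.'] "
    r"returned non-zero exit status -11: 'Found uninitialized token\n"
    r"Key not found.\nPKCS11_load_public_key returned NULL\n"
    r"dnssec-keyfromlabel: fatal: failed to get key redacted.net/RSASHA256: not found\n')"
)


def triage(msg):
    """Extract the facts needed to triage a failed dnssec-keyfromlabel call."""
    m = re.search(r"returned non-zero exit status (-?\d+): '(.*)'\)", msg, re.S)
    if not m:
        return None
    status = int(m.group(1))
    # Python's subprocess reports death by signal N as exit status -N,
    # so -11 lines up with the kernel's segfault record for the same process.
    sig = signal.Signals(-status).name if status < 0 else None
    # The message is a repr, so stderr line breaks appear as a literal backslash-n.
    stderr = [line for line in m.group(2).split(r"\n") if line]
    # Attributes are ';'-separated in the URI as it is written in the log.
    uri = re.search(r"pkcs11:([^']+)", msg)
    attrs = dict(p.split("=", 1) for p in uri.group(1).split(";")) if uri else {}
    return {
        "signal": sig,
        "key_id": attrs.get("object"),
        "pin_source": attrs.get("pin-source"),
        "uninitialized_token": any("uninitialized token" in l for l in stderr),
        "key_missing": any(l == "Key not found." for l in stderr),
        "stderr": stderr,
    }


if __name__ == "__main__":
    for field, value in triage(SAMPLE).items():
        print(f"{field}: {value}")
```
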