On 20-04-07 11:19, Berry A.W. van Halderen via Opendnssec-user wrote:
On 4/7/20 10:47 AM, PASZTOR Miklos via Opendnssec-user wrote:
I am using OpenDNSSEC 2.1.3 with debian buster.

There are some error messages, which I really do not understand. The following two types of message sequences appear frequently:

1.
Mar 31 12:33:16 node ods-signerd[20149]: [hsm] unable to get key: key 8af4eb7fc6fd24ab45f87a1e485f00e1 not found
Mar 31 12:33:16 node ods-signerd[20149]: [hsm] error signing rrset with libhsm
Mar 31 12:33:16 node ods-signerd[20149]: [rrset] unable to sign RRset[2]: lhsm_sign() failed
Mar 31 12:33:16 node ods-signerd[20149]: [worker[3]] sign zone example.hu failed: 3 RRsets failed
Mar 31 12:33:16 node ods-signerd[20149]: [worker[3]] CRITICAL: failed to sign zone example.hu: General error

The key in question is in softhsm, and is visible with 'ods-hsmutil list'. When this happens the zone is not signed. However after a minute the signer retries the operation, apparently finds the key, and signs the zone with success.

2.
Mar 31 14:36:09 node ods-signerd[20149]: [worker[1]] CRITICAL: failed to sign zone example.hu: All OK

It seems that besides these error messages zones are signed properly.

Could someone please explain?
TIA.

Most of the time, this is due to permission problems. You might see the key with ods-hsmutil, however you might run this command as a different user (e.g. root), while OpenDNSSEC is running as a separate user (either started by a different user, or in the configuration a User and/or Group is specified to run as). This typically leads to not being able to find the key. OpenDNSSEC cannot see the permission set of the files.

Thanks for responding.

Do you think that message #2 (CRITICAL: failed to sign...: All OK) is also due
to permission problems?

I double-checked the permissions under /var/lib/softhsm and
/var/lib/opendnssec, and found that the owner of the files is the same user
which runs the opendnssec processes.

Besides, if the permissions were wrong, how would opendnssec find the key after
a minute at the second run?

So I am still puzzled by these messages.

Cheers,
Miklós
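The permission mismatch Berry describes (the key listed by ods-hsmutil run as root, but not openable by the user ods-signerd runs as) can be checked without switching users. The script below is an added example for this thread, not OpenDNSSEC or SoftHSM code: it evaluates the POSIX mode bits of the token directory, every ancestor directory and every file under it against a target uid and group set, and treats uid 0 as bypassing the bits, which is exactly why a listing as root proves nothing about the signer's own access. The token path /var/lib/softhsm is the one named in the thread; the default user name "opendnssec" is an assumption, so pass the real User/Group from conf.xml on the command line.

```python
"""Audit whether a given user can open the SoftHSM token files.
Added example for this mailing-list thread; not OpenDNSSEC or SoftHSM code."""
import grp
import os
import pwd
import stat
import sys
from typing import List, Tuple


def mode_allows(st: os.stat_result, uid: int, gids: List[int],
                usr_bit: int, grp_bit: int, oth_bit: int) -> bool:
    """Classic POSIX discretionary check for one permission bit.

    uid 0 bypasses read and search bits entirely (CAP_DAC_READ_SEARCH), so
    'ods-hsmutil list' run as root says nothing about what the signer's
    unprivileged user can open.
    """
    if uid == 0:
        return True
    if st.st_uid == uid:                  # owner class
        return bool(st.st_mode & usr_bit)
    if st.st_gid in gids:                 # group class (primary or supplementary)
        return bool(st.st_mode & grp_bit)
    return bool(st.st_mode & oth_bit)     # other class


def can_read(path: str, uid: int, gids: List[int]) -> bool:
    return mode_allows(os.stat(path), uid, gids,
                       stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def can_search(path: str, uid: int, gids: List[int]) -> bool:
    # The x bit on a directory is what lets a user traverse into it.
    return mode_allows(os.stat(path), uid, gids,
                       stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def audit_token_dir(root: str, uid: int, gids: List[int]) -> List[Tuple[str, str]]:
    """Return [(path, missing_permissions)] for every ancestor directory,
    directory and file under `root` that `uid` could not open."""
    findings: List[Tuple[str, str]] = []
    root = os.path.abspath(root)

    # Every directory above the token dir must be searchable or the path is unusable.
    parent = os.path.dirname(root)
    while True:
        if not can_search(parent, uid, gids):
            findings.append((parent, "search"))
        if parent == os.path.dirname(parent):   # reached "/"
            break
        parent = os.path.dirname(parent)

    for dirpath, _dirnames, filenames in os.walk(root):
        missing = []
        if not can_read(dirpath, uid, gids):
            missing.append("read")
        if not can_search(dirpath, uid, gids):
            missing.append("search")
        if missing:
            findings.append((dirpath, "+".join(missing)))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not can_read(path, uid, gids):
                findings.append((path, "read"))
    return findings


def resolve_user(name: str) -> Tuple[int, List[int]]:
    """uid plus primary and supplementary gids, i.e. the set the kernel uses."""
    pw = pwd.getpwnam(name)
    gids = [pw.pw_gid] + [g.gr_gid for g in grp.getgrall() if name in g.gr_mem]
    return pw.pw_uid, gids


if __name__ == "__main__":
    # Defaults are assumptions: the token path named in the thread and a
    # signer user called "opendnssec"; override both on the command line.
    token_dir = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/softhsm"
    user = sys.argv[2] if len(sys.argv) > 2 else "opendnssec"
    uid, gids = resolve_user(user)
    for path, missing in audit_token_dir(token_dir, uid, gids):
        print(f"{user} lacks {missing} on {path}")
```

Run it as root so the walk itself can stat everything; an empty result means the mode bits are not the problem and the intermittent "key not found" has to be explained some other way, which is consistent with what Miklós reports after checking ownership.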

_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user