On 26/10/14 21:39, John Obaterspok wrote:

I enabled mkosek-freeipa repo for F20 and updated freeipa-server from 3.3.5 to 4.1. The yum update reported just a single error:

Could not load host key: /etc/ssh/ssh_host_dsa_key

After reboot I had 3 services that failed to start:
ipa, kadmin, named-pkcs11

Doing "strace -f named-pkcs11 -u named -f -g" I can see:
   "/var/lib/softhsm/tokens/" => -1 EACCES (Permission denied)
   initializing DST: PKCS#11 initialization failed
   exiting (due to fatal error)

For kadmin the error is due to not being able to connect to sldap

I noticed that softhsm2-util --show-slots reported "ERROR: Could not initialize the library." But that seemed to be because wasn't part of the update. After that I could show the default slot and then I manually called following (as root):

"/usr/bin/softhsm2-util --init-token --slot 0 --label ipaDNSSEC --pin XXXXXXXX --so-pin XXXXXXXX"

But the problems won't go away. Any clues?

-- john


can you share your /var/log/ipaupgrade.log ?

your issue with softhsm can be caused by missing enviroment variable
IPA internally uses

please try SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util --show-slots, and let me know if it works

same with named-pkcs11,

can you share journalctl -u named-pkcs11 output?

I'm not aware of that we need, krb5-libs/openssl, I was getting this error if tokens directory doesnt exists, but IPA uses own configuration (see 2) not default.


Martin Basti

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to