Hi Laurent,

It appears that the create_dnskey tool failed because the call to hsm_open failed. Sadly enough, the error message does not really tell you why.

Would it be possible for you to try out the svn branch OpenDNSSEC-1.1 (r4170)? I made the error message more descriptive and it will tell you which config file you have used, as well as the return code of hsm_open. The config file should of course be the same for the enforcer and signer.

Best regards,
Matthijs

On 11/04/2010 05:44 PM, Laurent Bauer wrote:
> Hello,
>
> I am getting started with opendnssec (version 1.1.0) with the default setup.
> I initialized SoftHSM, configured the token label and PIN in conf.xml,
> copied a test zone file in /var/lib/opendnssec/unsigned/, added the zone
> with "ods-ksmutil zone -z demo-serveur.fr -p default", started the
> enforcer and signer daemons, and tried to sign the zone with ods-signer.
>
> 4 keys were generated but the signer fails with "create_dnskey stderr:
> Error initializing libhsm". I could not find what the "status: 3" was
> about (see the log below), could anyone help me fix that ?
>
> Here are some infos about my current setup :
>
> # softhsm --show-slots
> Available slots:
> Slot 0
>     Token present: yes
>     Token initialized: yes
>     User PIN initialized: yes
>     Token label: Mailclub
>
> # ods-ksmutil zone list
> zonelist filename set to /etc/opendnssec/zonelist.xml.
> Found Zone: demo-serveur.fr; on policy default
>
> # ods-ksmutil key list --verbose
> SQLite database set to: /var/lib/opendnssec/db/kasp.db
> Keys:
> Zone:            Keytype:  State:   Date of next transition:  CKA_ID:                           Repository:  Keytag:
> demo-serveur.fr  KSK       publish  2010-11-05 05:22:05       4b4c987253a6545d36f0600d5bbebd33  SoftHSM      55243
> demo-serveur.fr  KSK       dssub    waiting for ds-seen       52bd18c3836e9c26b19673bef0d9c33d  SoftHSM      50356
> demo-serveur.fr  ZSK       active   2010-12-04 15:22:05       165c52bfcedc26fffa8d5f0a7e05f5f8  SoftHSM      28439
> demo-serveur.fr  ZSK       publish  2010-11-05 05:22:05       1c6cc30e6f05b653ddaa894014e25fed  SoftHSM      53942
>
> And here is the syslog (same error repeated with all 4 keys) :
>
> ods-signerd: Run command: '/usr/lib/opendnssec/opendnssec/get_serial -f /var/lib/opendnssec/unsigned/demo-serveur.fr'
> ods-signerd: Sorting zone: demo-serveur.fr
> ods-signerd: Run command: '/usr/lib/opendnssec/opendnssec/quicksorter -o demo-serveur.fr. -f /var/lib/opendnssec/unsigned/demo-serveur.fr -w /var/lib/opendnssec/tmp/demo-serveur.fr.sorted -m 3600 -t 3600'
> ods-signerd: Done sorting
> ods-signerd: Nseccing zone: demo-serveur.fr
> ods-signerd: No information yet for key 4b4c987253a6545d36f0600d5bbebd33
> ods-signerd: Generating DNSKEY RR for 4b4c987253a6545d36f0600d5bbebd33
> ods-signerd: Run command: '/usr/lib/opendnssec/opendnssec/get_class -f /var/lib/opendnssec/tmp/demo-serveur.fr.sorted'
> ods-signerd: create_dnskey stderr: Error initializing libhsm
> ods-signerd: create_dnskey status: 3
> ods-signerd: equality: False
> ods-signerd: Error: could not find key 4b4c987253a6545d36f0600d5bbebd33
>
> I could not find any information except "return(3)" after "hsm_open()"
> in the source code, and don't know what to check next.
> I don't understand why the enforcer was able to open the hsm (obviously
> the keys were created) but the signer was not. Do they not share the
> same conf.xml ?
>
> I am running Ubuntu 10.10 (the production server will hopefully be
> running a Debian but I don't have it yet).
>
> Any advice is welcome.
> Thanks !
>
> Laurent
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
