Good morning,

I have a test environment with ODS 1.4.6 and a Keyper HSM where signing zones was working until I decided to remove all keys and start from scratch. I:

- removed all keys with "ods-hsmutil purge"
- reinitialized the HSM
- removed the single zone I used to sign
- reinitialized the database ("ods-ksmutil setup")
- pregenerated new keys
- added a zone
- updated and restarted all services.

Everything seemed to work well, but the signer does not find one of the keys to sign the zone, more specifically the KSK. I went through the above process a few times, always ending with:
Dec 16 09:40:27 debugsigner002 ods-signerd: [hsm] unable to get key: key f81e4b2cb33eec780320b6ceeb6f6bb8 not found
Dec 16 09:40:27 debugsigner002 ods-signerd: [zone] unable to publish dnskeys for zone XXX: error creating dnskey
Dec 16 09:40:27 debugsigner002 ods-signerd: [tools] unable to read zone XXX: failed to publish dnskeys (General error)
Dec 16 09:40:27 debugsigner002 ods-signerd: [worker[4]] CRITICAL: failed to sign zone XXX: General error

The key exists in both the HSM and the database.

ods-hsmutil lists it:

root@debugsigner002:~# ods-hsmutil list | grep f81e4b2cb33eec780320b6ceeb6f6bb8
Keyper     f81e4b2cb33eec780320b6ceeb6f6bb8  RSA/2048

ods-ksmutil shows it:

root@debugsigner002:~# ods-ksmutil key list -v
Keys:
Zone:  Keytype:  State:   Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:
XXX    KSK       active   2016-01-16 09:49:45 (retire)   2048   8           f81e4b2cb33eec780320b6ceeb6f6bb8  Keyper       6061
XXX    ZSK       active   2015-04-18 22:40:55 (retire)   1024   8           d2aa0ba9af0f41429d23ea387abb836a  Keyper

External tools (dnssec-keyfromlabel) can use it as well. No other errors in the log.

Any ideas what's wrong? Suggestions what else to try?

Thanks,
Emil
_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
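The post's manual cross-check (grep the CKA_ID in `ods-hsmutil list`, read it off `ods-ksmutil key list -v`) can be done systematically for every key and per repository, which is what a practitioner would want before concluding that the key really is in the right place. The script below is an added example, not part of the original post and not an OpenDNSSEC tool; the function names (`hsm_ids`, `db_ids`, `set_diff`, `missing_in_hsm`, `orphaned_in_hsm`, `check_keys`) are this example's own, and both listings it parses are constructed sample text that mimics the two command outputs quoted above (the extra HSM key ID is made up). In a real environment you would feed it `"$(ods-hsmutil list)"` and `"$(ods-ksmutil key list -v)"` instead.

```shell
#!/bin/sh
# Added diagnostic (not part of OpenDNSSEC): cross-check the CKA_IDs the
# enforcer database references against the CKA_IDs the HSM actually holds,
# keyed on "repository:cka_id". The inputs are the plain-text outputs of the
# two listing commands quoted in the post; the samples below are constructed.

# Constructed sample of `ods-hsmutil list` output. Header and column widths
# are approximate; the parser only looks for 32-hex-digit IDs.
HSM_LIST='Listing keys in all repositories.
2 keys found.

Repository  ID                                Type
----------  --                                ----
Keyper      a1b2c3d4e5f60718293a4b5c6d7e8f90  RSA/2048
Keyper      d2aa0ba9af0f41429d23ea387abb836a  RSA/1024'

# Constructed sample of `ods-ksmutil key list -v` output, using the CKA_IDs
# from the post. The KSK row references an ID the sample HSM does not hold.
DB_LIST='Keys:
Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:
XXX KSK active 2016-01-16 09:49:45 (retire) 2048 8 f81e4b2cb33eec780320b6ceeb6f6bb8 Keyper 6061
XXX ZSK active 2015-04-18 22:40:55 (retire) 1024 8 d2aa0ba9af0f41429d23ea387abb836a Keyper'

# Emit "repository:cka_id" for each key row of `ods-hsmutil list`
# (the repository is the field before the ID). Output is sorted and unique.
hsm_ids() {
    printf '%s\n' "$1" | awk '
        length($2) == 32 && $2 ~ /^[0-9a-f]+$/ { print $1 ":" $2 }' | sort -u
}

# Emit "repository:cka_id" for each key row of `ods-ksmutil key list -v`
# (the repository is the field after the ID).
db_ids() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++)
              if (length($i) == 32 && $i ~ /^[0-9a-f]+$/) print $(i + 1) ":" $i }' | sort -u
}

# Print the lines of set B ($2) that do not occur in set A ($1); both are
# newline-separated strings. Matching on FILENAME rather than the usual
# NR == FNR idiom keeps this correct when A is empty (e.g. an empty HSM).
set_diff() {
    a=$(mktemp) && b=$(mktemp) || return 2
    printf '%s\n' "$1" > "$a"
    printf '%s\n' "$2" > "$b"
    awk 'FILENAME == ARGV[1] { seen[$0] = 1; next } NF && !($0 in seen)' "$a" "$b"
    rm -f "$a" "$b"
}

# Keys the enforcer will hand to the signer that the HSM cannot find: the
# situation behind "[hsm] unable to get key: key ... not found".
missing_in_hsm() { set_diff "$(hsm_ids "$1")" "$(db_ids "$2")"; }

# Keys present in the HSM that no enforcer record references (for example
# leftovers from an earlier key generation that survived a purge).
orphaned_in_hsm() { set_diff "$(db_ids "$2")" "$(hsm_ids "$1")"; }

# Exit 0 when database and HSM agree, 1 otherwise, printing the differences.
check_keys() {
    missing=$(missing_in_hsm "$1" "$2")
    orphans=$(orphaned_in_hsm "$1" "$2")
    [ -n "$missing" ] && printf 'in database, not in HSM: %s\n' "$missing"
    [ -n "$orphans" ] && printf 'in HSM, not in database: %s\n' "$orphans"
    [ -z "$missing" ] && [ -z "$orphans" ]
}

if check_keys "$HSM_LIST" "$DB_LIST"; then
    echo "enforcer database and HSM agree"
else
    echo "mismatch: the signer will fail on the keys listed above"
fi
```

The comparison is deliberately on repository name plus CKA_ID, not on the ID alone: the signer looks the key up in the repository named in the signconf, so a key that exists under a differently named repository (or a different PKCS#11 token) still yields "key not found" even though a bare grep for the ID succeeds.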
