On 4/7/20 10:47 AM, PASZTOR Miklos via Opendnssec-user wrote:
> I am using OpenDNSSEC 2.1.3 with debian buster.
>
> There are some error messages, which I really do not understand. The following
> two types of message sequences appear frequently:
>
> 1.
> Mar 31 12:33:16 node ods-signerd[20149]: [hsm] unable to get key: key 8af4eb7fc6fd24ab45f87a1e485f00e1 not found
> Mar 31 12:33:16 node ods-signerd[20149]: [hsm] error signing rrset with libhsm
> Mar 31 12:33:16 node ods-signerd[20149]: [rrset] unable to sign RRset[2]: lhsm_sign() failed
> Mar 31 12:33:16 node ods-signerd[20149]: [worker[3]] sign zone example.hu failed: 3 RRsets failed
> Mar 31 12:33:16 node ods-signerd[20149]: [worker[3]] CRITICAL: failed to sign zone example.hu: General error
>
> The key in question is in softhsm, and is visible with 'ods-hsmutil list'. When
> this happens the zone is not signed. However after a minute the signer retries
> the operation, apparently finds the key, and signs the zone with success.
>
> 2.
> Mar 31 14:36:09 node ods-signerd[20149]: [worker[1]] CRITICAL: failed to sign zone example.hu: All OK
>
> It seems that besides these error messages zones are signed properly.
>
> Could someone please explain?
> TIA.

Most of the time, this is due to permission problems. You might see the key with ods-hsmutil, however you might run this command as a different user (e.g. root), while OpenDNSSEC is running as a separate user (either started by a different user, or a User and/or Group is specified in the configuration to run as). This typically leads to not being able to find the key. OpenDNSSEC cannot see the permission set of the files.

\Berry
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
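
One way to check for the user mismatch described in the reply above, as an added example that is not part of the thread or of OpenDNSSEC: it reads the signer's configured User and Group from conf.xml and lists token files that identity cannot read. The function names, the sample conf.xml fragment and the two command-line paths are assumptions; only owner/group/other mode bits below the given directory are examined (no ACLs, supplementary groups or parent directories).

```python
import grp, os, pwd, sys
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of conf.xml (not from the thread).
SAMPLE_CONF = """<Configuration><Signer><Privileges>
<User>opendnssec</User><Group>opendnssec</Group>
</Privileges></Signer></Configuration>"""

def signer_identity(conf_xml):
    """Return (user, group) from <Signer><Privileges>; None where unset."""
    priv = ET.fromstring(conf_xml).find("./Signer/Privileges")
    if priv is None:
        return (None, None)
    return (priv.findtext("User"), priv.findtext("Group"))

def ids_for(user, group):
    """Resolve names to (uid, {gid}); falls back to the user's primary group."""
    pw = pwd.getpwnam(user)
    return pw.pw_uid, {grp.getgrnam(group).gr_gid if group else pw.pw_gid}

def allowed(st, uid, gids, want):
    """Classic owner/group/other mode-bit test for the wanted permission bits."""
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & want) == want

def blocked_paths(token_dir, uid, gids):
    """List directories (need r-x) and files (need r) that uid cannot use."""
    bad = []
    for d, _, files in os.walk(token_dir):
        if not allowed(os.stat(d), uid, gids, 0o5):
            bad.append(d)
        bad += [p for p in (os.path.join(d, f) for f in files)
                if not allowed(os.stat(p), uid, gids, 0o4)]
    return sorted(bad)

if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: check.py /path/to/conf.xml /path/to/softhsm/token/dir
    user, group = signer_identity(open(sys.argv[1]).read())
    # With no <Privileges>, the daemon keeps the identity of whoever started it.
    uid, gids = ids_for(user, group) if user else (os.getuid(), {os.getgid()})
    print("\n".join(blocked_paths(sys.argv[2], uid, gids)) or "no mode-bit problems")
```

Run it as root so every token file can be stat'ed; an empty result rules out plain mode-bit problems for the configured signer identity.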
