freebsd 13.1
opendnssec 2.1.10
softhsm 1.3.8

things running happily for months.  suddenly, i have logs full of

    Apr  9 21:22:12 rip ods-enforcerd[35513]: [hsm_key_factory_delete_key] looking for keys to purge from HSM
    Apr  9 21:22:15 rip ods-signerd[35519]: [hsm] unable to get key: key c6ab03c6ecd8ca4e9d57eae9ccc79a69 not found
    Apr  9 21:22:15 rip ods-signerd[35519]: [hsm] hsm_get_dnskey(): Got NULL key
    Apr  9 21:22:15 rip ods-signerd[35519]: [hsm] unable to get key: hsm failed to create dnskey
    Apr  9 21:22:15 rip ods-signerd[35519]: [zone] unable to prepare signing keys for zone 150.180.198.in-addr.arpa: error getting dnskey
    Apr  9 21:22:15 rip ods-signerd[35519]: [worker[1]] CRITICAL: failed to sign zone 150.180.198.in-addr.arpa: General error

so i duckduckwent and found
https://opendnssec-user.opendnssec.narkive.com/w52YSVrG/signer-does-not-find-a-key
which seems to suggest a home directory has changed?  really?

https://issues.opendnssec.org/browse/SUPPORT-278 does not enlighten me
much more; though maybe that's my fault.

reading
https://opendnssec-user.opendnssec.narkive.com/E5sZ0Wrt/missing-keys-and-various-other-problems-on-2-0
i tried

    # service opendnssec restart
    Stopping enforcer..
    Engine shut down.
    pid 35513
    Stopping signer engine...
    Engine shut down.pid 35519
    Starting enforcer...
    OpenDNSSEC key and signing policy enforcer version 2.1.10
    Engine running.
    Starting signer engine...
    OpenDNSSEC signer engine version 2.1.10
    Engine running.

https://www.mail-archive.com/opendnssec-user@lists.opendnssec.org/msg03958.html
and thread seem to say that restarting signerd should have worked.  we
have jokes about 'should' in my family.

rebooting the whole server did not help either.  sigh.

any more clues out there?

randy
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
