Discussion:
[Opendnssec-user] ods-enforcerd: [engine] Initialization: CKR_GENERAL_ERROR
Alarig Le Lay
2017-12-04 15:23:04 UTC
Hi,

I’m trying to update to OpenDNSSEC 2.0.3 but I can’t start enforcerd
anymore.

Dec 4 15:46:31 morvan ods-enforcerd: [engine] running as pid 6227
Dec 4 15:46:31 morvan ods-enforcerd: [engine] enforcer started
Dec 4 15:46:31 morvan ods-enforcerd: [engine] Initialization: CKR_GENERAL_ERROR
Dec 4 15:46:31 morvan ods-enforcerd: [engine] enforcer shutdown
Dec 4 15:46:31 morvan ods-enforcerd: [engine] enforcerd (pid: 6227) stopped with exitcode 4

My configuration seems to be correct:

morvan ~ # ods-kaspcheck
INFO: The XML in /etc/opendnssec/conf.xml is valid
INFO: The XML in /etc/opendnssec/kasp.xml is valid
WARNING: In policy default, Y used in duration field for Keys/KSK Lifetime (P10Y) in /etc/opendnssec/kasp.xml - this will be interpreted as 365 days
WARNING: In policy lab, Y used in duration field for Keys/KSK Lifetime (P1Y) in /etc/opendnssec/kasp.xml - this will be interpreted as 365 days
INFO: The XML in /etc/opendnssec/zonelist.xml is valid

I followed
https://github.com/opendnssec/opendnssec/tree/develop/enforcer/utils/1.4-2.0_db_convert
to migrate the DB (I’m using SQLite).

And, the only match on the wiki is
https://wiki.opendnssec.org/display/OpenDNSSEC/2.0+%28Enforcer+NG%29+Documentation?preview=%2F2621764%2F3342421%2Fcmp140to200.txt

So, I’m wondering what is causing 'CKR_GENERAL_ERROR'.

Thanks,
--
alarig
Yuri Schaeffer
2017-12-04 15:46:04 UTC
Post by Alarig Le Lay
> Dec 4 15:46:31 morvan ods-enforcerd: [engine] running as pid 6227
> Dec 4 15:46:31 morvan ods-enforcerd: [engine] enforcer started
> Dec 4 15:46:31 morvan ods-enforcerd: [engine] Initialization: CKR_GENERAL_ERROR

It seems like the Enforcer can't properly connect to your HSM. Please
review the HSM settings in conf.xml. Also raise the verbosity for the
enforcer in that file when retrying.

If you are using SoftHSM consider that the HSM files might not be
writable for the user opendnssec runs on. The SoftHSM configuration will
allow for enabling more logging.

//Yuri
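
Added example, not part of the thread: a check for the file-permission cause described in the reply above, for SoftHSM v2's file-based token store. It assumes the token directory is the one set by `directories.tokendir` in softhsm2.conf and that it is run as the account the Enforcer runs under; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify that the SoftHSM v2 token directory named in a
# softhsm2.conf is readable and writable by the account running this script.
# Usage (path is an assumption): check_tokendir_access /etc/softhsm2.conf

# Print the value of directories.tokendir from the given config file.
softhsm_tokendir() {
    # Lines look like "directories.tokendir = /path"; the last one wins here.
    sed -n 's/^[[:space:]]*directories\.tokendir[[:space:]]*=[[:space:]]*\(.*\)/\1/p' "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Return 0 if the token directory and everything below it is accessible to
# the current user; otherwise print the offending paths and return 1.
check_tokendir_access() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read config: $conf"; return 1; }
    dir=$(softhsm_tokendir "$conf")
    [ -n "$dir" ] || { echo "no directories.tokendir in $conf"; return 1; }
    [ -d "$dir" ] || { echo "token directory missing: $dir"; return 1; }

    # Directories need r, w and x (to list and create entries); files need r and w.
    bad=$(find "$dir" -print | while IFS= read -r p; do
        if [ -d "$p" ]; then
            [ -r "$p" ] && [ -w "$p" ] && [ -x "$p" ] || echo "$p"
        else
            [ -r "$p" ] && [ -w "$p" ] || echo "$p"
        fi
    done)

    if [ -n "$bad" ]; then
        echo "not accessible for user $(id -un):"
        echo "$bad"
        return 1
    fi
    echo "ok: $dir is readable and writable for user $(id -un)"
    return 0
}
```

Run as root, the access tests always pass, so the result is only meaningful under the unprivileged service account.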
Alarig Le Lay
2017-12-20 18:54:51 UTC
Post by Yuri Schaeffer
> It seems like the Enforcer can't properly connect to your HSM. Please
> review the HSM settings in conf.xml. Also raise the verbosity for the
> enforcer in that file when retrying.
>
> If you are using SoftHSM consider that the HSM files might not be
> writable for the user opendnssec runs on. The SoftHSM configuration will
> allow for enabling more logging.

You were right, this was because of the migration from SoftHSM v1 to
v2.

But, there is no example or explanation of the migration between the
versions on
https://wiki.opendnssec.org/display/SoftHSMDOCS/SoftHSM+Documentation+v2
or on
https://wiki.opendnssec.org/display/SoftHSMDOCS/SoftHSM+Documentation+v1

I found the command by browsing the git repo.

Thanks for the hint,
--
alarig