  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 848, in install
    dns.install(False, False, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line 345, in install
    dnskeysyncd.create_instance(api.env.host, api.env.realm)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 121, in create_instance
    self.start_creation()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 423, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 413, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 277, in __setup_replica_keys
    p11 = _ipap11helper.P11_Helper(softhsm_slot, pin, paths.LIBSOFTHSM2_SO)
  File "/usr/lib/python2.7/site-packages/ipaserver/p11helper.py", line 837, in __init__
    check_return_value(rv, "open session")
  File "/usr/lib/python2.7/site-packages/ipaserver/p11helper.py", line 576, in check_return_value
    raise Error(errmsg)
2017-02-20T14:07:09Z DEBUG The ipa-server-install command failed, exception: Error: Error at open session: 0x3
2017-02-20T14:07:09Z ERROR Error at open session: 0x3

Error: 0x3 means that an invalid slot was used

Note: softhsm is not released in Fedora, but it is in Ubuntu already. I tested on Fedora and it is failing in the same way as on Ubuntu
Metadata Update from @mbasti: - Issue assigned to someone - Issue set to the milestone: 0.0 NEEDS_TRIAGE
Metadata Update from @pvoborni: - Issue close_status updated to: None - Issue set to the milestone: None (was: 0.0 NEEDS_TRIAGE)
Did you find any workaround/solution to this issue, @mbasti? I'm faced with the same problem while installing FreeIPA 4.4.3 on Ubuntu Zesty (17.04)...
Not yet; the workaround is to downgrade to an older version of softhsm (2.1.0)
Metadata Update from @mbasti: - Issue assigned to mbasti (was: someone)
Seems that it doesn't work even with standard tools, so probably there is no issue in IPA code.

    # FreeIPA installed with DNS
    # softhsm 2.1.0
    export SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
    pkcs11-list -p 5Po2ILa3LMRVSNc6eoOxvJnDeN4kdl -s 0 -m /usr/lib64/pkcs11/libsofthsm2.so
    object[0]: handle 2 class 3 label[53] 'dnssec-replica:vm-126.example.com.' id[16] 0x0972b9b341a4fdf6... E:never
    object[1]: handle 3 class 2 label[53] 'dnssec-replica:vm-126.example.com.' id[16] 0x0972b9b341a4fdf6...

    # Upgrade to softhsm 2.2.0 on the same server, no changes to FreeIPA
    pkcs11-list -p 5Po2ILa3LMRVSNc6eoOxvJnDeN4kdl -s 0 -m /usr/lib64/pkcs11/libsofthsm2.so
    Unrecoverable error initializing PKCS#11: not found
    Unrecoverable error initializing PKCS#11: not found
    python2 /usr/lib/python2.*/site-packages/ipaserver/dnssec/localhsm.py
    ipaserver.p11helper.Error: Error at open session: 0x3
Opened SOFTHSM upstream issue https://github.com/opendnssec/SoftHSMv2/issues/298
Metadata Update from @mbasti: - Custom field external_tracker adjusted to https://github.com/opendnssec/SoftHSMv2/issues/298
It looks like this was a planned change, and now softhsm tokens don't keep slots with the same numbers; slots must be determined dynamically by using labels.
https://github.com/opendnssec/SoftHSMv2/pull/199
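Because slot numbers are no longer stable, a caller that hard-codes `-s 0` has to look the slot up by token label instead. The following is an added example, not part of the ticket or of FreeIPA's code: it resolves a slot ID from a label by parsing text in the layout printed by `softhsm2-util --show-slots`. The sample output, the label `ipaDNSSEC`, the slot values and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout printed by `softhsm2-util --show-slots`.
# The initialized token sits in a large, non-sequential slot; slot 1 is the
# spare uninitialized slot. Values are illustrative, not from the ticket.
SAMPLE_SHOW_SLOTS = """\
Available slots:
Slot 1441491278
    Slot info:
        Description:      SoftHSM slot ID 0x55eb694e
        Token present:    yes
    Token info:
        Initialized:      yes
        Label:            ipaDNSSEC
Slot 1
    Slot info:
        Description:      SoftHSM slot ID 0x1
        Token present:    yes
    Token info:
        Initialized:      no
        Label:
"""


def parse_slots(text):
    """Return {slot_id: {field: value}} from show-slots style output."""
    slots, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^Slot (\d+)\s*$", line)
        if header:
            current = slots.setdefault(int(header.group(1)), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return slots


def slot_for_label(text, label):
    """Resolve a token label to its slot ID; refuse missing or ambiguous labels."""
    matches = [sid for sid, info in parse_slots(text).items()
               if info.get("Initialized") == "yes" and info.get("Label") == label]
    if len(matches) != 1:
        raise LookupError("expected exactly one initialized token labelled %r, "
                          "found %d" % (label, len(matches)))
    return matches[0]


if __name__ == "__main__":
    print(slot_for_label(SAMPLE_SHOW_SLOTS, "ipaDNSSEC"))
```

Failing closed on zero or multiple matches matters here: picking the first slot that happens to exist would reproduce the invalid-slot error or open a session on the wrong token.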
Thanks @mbasti for your work on this - much appreciated :)
Metadata Update from @pvoborni: - Issue set to the milestone: FreeIPA 4.4.5
ipa-4-4:
ipa-4-5:
master:
Metadata Update from @mbasti: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)