#6692 ipa-dnskeysyncd: is failing with softhsm 2.2.0 (Error at open session: 0x3)
Closed: fixed 5 years ago Opened 5 years ago by mbasti.

  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 848, in install
    dns.install(False, False, options)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dns.py", line 345, in install
    dnskeysyncd.create_instance(api.env.host, api.env.realm)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 121, in create_instance
    self.start_creation()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 423, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 413, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 277, in __setup_replica_keys
    p11 = _ipap11helper.P11_Helper(softhsm_slot, pin, paths.LIBSOFTHSM2_SO)
  File "/usr/lib/python2.7/site-packages/ipaserver/p11helper.py", line 837, in __init__
    check_return_value(rv, "open session")
  File "/usr/lib/python2.7/site-packages/ipaserver/p11helper.py", line 576, in check_return_value
    raise Error(errmsg)

2017-02-20T14:07:09Z DEBUG The ipa-server-install command failed, exception: Error: Error at open session: 0x3

2017-02-20T14:07:09Z ERROR Error at open session: 0x3

Error 0x3 means that an invalid slot was used.

Note: softhsm is not released in Fedora yet, but it is in Ubuntu already. I tested on Fedora and it is failing in the same way as on Ubuntu.


Metadata Update from @mbasti:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

5 years ago

Metadata Update from @pvoborni:
- Issue close_status updated to: None
- Issue set to the milestone: None (was: 0.0 NEEDS_TRIAGE)

5 years ago

Did you find any workaround/solution to this issue @mbasti? I'm facing the same problem while installing FreeIPA 4.4.3 on Ubuntu Zesty (17.04)...

Not yet; the workaround is to downgrade to an older version of softhsm (2.1.0).

Metadata Update from @mbasti:
- Issue assigned to mbasti (was: someone)

5 years ago

It seems that it doesn't work even with standard tools, so probably there is no issue in the IPA code.

# FreeIPA installed with DNS
# softhsm 2.1.0
export SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf

pkcs11-list -p 5Po2ILa3LMRVSNc6eoOxvJnDeN4kdl -s 0 -m /usr/lib64/pkcs11/libsofthsm2.so
object[0]: handle 2 class 3 label[53] 'dnssec-replica:vm-126.example.com.' id[16] 0x0972b9b341a4fdf6... E:never
object[1]: handle 3 class 2 label[53] 'dnssec-replica:vm-126.example.com.' id[16] 0x0972b9b341a4fdf6...

# Upgrade to softhsm 2.2.0 on the same server, no changes to FreeIPA

pkcs11-list -p 5Po2ILa3LMRVSNc6eoOxvJnDeN4kdl -s 0 -m /usr/lib64/pkcs11/libsofthsm2.so
Unrecoverable error initializing PKCS#11: not found
Unrecoverable error initializing PKCS#11: not found

python2 /usr/lib/python2.*/site-packages/ipaserver/dnssec/localhsm.py
ipaserver.p11helper.Error: Error at open session: 0x3

Metadata Update from @mbasti:
- Custom field external_tracker adjusted to https://github.com/opendnssec/SoftHSMv2/issues/298

5 years ago

It looks like this was a planned change: softhsm tokens no longer keep slots with the same numbers, so slots must be determined dynamically by using labels.

https://github.com/opendnssec/SoftHSMv2/pull/199
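The label-based lookup that comment describes, as an added example (not FreeIPA's own code): a shell function that reads the output of `softhsm2-util --show-slots` and resolves the slot ID for a given token label, so the caller never hard-codes `-s 0`. The output layout ("Slot N" header followed by an indented "Label:" line) is assumed to be the SoftHSM 2.x format; the slot numbers and the `ipaDNSSEC` label in the embedded sample are constructed.

```shell
#!/bin/sh
# Resolve a SoftHSM slot ID from its token label instead of hard-coding slot 0.
# Reads `softhsm2-util --show-slots` output on stdin (SoftHSM 2.x layout, assumed),
# prints the first matching slot ID, and exits 1 when no token carries the label.
slot_for_label() {
    awk -v want="$1" '
        /^Slot [0-9]+$/ { slot = $2; next }          # remember the current slot header
        /^ *Label:/ {
            sub(/^ *Label:[ \t]*/, "");               # strip the key, keep the label text
            if ($0 == want) { print slot; found = 1; exit }
        }
        END { exit found ? 0 : 1 }                    # non-zero when the label is absent
    '
}

# Constructed sample of what SoftHSM 2.2 prints after the slot renumbering:
# the large numeric slot ID is made up, as SoftHSM now assigns IDs dynamically.
SAMPLE_SLOTS='Available slots:
Slot 1287431096
    Slot info:
        Description:      SoftHSM slot ID 0x4cbcb2b8
        Token present:    yes
    Token info:
        Initialized:      yes
        User PIN init.:   yes
        Label:            ipaDNSSEC
Slot 1
    Slot info:
        Description:      SoftHSM slot ID 0x1
        Token present:    no
'

# Look a label up in the constructed sample (used for offline checking).
sample_slot() {
    printf '%s' "$SAMPLE_SLOTS" | slot_for_label "$1"
}

# Live usage, assuming SOFTHSM2_CONF and the PIN are set up as in the comments above:
#   slot=$(softhsm2-util --show-slots | slot_for_label ipaDNSSEC) || exit 1
#   pkcs11-list -p "$PIN" -s "$slot" -m /usr/lib64/pkcs11/libsofthsm2.so
```

With the slot resolved this way, the same command keeps working across the 2.1.0 to 2.2.0 upgrade shown above, and a missing or mislabelled token fails loudly instead of opening the wrong slot.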

Thanks @mbasti for your work on this - much appreciated :)

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.4.5

5 years ago

ipa-4-4:

ipa-4-5:

master:

Metadata Update from @mbasti:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago
