Hello everyone! So, this probably originated with me experimenting with DNSSEC. Things didn’t really work out, so I disabled it following these instructions [1].
Now every couple of minutes I see in my logs ipa-dnskeysync-replica crash on both replicas:
replica1:
ipa-dnskeysync-replica: DEBUG Got TGT
ipa-dnskeysync-replica: DEBUG Connecting to LDAP
ipa-dnskeysync-replica: DEBUG Connected
ipapython.ipaldap: DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-HQ-MITTELAB-ORG.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fe957f6e8d0>
ipa-dnskeysync-replica: DEBUG master keys in local HSM: {'<hex code 1>'}
ipa-dnskeysync-replica: DEBUG master keys in LDAP HSM: {'<hex code 2>', '<hex code 1>'}
ipa-dnskeysync-replica: DEBUG new master keys in LDAP HSM: {'<hex code 2>'}
Traceback (most recent call last):
  File "/usr/libexec/ipa/ipa-dnskeysync-replica", line 181, in <module>
    ldap2replica_master_keys_sync(ldapkeydb, localhsm)
  File "/usr/libexec/ipa/ipa-dnskeysync-replica", line 90, in ldap2replica_master_keys_sync
    "for master key 0x%s" % str_hexlify(mkey_id)
ValueError: Local HSM does not contain suitable unwrapping key for master key <hex code 1>
Replica2:
ipa-dnskeysync-replica: DEBUG Got TGT
ipa-dnskeysync-replica: DEBUG Connecting to LDAP
ipa-dnskeysync-replica: DEBUG Connected
ipapython.ipaldap: DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-HQ-MITTELAB-ORG.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f7f3bc2f860>
ipa-dnskeysync-replica: DEBUG master keys in local HSM: {'<hex code 2>'}
ipa-dnskeysync-replica: DEBUG master keys in LDAP HSM: {'<hex code 1>', '<hex code 2>'}
ipa-dnskeysync-replica: DEBUG new master keys in LDAP HSM: {'<hex code 1>'}
Traceback (most recent call last):
  File "/usr/libexec/ipa/ipa-dnskeysync-replica", line 181, in <module>
    ldap2replica_master_keys_sync(ldapkeydb, localhsm)
  File "/usr/libexec/ipa/ipa-dnskeysync-replica", line 78, in ldap2replica_master_keys_sync
    str_hexlify(mkey_id)
ValueError: Master key <hex code 1> in LDAP is missing key material referenced by ipaSecretKeyRefObject attribute
Is this a leftover from the DNSSEC configuration? Can I clean that out?
Thanks, Aljaž
[1]: https://www.freeipa.org/page/Howto/DNSSEC#Disable_current_DNSSEC_key_master
--
Aljaž Srebrnič a.k.a g5pw
My public key: https://g5pw.me/key
Key fingerprint = 2109 8131 60CA 01AF 75EC 01BF E140 E1EE A54E E677
freeipa-users@lists.fedorahosted.org
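A small triage script for the situation above, added here as an example (it is not from the post and not part of FreeIPA): it parses the "master keys in local/LDAP HSM" debug lines from each replica's ipa-dnskeysync-replica output and reports which LDAP master keys each replica cannot unwrap locally, and which keys (if any) are held by no replica at all and are therefore pure leftovers in LDAP. The log excerpts and key IDs are constructed placeholders.

```python
import re

# Constructed sample excerpts modelled on the two replicas in the post;
# KEY1/KEY2 are placeholders, not IDs from any real deployment.
LOGS = {
    "replica1": """\
ipa-dnskeysync-replica: DEBUG master keys in local HSM: {'KEY1'}
ipa-dnskeysync-replica: DEBUG master keys in LDAP HSM: {'KEY2', 'KEY1'}
ipa-dnskeysync-replica: DEBUG new master keys in LDAP HSM: {'KEY2'}
ValueError: Local HSM does not contain suitable unwrapping key for master key KEY1
""",
    "replica2": """\
ipa-dnskeysync-replica: DEBUG master keys in local HSM: {'KEY2'}
ipa-dnskeysync-replica: DEBUG master keys in LDAP HSM: {'KEY1', 'KEY2'}
ipa-dnskeysync-replica: DEBUG new master keys in LDAP HSM: {'KEY1'}
ValueError: Master key KEY1 in LDAP is missing key material referenced by ipaSecretKeyRefObject attribute
""",
}

SET_LINE = re.compile(r"(new )?master keys in (local|LDAP) HSM: \{([^}]*)\}")
# Tolerate the curly quote that mail clients substitute for a plain apostrophe.
QUOTED = re.compile("['\"\u2019]([^'\"\u2019]+)['\"\u2019]")


def parse_key_sets(log):
    """Extract the local / LDAP / new master-key ID sets and the final error from one replica's log."""
    sets = {"local": set(), "ldap": set(), "new": set()}
    for line in log.splitlines():
        m = SET_LINE.search(line)
        if m:
            kind = "new" if m.group(1) else m.group(2).lower()
            sets[kind] = set(QUOTED.findall(m.group(3)))
    err = re.search(r"ValueError: (.*)", log)
    sets["error"] = err.group(1).strip() if err else None
    return sets


def diagnose(logs):
    """Per replica: LDAP master keys it lacks locally; globally: keys no replica can unwrap."""
    parsed = {name: parse_key_sets(log) for name, log in logs.items()}
    ldap_keys = set().union(*(p["ldap"] for p in parsed.values()))
    held_somewhere = set().union(*(p["local"] for p in parsed.values()))
    report = {name: {"missing_locally": sorted(p["ldap"] - p["local"]), "error": p["error"]}
              for name, p in parsed.items()}
    report["orphaned_in_ldap"] = sorted(ldap_keys - held_somewhere)  # true leftovers
    return report


if __name__ == "__main__":
    for name, info in diagnose(LOGS).items():
        print(name, info)
```

Feed it the real journal output of each replica; a key listed under orphaned_in_ldap exists only in LDAP and cannot be unwrapped anywhere, while a key missing on one replica but present on another points at an incomplete key sync rather than a stale entry.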