<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 26/10/14 21:39, John Obaterspok
wrote:<br>
</div>
<blockquote
cite="mid:CAOscVdJbWH9M_eyNarX4yvbbOKu1gH6Pgyyw6kjSYC+FZpoArg@mail.gmail.com"
type="cite">
<div dir="ltr">Hi,
<div><br>
</div>
<div>I enabled mkosek-freeipa repo for F20 and updated
freeipa-server from 3.3.5 to 4.1. The yum update reported just
a single error:</div>
<div><br>
</div>
<div>Could not load host key: /etc/ssh/ssh_host_dsa_key</div>
<div><br>
</div>
<div>After reboot I had 3 services that failed to start:</div>
<div>ipa, kadmin, named-pkcs11<br>
</div>
<div><br>
</div>
<div>Doing "strace -f named-pkcs11 -u named -f -g" I can see:</div>
<div>
<div> "/var/lib/softhsm/tokens/" => -1 EACCES (Permission
denied)</div>
<div> initializing DST: PKCS#11 initialization failed</div>
<div> exiting (due to fatal error)</div>
<div><br>
</div>
</div>
<div><br>
</div>
<div>For kadmin the error is due to not being able to connect to
sldap</div>
<div><br>
</div>
<div>I noticed that softhsm2-util --show-slots reported "ERROR:
Could not initialize the library." But that seemed to be
because wasn't part of the update. After that I could show
the default slot and then I manually called the following (as
root):</div>
<div><br>
</div>
<div>"/usr/bin/softhsm2-util --init-token --slot 0 --label
ipaDNSSEC --pin XXXXXXXX --so-pin XXXXXXXX"<br>
</div>
<div><br>
</div>
<div>But the problems won't go away. Any clues?</div>
<div><br>
</div>
<div>-- john</div>
<div><br>
</div>
<div><br>
</div>
</div>
<br>
<br>
</blockquote>
Hello, <br>
<br>
1)<br>
can you share your /var/log/ipaupgrade.log ?<br>
<br>
2)<br>
your issue with softhsm can be caused by a missing environment variable<br>
IPA internally uses <br>
<br>
SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
<br>
please try SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf softhsm2-util
--show-slots, and let me know if it works<br>
<br>
same with named-pkcs11,<br>
<br>
3)<br>
can you share journalctl -u named-pkcs11 output?<br>
<br>
4)<br>
I'm not aware that we need krb5-libs/openssl. I was getting this
error if the tokens directory doesn't exist, but IPA uses its own
configuration (see 2), not the default.<br>
<br>
Martin^2<br>
<pre class="moz-signature" cols="72">--
Martin Basti</pre>
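<p>An added example, not part of either message: a small check that reads the token directory out of a given softhsm2.conf (SoftHSM's <code>directories.tokendir</code> key) and reports whether it is missing or inaccessible, the two causes discussed in points 2 and 4 of the reply. The function names and status words are hypothetical, chosen for this example.</p>

```shell
#!/bin/sh
# Added example, not from the thread: report which token directory a given
# softhsm2.conf points at and whether the current user can open it.

# Print the value of directories.tokendir from the config file in $1.
# If the key appears more than once the last one is printed (an assumption
# about how SoftHSM treats repeats). Paths containing spaces are not handled.
softhsm_tokendir() {
    sed -n 's/^[[:space:]]*directories\.tokendir[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*$/\1/p' "$1" | tail -n 1
}

# Print one status word for the config in $1 (default: $SOFTHSM2_CONF):
#   no-conf          config path unset or unreadable
#   no-tokendir-key  config has no directories.tokendir line
#   missing          token directory does not exist
#   denied           directory exists but this user cannot read/search it
#   ok               directory exists and can be opened
check_softhsm_conf() {
    conf=${1:-${SOFTHSM2_CONF:-}}
    if [ -z "$conf" ] || [ ! -r "$conf" ]; then echo no-conf; return 1; fi
    dir=$(softhsm_tokendir "$conf")
    if [ -z "$dir" ]; then echo no-tokendir-key; return 1; fi
    if [ ! -d "$dir" ]; then echo missing; return 1; fi
    if [ -r "$dir" ] && [ -x "$dir" ]; then
        echo ok; return 0
    fi
    echo denied; return 1
}

# Stand-alone use: sh check.sh /etc/ipa/dnssec/softhsm2.conf
if [ "$#" -gt 0 ]; then
    check_softhsm_conf "$1"
fi
```

<p>Run it as the account the daemon runs under (<code>named</code> in the strace command above), because root passes the read and search tests regardless of the directory's mode bits.</p>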
</body>
</html>