<div dir="ltr">Hello Martin,<div><br></div><div>Still no go.</div><div><br></div><div>I installed the softhsm-devel package (that only contains header files), removed the token directory, reinstalled the bind & bind-pkcs11, did ipa-dns-install that completed ok (I guess):</div><div><br></div><div><div>To accept the default shown in brackets, press the Enter key.</div><div><br></div><div>Existing BIND configuration detected, overwrite? [no]: yes</div><div>Directory Manager password:</div></div><div><br></div><div># ipa-upgradeconfig</div><div>[Verifying that root certificate is published]</div><div><b><font color="#cc0000">Failed to backup CS.cfg: no magic attribute 'dogtag'</font></b></div><div>[Migrate CRL publish directory]</div><div>CRL tree already moved</div><div>[Verifying that CA proxy configuration is correct]</div><div>[Verifying that KDC configuration is using ipa-kdb backend]</div><div>[Fixing trust flags in /etc/httpd/alias]</div><div>Trust flags already processed</div><div>[Fix DS schema file syntax]</div><div>Syntax already fixed</div><div>[Removing RA cert from DS NSS database]</div><div>RA cert already removed</div><div>[Removing self-signed CA]</div><div>[Checking for deprecated KDC configuration files]</div><div>[Checking for deprecated backups of Samba configuration files]</div><div>[Setting up Firefox extension]</div><div>[Add missing CA DNS records]</div><div>IPA CA DNS records already processed</div><div>[Removing deprecated DNS configuration options]</div><div>[Ensuring minimal number of connections]</div><div>[Enabling serial autoincrement in DNS]</div><div>[Updating GSSAPI configuration in DNS]</div><div>[Updating pid-file configuration in DNS]</div><div>[Masking named]</div><div>Changes to named.conf have been made, restart named</div><div><b><font color="#cc0000">Failed to restart named: Command ''/bin/systemctl' 'restart' 'named-pkcs11.service'' returned non-zero exit status 1</font></b></div><div>[Verifying that CA service certificate 
profile is updated]</div><div>[Update certmonger certificate renewal configuration to version 2]</div><div>[Enable PKIX certificate path discovery and validation]</div><div>PKIX already enabled</div><div>The ipa-upgradeconfig command was successful</div><div><br></div><div><br></div><div># systemctl restart named-pkcs11 && journalctl -xn</div><div><div>19:38:54 named-pkcs11[838]: ObjectStore.cpp(59): Failed to enumerate object store in /var/lib/ipa/dnssec/tokens</div><div>19:38:54 named-pkcs11[838]: SoftHSM.cpp(437): Could not load the object store</div><div>19:38:54 named-pkcs11[838]: initializing DST: PKCS#11 initialization failed</div><div>19:38:54 named-pkcs11[838]: exiting (due to fatal error)</div><div>19:38:54 systemd[1]: named-pkcs11.service: control process exited, code=exited status=1</div><div>19:38:54 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.</div></div><div><br></div><div><br></div><div>It seems the problem is now there are no tokens:</div><div><div># ll /var/lib/ipa/dnssec/</div><div>total 4.0K</div><div>-rwxrwx---. 1 ods named 30 Oct 26 10:35 softhsm_pin</div></div><div><br></div><div>Any ideas?</div><div><br></div><div>-- john</div></div><div class="gmail_extra"><br><div class="gmail_quote">2014-10-27 19:05 GMT+01:00 Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><div><div class="h5">
    <div>On 27/10/14 18:53, John Obaterspok
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr"><br>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">2014-10-27 12:19 GMT+01:00 Martin
            Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000"><span>
                  <div>On 26/10/14 21:39, John Obaterspok wrote:<br>
                  </div>
                </span>
                <blockquote type="cite">
                  <div dir="ltr"><span>Hi,
                      <div><br>
                      </div>
                      <div>I enabled mkosek-freeipa repo for F20 and
                        updated freeipa-server from 3.3.5 to 4.1. The
                        yum update reported just a single error:</div>
                      <div><br>
                      </div>
                      <div>Could not load host key:
                        /etc/ssh/ssh_host_dsa_key</div>
                      <div><br>
                      </div>
                      <div>After reboot I had 3 services that failed to
                        start:</div>
                      <div>ipa, kadmin, named-pkcs11<br>
                      </div>
                      <div><br>
                      </div>
                      <div>Doing "strace -f named-pkcs11 -u named -f -g"
                        I can see:</div>
                      <div>
                        <div>   "/var/lib/softhsm/tokens/" => -1
                          EACCES (Permission denied)</div>
                        <div>   initializing DST: PKCS#11 initialization
                          failed</div>
                        <div>   exiting (due to fatal error)</div>
                        <div><br>
                        </div>
                      </div>
                      <div><br>
                      </div>
                      <div>For kadmin the error is due to not being able
                        to connect to sldap</div>
                      <div><br>
                      </div>
                    </span>
                    <div>I noticed that softhsm2-util --show-slots
                      reported "ERROR: Could not initialize the
                      library." But that seemed to be because   wasn't
                      part of the update. After that I could show the
                      default slot and then I manually called the following
                      (as root):</div>
                    <span>
                      <div><br>
                      </div>
                      <div>"/usr/bin/softhsm2-util --init-token --slot 0
                        --label ipaDNSSEC --pin XXXXXXXX --so-pin
                        XXXXXXXX"<br>
                      </div>
                      <div><br>
                      </div>
                      <div>But the problems won't go away. Any clues?</div>
                      <div><br>
                      </div>
                      <div>-- john</div>
                      <div><br>
                      </div>
                      <div><br>
                      </div>
                    </span></div>
                  <br>
                  <br>
                </blockquote>
                Hello, <br>
                <br>
                1)<br>
                can you share your /var/log/ipaupgrade.log ?<br>
              </div>
            </blockquote>
            <div><br>
            </div>
            <div>Unfortunately I removed the original ipaupgrade.log file
              when I retried installing freeipa-server. The current
              ipaupgrade.log has two errors:</div>
            <div>First)</div>
            <div><br>
            </div>
            <div>
              <div>2014-10-26T12:45:15Z DEBUG Live 1, updated 1</div>
              <div>2014-10-26T12:45:15Z DEBUG Unhandled LDAPError:
                OPERATIONS_ERROR: {'desc': 'Operations error'}</div>
              <div>2014-10-26T12:45:15Z ERROR Update failed: Operations
                error:</div>
              <div>2014-10-26T12:45:15Z INFO Updating existing entry:
                cn=MemberOf Plugin,cn=plugins,cn=config</div>
              <div>2014-10-26T12:45:15Z DEBUG
                ---------------------------------------------</div>
            </div>
          </div>
        </div>
      </div>
    </blockquote></div></div>
    Is there some information about the entry which is updated above?<div><div class="h5"><br>
    <blockquote type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <div><br>
            </div>
            <div>Second) It complains about not being able to start
              named-pkcs11 service.</div>
            <div> </div>
            <div> </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000"> 2)<br>
                your issue with softhsm can be caused by a missing
                environment variable.<br>
                IPA internally uses <br>
                <br>
                SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf <br>
                please try SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
                softhsm2-util --show-slots, and let me know if it works<br>
                <br>
                same with named-pkcs11,<br>
                <br>
              </div>
            </blockquote>
            <div><br>
            </div>
            <div>The timestamps for softhsm_pin & tokens match the
              time I did the original update</div>
            <div><br>
            </div>
            <div>
              <div># ll /var/lib/ipa/dnssec/</div>
              <div>-rwxrwx---. 1 ods named   30 Oct 26 10:35 softhsm_pin</div>
              <div>drwxrws---. 2 ods named 4.0K Oct 26 10:35 tokens</div>
              <div><br>
              </div>
              <div># ll /var/lib/ipa/dnssec/tokens/</div>
              <div>total 0</div>
              <div><br>
              </div>
              <div># SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
                softhsm2-util --show-slots</div>
              <div>Available slots:</div>
              <div>Slot 0</div>
              <div>    Slot info:</div>
              <div>        Description:      SoftHSM slot 0</div>
              <div>        Manufacturer ID:  SoftHSM project</div>
              <div>        Hardware version: 2.0</div>
              <div>        Firmware version: 2.0</div>
              <div>        Token present:    yes</div>
              <div>    Token info:</div>
              <div>        Manufacturer ID:  SoftHSM project</div>
              <div>        Model:            SoftHSM v2</div>
              <div>        Hardware version: 2.0</div>
              <div>        Firmware version: 2.0</div>
              <div>        Serial number:</div>
              <div>        Initialized:      no</div>
              <div>        User PIN init.:   no</div>
              <div>        Label:</div>
            </div>
          </div>
        </div>
      </div>
    </blockquote></div></div>
    Slot was not initialized by IPA<span class=""><br>
    <blockquote type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <div><br>
            </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000"> 3)<br>
                can you share journalctl -u named-pkcs11 output?<br>
              </div>
            </blockquote>
            <div><br>
            </div>
            <div>
              <div>10:35:48 systemd[1]: named-pkcs11.service: control
                process exited, code=exited status=1</div>
              <div>10:35:48 systemd[1]: Failed to start Berkeley
                Internet Name Domain (DNS) with native PKCS#11.</div>
              <div>10:35:48 systemd[1]: Unit named-pkcs11.service
                entered failed state.</div>
              <div>10:35:48 systemd[1]: Stopped Berkeley Internet Name
                Domain (DNS) with native PKCS#11.</div>
              <div>-- Reboot --</div>
              <div>10:58:05 named-pkcs11[1496]: initializing DST: no
                PKCS#11 provider</div>
              <div>10:58:05 named-pkcs11[1496]: exiting (due to fatal
                error)</div>
              <div>10:58:05 systemd[1]: named-pkcs11.service: control
                process exited, code=exited status=1</div>
              <div>10:58:05 systemd[1]: Failed to start Berkeley
                Internet Name Domain (DNS) with native PKCS#11.</div>
              <div>10:58:05 systemd[1]: Unit named-pkcs11.service
                entered failed state.</div>
              <div>10:58:05 systemd[1]: Stopped Berkeley Internet Name
                Domain (DNS) with native PKCS#11.</div>
              <div><br>
              </div>
              <div>... After some fiddling a restart says this:</div>
              <div><br>
              </div>
              <div>19:26:21 named-pkcs11[8807]: sha1.c:92: fatal error:</div>
              <div>19:26:21 named-pkcs11[8807]:
                RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST,
                isc_boolean_true, isc_boolean_false, isc_bo</div>
              <div>19:26:21 named-pkcs11[8807]: exiting (due to fatal
                error in library)</div>
              <div>19:26:21 systemd[1]: named-pkcs11.service: control
                process exited, code=exited status=1</div>
              <div>19:26:21 systemd[1]: Failed to start Berkeley
                Internet Name Domain (DNS) with native PKCS#11.</div>
              <div>19:26:21 systemd[1]: Unit named-pkcs11.service
                entered failed state. </div>
            </div>
            <div><br>
            </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000"> 4)<br>
                I'm not aware that we need krb5-libs/openssl. I was
                getting this error if the tokens directory doesn't exist,
                but IPA uses its own configuration (see 2), not the default.<br>
              </div>
            </blockquote>
            <div><br>
            </div>
            <div> ok</div>
          </div>
        </div>
      </div>
    </blockquote>
    <br></span>
    I took a deeper look, and I found some packaging errors with
    softhsm.<br>
    You were right about the missing dependency.<br>
    <br>
    Please install the softhsm-devel package, remove the
    /var/lib/ipa/dnssec/tokens directory, then reinstall DNS with
    ipa-dns-install (requires a running directory server)<br>
    <br>
    Or if you have a snapshot, install softhsm-devel before upgrading IPA<br>
    <br>
    HTH<br>
    Martin^2<span class="HOEnZb"><font color="#888888"><br>
    <br>
    <pre cols="72">-- 
Martin Basti</pre>
  </font></span></div>

</blockquote></div><br></div>
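The exchange above boils down to two checks before named-pkcs11 is restarted: does the tokens directory IPA expects exist and contain anything, and does SoftHSM, queried through IPA's own SOFTHSM2_CONF rather than the packaged default, report slot 0 as initialized? The script below is an added example, not part of this thread or of FreeIPA, that turns those two checks into a preflight. It assumes the paths quoted in the thread (/etc/ipa/dnssec/softhsm2.conf and /var/lib/ipa/dnssec/tokens), exercises its parser on constructed samples of `softhsm2-util --show-slots` output, and only touches the real token store when RUN_LIVE=1 is set and softhsm2-util is installed.

```shell
#!/bin/sh
# Added diagnostic for the named-pkcs11 / SoftHSM failure discussed in the
# thread; not part of FreeIPA or of the mailing-list posts. Assumptions
# (taken from the thread):
#   - IPA runs SoftHSM with SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf
#   - the token store is /var/lib/ipa/dnssec/tokens (owner ods:named)
# Everything except check_live runs offline on constructed sample output.

IPA_SOFTHSM_CONF="${IPA_SOFTHSM_CONF:-/etc/ipa/dnssec/softhsm2.conf}"
IPA_TOKEN_DIR="${IPA_TOKEN_DIR:-/var/lib/ipa/dnssec/tokens}"

# token_state: reads `softhsm2-util --show-slots` output on stdin and prints
# one word for slot 0: absent (no token present), uninitialized (the state
# John posted, which makes named-pkcs11 fail in DST initialization) or
# initialized. Exit status is 0 only for "initialized".
token_state() {
    awk '
        /^ *Token present:/ && !p_seen { present = ($NF == "yes"); p_seen = 1 }
        /^ *Initialized:/   && !i_seen { init    = ($NF == "yes"); i_seen = 1 }
        END {
            if (!present) { print "absent";        exit 2 }
            if (!init)    { print "uninitialized"; exit 1 }
            print "initialized"; exit 0
        }'
}

# token_dir_state DIR: the two broken states seen in the thread are a tokens
# directory that exists but is empty (ipa-dns-install never initialized the
# token) and one that is missing altogether (removed by hand). Prints the
# state; returns 0 only when the directory exists and has content.
token_dir_state() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "missing"; return 1
    fi
    if [ -z "$(ls -A "$dir")" ]; then
        echo "empty"; return 1
    fi
    echo "populated"; return 0
}

# check_live: query the real store the way IPA does, i.e. with IPA's own
# SOFTHSM2_CONF instead of the packaged default, which is the mistake the
# thread warns about when softhsm2-util is run without that variable.
check_live() {
    if ! command -v softhsm2-util >/dev/null 2>&1; then
        echo "softhsm2-util not installed"; return 2
    fi
    echo "token dir $IPA_TOKEN_DIR: $(token_dir_state "$IPA_TOKEN_DIR")"
    SOFTHSM2_CONF="$IPA_SOFTHSM_CONF" softhsm2-util --show-slots | token_state
}

# Constructed sample: the output John posted (token present, never initialized).
SAMPLE_UNINITIALIZED='Available slots:
Slot 0
    Slot info:
        Description:      SoftHSM slot 0
        Token present:    yes
    Token info:
        Model:            SoftHSM v2
        Initialized:      no
        User PIN init.:   no
        Label:'

# Constructed sample: what a usable IPA token should report (the label
# ipaDNSSEC is the one John used when initializing a token by hand).
SAMPLE_INITIALIZED='Available slots:
Slot 0
    Slot info:
        Token present:    yes
    Token info:
        Initialized:      yes
        User PIN init.:   yes
        Label:            ipaDNSSEC'

# state_of_sample NAME: run the parser over one of the embedded samples.
state_of_sample() {
    case $1 in
        uninitialized) printf '%s\n' "$SAMPLE_UNINITIALIZED" | token_state ;;
        initialized)   printf '%s\n' "$SAMPLE_INITIALIZED"   | token_state ;;
        *)             printf '' | token_state ;;
    esac
}

# Set RUN_LIVE=1 on an IPA server to inspect the real SoftHSM store.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    check_live
else
    echo "sample (uninitialized): $(state_of_sample uninitialized)"
    echo "sample (initialized):   $(state_of_sample initialized)"
fi
```

Run it as root on the IPA server with `RUN_LIVE=1 sh check_softhsm.sh` (the file name is hypothetical). A result of `missing`, `empty` or `uninitialized` matches the states seen in the thread and means ipa-dns-install has not (re)created the token, so restarting named-pkcs11 will fail the same way until that is fixed.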