initially our main FreeIPA has been installed with DNSSEC but at the moment I have issues with it as the ipa-ods-exporter is failing. I've tried the following:
- ipa-dns-install --no-dnssec-validation - at the moment this is exiting with the following errors in 6/7 step - creating replica keys
2023-11-06T12:07:32Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 686, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.9/site-packages/ipaserver/install/service.py", line 672, in run_step
method()
File "/usr/lib/python3.9/site-packages/ipaserver/install/dnskeysyncinstance.py", line 320, in __setup_replica_keys
p11 = _ipap11helper.P11_Helper(
File "/usr/lib/python3.9/site-packages/ipaserver/p11helper.py", line 882, in __init__
check_return_value(rv, "log in")
File "/usr/lib/python3.9/site-packages/ipaserver/p11helper.py", line 609, in check_return_value
raise Error(errmsg)
ipaserver.p11helper.Error: Error at log in: 0xa0
- ipa-dns-install --dnssec-master --kasp-db /var/opendnssec/kasp.db - this commands fails with
2023-11-06T12:15:28Z DEBUG stderr=ipa-dnskeysync-replica: INFO To increase debugging set debug=True in dns.conf See default.conf(5) for details
Traceback (most recent call last):
File "/usr/libexec/ipa/ipa-dnskeysync-replica", line 179, in <module>
localhsm = LocalHSM(
File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/localhsm.py", line 96, in __init__
self.p11 = _ipap11helper.P11_Helper(label, pin, library)
File "/usr/lib/python3.9/site-packages/ipaserver/p11helper.py", line 882, in __init__
check_return_value(rv, "log in")
File "/usr/lib/python3.9/site-packages/ipaserver/p11helper.py", line 609, in check_return_value
raise Error(errmsg)
ipaserver.p11helper.Error: Error at log in: 0xa0
Exception ignored in: <function LocalHSM.__del__ at 0x7fef464364c0>
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/localhsm.py", line 99, in __del__
self.p11.finalize()
AttributeError: 'LocalHSM' object has no attribute 'p11'
Can someone advice how to regenerate everything from scratch so DNSSEC is again available for the configured zones
Best Regards