Hi guys.
This is from a box which I recently updated - I mailed
the list earlier about the pki* rpm packages issue - but also,
for other reasons, I did a fresh installation of IPA/replica
on that box.
...
ipa-dnskeysync-replica: DEBUG master keys in local HSM: set()
ipa-dnskeysync-replica: DEBUG master keys in LDAP HSM:
{'0x89cb5ca422df63e9a', '0x4191a795f83cd3367607f'}
ipa-dnskeysync-replica: DEBUG new master keys in LDAP
HSM: {'0x89cb5d8ca422df63e9a', '0x4191a7953367607f'}
Traceback (most recent call last):
File "/usr/libexec/ipa/ipa-dnskeysync-replica", line 189,
in <module>
ldap2replica_master_keys_sync(ldapkeydb, localhsm)
File "/usr/libexec/ipa/ipa-dnskeysync-replica", line 90,
in ldap2replica_master_keys_sync
raise ValueError(
ValueError: Local HSM does not contain suitable unwrapping
key for master key 0x4191a795f83ade7634ec01cd3367607f
Traceback (most recent call last):
File "/usr/libexec/ipa/ipa-dnskeysyncd", line 113, in
<module>
while ldap_connection.syncrepl_poll(all=1,
msgid=ldap_search):
File
"/usr/lib64/python3.9/site-packages/ldap/syncrepl.py", line
465, in syncrepl_poll
self.syncrepl_refreshdone()
File
"/usr/lib/python3.9/site-packages/ipaserver/dnssec/keysyncer.py",
line 126, in syncrepl_refreshdone
self.hsm_replica_sync()
File
"/usr/lib/python3.9/site-packages/ipaserver/dnssec/keysyncer.py",
line 192, in hsm_replica_sync
ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
File
"/usr/lib/python3.9/site-packages/ipapython/ipautil.py",
line 598, in run
raise CalledProcessError(
ipapython.ipautil.CalledProcessError:
CalledProcessError(Command
['/usr/libexec/ipa/ipa-dnskeysync-replica'] returned
non-zero exit status 1: 'ipalib.plugable: DEBUG
...
DEBUG master keys in LDAP HSM: {\'0x89cb5d88042df63e9a\',
\'0x4191a795f83adecd3367607f\'}\nipa-dnskeysync-replica:
DEBUG new master keys in LDAP HSM:
{\'0x89cb5da422df63e9a\',
\'0x4191a795f83ade7634ec01cd3367607f\'}\nTraceback (most
recent call last):\n File
"/usr/libexec/ipa/ipa-dnskeysync-replica", line 189, in
<module>\n ldap2replica_master_keys_sync(ldapkeydb,
localhsm)\n File "/usr/libexec/ipa/ipa-dnskeysync-replica",
line 90, in ldap2replica_master_keys_sync\n raise
ValueError(\nValueError: Local HSM does not contain suitable
unwrapping key for master key 0x4191acd3367607f\n')
ipa-dnskeysyncd.service: Main process exited, code=exited,
status=1/FAILURE
...
The domain seems to function okay; IPA does not complain about
anything else except this 'ipa-dnskeysyncd.service'.
I wonder if it's this one box having newer versions of
relevant/related packages and the other masters need updates to
"fix" the issue, or perhaps doing those updates on the remaining
masters will make things worse..
or perhaps the nature of the problem is altogether different.
All advice is very welcome.
many thanks, L.