Hi guys. This is from a box which I recently updated - I mailed earliel the list about pki* rpm packages issue - but also, for other reasons, I did fresh installation of IPA/replica on that box. ... ipa-dnskeysync-replica: DEBUG    master keys in local HSM: set() ipa-dnskeysync-replica: DEBUG    master keys in LDAP HSM: {'0x89cb5ca422df63e9a', '0x4191a795f83cd3367607f'} ipa-dnskeysync-replica: DEBUG    new master keys in LDAP HSM: {'0x89cb5d8ca422df63e9a', '0x4191a7953367607f'} Traceback (most recent call last):   File "/usr/libexec/ipa/ipa-dnskeysync-replica", line 189, in <module>     ldap2replica_master_keys_sync(ldapkeydb, localhsm)   File "/usr/libexec/ipa/ipa-dnskeysync-replica", line 90, in ldap2replica_master_keys_sync     raise ValueError( ValueError: Local HSM does not contain suitable unwrapping key for master key 0x4191a795f83ade7634ec01cd3367607f Traceback (most recent call last):   File "/usr/libexec/ipa/ipa-dnskeysyncd", line 113, in <module>     while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):   File "/usr/lib64/python3.9/site-packages/ldap/syncrepl.py", line 465, in syncrepl_poll     self.syncrepl_refreshdone()   File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/keysyncer.py", line 126, in syncrepl_refreshdone     self.hsm_replica_sync()   File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/keysyncer.py", line 192, in hsm_replica_sync     ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])   File "/usr/lib/python3.9/site-packages/ipapython/ipautil.py", line 598, in run     raise CalledProcessError( ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/libexec/ipa/ipa-dnskeysync-replica'] returned non-zero exit status 1: 'ipalib.plugable: DEBUG ... DEBUG    master keys in LDAP HSM: {\'0x89cb5d88042df63e9a\', \'0x4191a795f83adecd3367607f\'}\nipa-dnskeysync-replica: DEBUG    new master keys in LDAP HSM: {\'0x89cb5da422df63e9a\', \'0x4191a795f83ade7634ec01cd3367607f\'}\nTraceback (most recent call last):\n  File "/usr/libexec/ipa/ipa-dnskeysync-replica", line 189, in <module>\n ldap2replica_master_keys_sync(ldapkeydb, localhsm)\n  File "/usr/libexec/ipa/ipa-dnskeysync-replica", line 90, in ldap2replica_master_keys_sync\n    raise ValueError(\nValueError: Local HSM does not contain suitable unwrapping key for master key 0x4191acd3367607f\n') ipa-dnskeysyncd.service: Main process exited, code=exited, status=1/FAILURE ... Domain seems to function okey, IPA does not complain about anything else except this 'ipa-dnskeysyncd.service' I wonder if it's this one box having relevant/related packages newer versions and other masters need updates to "fix" the issue, or perhaps doing those updates on remaining masters will make things worse.. or perhaps nature of the problems is altogether different. All advises are much welcomed. many thanks, L.