What's the correct way to correct the cause of this error message? There is no guidance online I can find. I first saw it a few years ago, and it's back. ipa-ods-exporter emits this assertion, then quits.

ipk11id length should not be 0

This system hosts the dnssec master db.  There is one replica.  That's it.


Apr 07 08:12:08 registry1.1.quietfountain.com systemd[1]: ipa-ods-exporter.service: Scheduled restart job, restart counter is at 811.
Apr 07 08:12:08 registry1.1.quietfountain.com systemd[1]: Stopped IPA OpenDNSSEC Signer replacement.
Apr 07 08:12:08 registry1.1.quietfountain.com systemd[1]: ipa-ods-exporter.service: Consumed 2.876s CPU time.
Apr 07 08:12:08 registry1.1.quietfountain.com systemd[1]: Started IPA OpenDNSSEC Signer replacement.
Apr 07 08:12:09 registry1.1.quietfountain.com ipa-ods-exporter[857534]: ipa-ods-exporter: INFO     To increase debugging set debug=True in dns.conf See default.conf(5) for details
Apr 07 08:12:10 registry1.1.quietfountain.com python3[857534]: GSSAPI client step 1
Apr 07 08:12:10 registry1.1.quietfountain.com python3[857534]: GSSAPI client step 1
Apr 07 08:12:10 registry1.1.quietfountain.com python3[857534]: GSSAPI client step 1
Apr 07 08:12:10 registry1.1.quietfountain.com python3[857534]: Configuration.cpp(96): Missing log.level in configuration. Using default value: INFO
Apr 07 08:12:10 registry1.1.quietfountain.com python3[857534]: Configuration.cpp(96): Missing slots.mechanisms in configuration. Using default value: ALL
Apr 07 08:12:10 registry1.1.quietfountain.com python3[857534]: Configuration.cpp(124): Missing slots.removable in configuration. Using default value: false
Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]: Traceback (most recent call last):
Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]:   File "/usr/libexec/ipa/ipa-ods-exporter", line 718, in <module>
Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]:     ldap2master_replica_keys_sync(ldapkeydb, localhsm)
Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]:   File "/usr/libexec/ipa/ipa-ods-exporter", line 295, in ldap2master_replica_keys_sync
Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]:     hex_set(localhsm.replica_pubkeys_wrap))
Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]:   File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/localhsm.py", line 130, in replica_pubkeys_wrap
Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]:     self.find_keys(objclass=_ipap11helper.KEY_CLASS_PUBLIC_KEY,
Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]:   File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/localhsm.py", line 114, in find_keys
Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]:     key = Key(self.p11, h)
Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]:   File "/usr/lib/python3.9/site-packages/ipaserver/dnssec/localhsm.py", line 38, in __init__
Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]:     assert len(cka_id) != 0, 'ipk11id length should not be 0'
Apr 07 08:12:11 registry1.1.quietfountain.com ipa-ods-exporter[857534]: AssertionError: ipk11id length should not be 0
Apr 07 08:12:11 registry1.1.quietfountain.com systemd[1]: ipa-ods-exporter.service: Main process exited, code=exited, status=1/FAILURE
Apr 07 08:12:11 registry1.1.quietfountain.com systemd[1]: ipa-ods-exporter.service: Failed with result 'exit-code'.
Apr 07 08:12:11 registry1.1.quietfountain.com systemd[1]: ipa-ods-exporter.service: Consumed 2.938s CPU time.

on

[root@registry1 ~]# dnf info ipa-server
Last metadata expiration check: 3:19:38 ago on Sun 07 Apr 2024 04:55:29 AM CDT.
Installed Packages
Name         : ipa-server
Version      : 4.10.2
Release      : 8.el9_3.alma.1
Architecture : x86_64
Size         : 1.1 M
Source       : ipa-4.10.2-8.el9_3.alma.1.src.rpm
Repository   : @System
From repo    : appstream
Summary      : The IPA authentication server
5.14.0-362.24.1.el9_3.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar 20 04:52:13 EDT 2024 x86_64 x86_64 x86_64 GNU/Linux

p11 tools has one entry that has no id, no label, RSA of 0 byte length, also with the 'wrap' flag. There's no obvious way to track that back to a file -- if that's even the right path to explore.

It's pretty much dead until this is solved.