What's the correct way to correct the
cause of this error message? There is no guidance online I can
find. I first saw it a few years ago, it's back. ipa-ods-exporter emits this assertion, then
quits.
ipk11id length should not be 0
This system hosts the dnssec master db.
There is one replica. That's it.
Apr 07 08:12:08
registry1.1.quietfountain.com systemd[1]:
ipa-ods-exporter.service: Scheduled restart job, restart counter
is at 811.
Apr 07 08:12:08 registry1.1.quietfountain.com systemd[1]:
Stopped IPA OpenDNSSEC Signer replacement.
Apr 07 08:12:08 registry1.1.quietfountain.com systemd[1]:
ipa-ods-exporter.service: Consumed 2.876s CPU time.
Apr 07 08:12:08 registry1.1.quietfountain.com systemd[1]:
Started IPA OpenDNSSEC Signer replacement.
Apr 07 08:12:09 registry1.1.quietfountain.com
ipa-ods-exporter[857534]: ipa-ods-exporter: INFO To increase
debugging set debug=True in dns.conf See default.conf(5) for
details
Apr 07 08:12:10 registry1.1.quietfountain.com python3[857534]:
GSSAPI client step 1
Apr 07 08:12:10 registry1.1.quietfountain.com python3[857534]:
GSSAPI client step 1
Apr 07 08:12:10 registry1.1.quietfountain.com python3[857534]:
GSSAPI client step 1
Apr 07 08:12:10 registry1.1.quietfountain.com python3[857534]:
Configuration.cpp(96): Missing log.level in configuration. Using
default value: INFO
Apr 07 08:12:10 registry1.1.quietfountain.com python3[857534]:
Configuration.cpp(96): Missing slots.mechanisms in
configuration. Using default value: ALL
Apr 07 08:12:10 registry1.1.quietfountain.com python3[857534]:
Configuration.cpp(124): Missing slots.removable in
configuration. Using default value: false
Apr 07 08:12:11 registry1.1.quietfountain.com
ipa-ods-exporter[857534]: Traceback (most recent call last):
Apr 07 08:12:11 registry1.1.quietfountain.com
ipa-ods-exporter[857534]: File
"/usr/libexec/ipa/ipa-ods-exporter", line 718, in <module>
Apr 07 08:12:11 registry1.1.quietfountain.com
ipa-ods-exporter[857534]:
ldap2master_replica_keys_sync(ldapkeydb, localhsm)
Apr 07 08:12:11 registry1.1.quietfountain.com
ipa-ods-exporter[857534]: File
"/usr/libexec/ipa/ipa-ods-exporter", line 295, in
ldap2master_replica_keys_sync
Apr 07 08:12:11 registry1.1.quietfountain.com
ipa-ods-exporter[857534]:
hex_set(localhsm.replica_pubkeys_wrap))
Apr 07 08:12:11 registry1.1.quietfountain.com
ipa-ods-exporter[857534]: File
"/usr/lib/python3.9/site-packages/ipaserver/dnssec/localhsm.py",
line 130, in replica_pubkeys_wrap
Apr 07 08:12:11 registry1.1.quietfountain.com
ipa-ods-exporter[857534]:
self.find_keys(objclass=_ipap11helper.KEY_CLASS_PUBLIC_KEY,
Apr 07 08:12:11 registry1.1.quietfountain.com
ipa-ods-exporter[857534]: File
"/usr/lib/python3.9/site-packages/ipaserver/dnssec/localhsm.py",
line 114, in find_keys
Apr 07 08:12:11 registry1.1.quietfountain.com
ipa-ods-exporter[857534]: key = Key(self.p11, h)
Apr 07 08:12:11 registry1.1.quietfountain.com
ipa-ods-exporter[857534]: File
"/usr/lib/python3.9/site-packages/ipaserver/dnssec/localhsm.py",
line 38, in __init__
Apr 07 08:12:11 registry1.1.quietfountain.com
ipa-ods-exporter[857534]: assert len(cka_id) != 0, 'ipk11id
length should not be 0'
Apr 07 08:12:11 registry1.1.quietfountain.com
ipa-ods-exporter[857534]: AssertionError: ipk11id length should
not be 0
Apr 07 08:12:11 registry1.1.quietfountain.com systemd[1]:
ipa-ods-exporter.service: Main process exited, code=exited,
status=1/FAILURE
Apr 07 08:12:11 registry1.1.quietfountain.com systemd[1]:
ipa-ods-exporter.service: Failed with result 'exit-code'.
Apr 07 08:12:11 registry1.1.quietfountain.com systemd[1]:
ipa-ods-exporter.service: Consumed 2.938s CPU time.
on
[root@registry1
~]# dnf info ipa-server
Last metadata expiration check: 3:19:38 ago on Sun 07 Apr 2024
04:55:29 AM CDT.
Installed Packages
Name : ipa-server
Version : 4.10.2
Release : 8.el9_3.alma.1
Architecture : x86_64
Size : 1.1 M
Source : ipa-4.10.2-8.el9_3.alma.1.src.rpm
Repository : @System
From repo : appstream
Summary : The IPA authentication server
5.14.0-362.24.1.el9_3.x86_64
#1 SMP PREEMPT_DYNAMIC Wed Mar 20 04:52:13 EDT 2024 x86_64
x86_64 x86_64 GNU/Linux
p11 tools has one entry that has no id, no label, RSA of 0 byte length, with also the 'wrap' flag. There's no obvious way to track that back to a file-- if that's event the right path to explore.
It's pretty much dead until this is solved.