Created attachment 1824526
Output of journalctl -xeu named.service

Description of problem:
ipa-server-install --setup-dns is broken with the recent rawhide update bind-9.16.21-1.fc36

Version-Release number of selected component (if applicable):
bind-9.16.21-1.fc36

How reproducible:
Always

Steps to Reproduce:
1. reproduced on 1minutetup rawhide machine: 1MT-Fedora-36
2. dnf update -y
3. dnf install -y freeipa-server freeipa-server-dns
4. ipa-server-install --domain ipa.test --realm IPA.TEST --setup-dns --auto-forwarders -a Secret123 -p Secret123 -U

Actual results:
ipa-server-install fails with an error starting named service

Expected results:
ipa-server-install should complete successfully

Additional info:
Extract of the journal:
Sep 20 03:49:08 server.ipa.test named[47048]: BIND 9 is maintained by Internet Systems Consortium,
Sep 20 03:49:08 server.ipa.test named[47048]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep 20 03:49:08 server.ipa.test named[47048]: corporation. Support and training for BIND 9 are
Sep 20 03:49:08 server.ipa.test named[47048]: available at https://www.isc.org/support
Sep 20 03:49:08 server.ipa.test named[47048]: ----------------------------------------------------
Sep 20 03:49:08 server.ipa.test named[47048]: adjusted limit on open files from 524288 to 1048576
Sep 20 03:49:08 server.ipa.test named[47048]: found 1 CPU, using 1 worker thread
Sep 20 03:49:08 server.ipa.test named[47048]: using 1 UDP listener per interface
Sep 20 03:49:08 server.ipa.test named[47048]: using up to 21000 sockets
Sep 20 03:49:08 server.ipa.test named[47048]: initializing DST: no engine
Sep 20 03:49:08 server.ipa.test named[47048]: exiting (due to fatal error)
Sep 20 03:49:08 server.ipa.test systemd[1]: named.service: Control process exited, code=exited, status=1/FAILURE
Hmm, confirmed it does not work. It is not an issue on the bind side, however. No pkcs11 engine exists after the switch to OpenSSL 3. The build of openssl-pkcs11 failed [1] on Fedora, but it does not have its own bug yet. It is still in a side-tag, and the installed openssl-pkcs11-0.4.11-4.fc35.x86_64 is linked to OpenSSL 1.1.

# openssl engine -vv pkcs11
00AC0538E57F0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:118:filename(/usr/lib64/engines-3/pkcs11.so): /usr/lib64/engines-3/pkcs11.so: cannot open shared object file: No such file or directory
00AC0538E57F0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:162:
00AC0538E57F0000:error:13000084:engine routines:dynamic_load:dso not found:crypto/engine/eng_dyn.c:422:
00AC0538E57F0000:error:13000074:engine routines:ENGINE_by_id:no such engine:crypto/engine/eng_list.c:343:id=pkcs11

Cannot fix it until we have a working openssl-pkcs11 for OpenSSL 3.

1. https://koji.fedoraproject.org/koji/taskinfo?taskID=75717780
It is not the new version; it did not change anything related. It was the OpenSSL 3.0 rebuild which was responsible. Version bind-9.16.20-4.fc36 has the same problem; it was just discovered when the bind-dyndb-ldap plugin rebuild was tested.

Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: starting BIND 9.16.20-RH (Extended Support Version>
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: running on Linux x86_64 5.14.0-0.rc5.20210813gitf8>
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: built with '--build=x86_64-redhat-linux-gnu' '--ho>
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: running as: named -u named -c /etc/named.conf -E p>
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: compiled by GCC 11.2.1 20210728 (Red Hat 11.2.1-1)
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: compiled with OpenSSL version: OpenSSL 3.0.0 7 sep>
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: linked to OpenSSL version: OpenSSL 3.0.0 7 sep 2021
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: compiled with libxml2 version: 2.9.12
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: linked to libxml2 version: 20912
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: compiled with json-c version: 0.15
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: linked to json-c version: 0.15
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: compiled with zlib version: 1.2.11
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: linked to zlib version: 1.2.11
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: -------------------------------------------------->
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: BIND 9 is maintained by Internet Systems Consortiu>
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: corporation. Support and training for BIND 9 are
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: available at https://www.isc.org/support
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: -------------------------------------------------->
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: adjusted limit on open files from 524288 to 1048576
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: found 1 CPU, using 1 worker thread
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: using 1 UDP listener per interface
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: using up to 21000 sockets
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: initializing DST: no engine
Sep 20 06:09:11 ci-vm-10-0-137-247.hosted.upshift.rdu2.redhat.com named[59588]: exiting (due to fatal error)
It seems that after installation of openssl-pkcs11 built for OpenSSL 3.0, it works again just fine. We only need to wait until the new package is in the repositories.
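
Added example, not part of the original report and not code from BIND, FreeIPA or OpenSSL: a triage script that ties the two observations in this thread together, the "initializing DST: no engine" abort in the journal and the missing pkcs11.so in OpenSSL's engines directory. The function names, verdict strings and sample journal lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage of the named startup failure discussed in this report.
# The journal lines written by sample_journal are constructed for illustration.

# dst_engine_failed FILE: succeeds if one named PID logs "no engine", then exits.
dst_engine_failed() {
    awk '
        match($0, /named\[[0-9]+\]: /) {
            pid = substr($0, RSTART, RLENGTH)
            msg = substr($0, RSTART + RLENGTH)
            if (msg ~ /^initializing DST: no engine/) noeng[pid] = 1
            else if (msg ~ /^exiting \(due to fatal error\)/ && (pid in noeng)) hit = 1
        }
        END { exit hit ? 0 : 1 }
    ' "$1"
}

# openssl_enginesdir: prints the ENGINESDIR of the openssl binary found in PATH.
openssl_enginesdir() {
    openssl version -e | sed -n 's/^ENGINESDIR: "\(.*\)"$/\1/p'
}

# diagnose JOURNAL_FILE ENGINES_DIR [ENGINE_ID]: prints a one-word verdict.
diagnose() {
    id=${3:-pkcs11}
    if ! dst_engine_failed "$1"; then
        echo "no-dst-failure"
    elif [ -f "$2/$id.so" ]; then
        echo "engine-present-look-elsewhere"
    else
        echo "engine-missing"
    fi
}

# sample_journal FILE: writes a constructed journal extract to FILE.
sample_journal() {
    cat > "$1" <<'EOF'
Sep 20 03:49:08 host.example named[100]: using up to 21000 sockets
Sep 20 03:49:08 host.example named[100]: initializing DST: no engine
Sep 20 03:49:08 host.example named[100]: exiting (due to fatal error)
EOF
}

tmp=$(mktemp -d)
sample_journal "$tmp/journal.txt"
diagnose "$tmp/journal.txt" "$tmp/engines-3"   # prints: engine-missing
rm -rf "$tmp"
```

On an affected host, save the output of `journalctl -u named.service` to a file and pass it together with `"$(openssl_enginesdir)"` as the engines directory.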