Nope, still "WARNING - DNSSEC ERROR: We are low on entropy. Not generating new Keys for counter.party. Please consider installing package haveged." Looking right now into /usr/lib/systemd/system/haveged.service for the configuration of haveged. Should I install a GUI to allow for more entropy? Talking of a workaround....
No, the entropy is fine if the value in /proc/sys/kernel/random/entropy_avail is higher than 200. I wonder why ISPConfig still reports it as being too low. As a workaround, maybe you should consider creating the zone without DNSSEC signing for now. Is this server a virtual server, and if yes, which virtualization do you use?
Disabling DNSSEC did the trick!! named.conf.local is now written and likely all tests will succeed now. My hoster says it is KVM. Thanks a bunch for your time!! PS: Maybe increasing the entropy pool size would make it work. It seems it is capped to 256.
Code:
    more /proc/sys/kernel/random/poolsize
KVM virtualization is fine. As I mentioned earlier, that's fine. ISPConfig tests if the entropy is below 200. Please create a file /tmp/test.php with this content:
Code:
    <?php
    if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 200) echo "entropy too low\n";
    echo file_get_contents('/proc/sys/kernel/random/entropy_avail');
Then run php /tmp/test.php and post the result.
Code:
    [email protected]:/home/djesys# cat /tmp/test.php
    <?php
    if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 200) echo "entropy too low\n";
    echo file_get_contents('/proc/sys/kernel/random/entropy_avail');
    [email protected]:/home/djesys# php /tmp/test.php
    256
    [email protected]:/home/djesys#
Hmm, ok. So the if part used in the ISPConfig bind plugin works, which is:
Code:
    if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 200) {
        $app->log('DNSSEC ERROR: We are low on entropy. This could cause server script to fail. Please consider installing package haveged.', LOGLEVEL_ERR);
        echo "DNSSEC ERROR: We are low on entropy. This could cause server script to fail. Please consider installing package haveged.\n";
        return false;
    }
So I'm a bit out of ideas how you can still get that error message, as the entropy is fine and the code used to detect it seems to work on your system too.
Maybe something is draining entropy quickly while server.sh runs? See if 'echo 4096 > /proc/sys/kernel/random/poolsize' changes anything.
The problem is that the bind plugin in ISPConfig will test if entropy is less than 400. ISPConfig is not recognizing haveged as installed. Debian changed entropy to 256 by default. Operating system: Debian buster
You're right, the entropy test in the ISPConfig BIND plugin is inconsistent. There is one test for entropy 200 (which I posted) and another one for entropy 400. I've added an issue report in our bug tracker.
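Added example, not part of the original thread and not ISPConfig code: a shell check that shows why a threshold of 400 can never pass when poolsize is 256, and that samples entropy_avail several times to catch the draining case raised earlier in the thread. The function names and the ENTROPY_AVAIL/POOLSIZE overrides are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not ISPConfig code). Function names are hypothetical.
# The two paths are the ones quoted in the thread; override them to test
# against constructed files.
ENTROPY_AVAIL=${ENTROPY_AVAIL:-/proc/sys/kernel/random/entropy_avail}
POOLSIZE=${POOLSIZE:-/proc/sys/kernel/random/poolsize}

# min_entropy SAMPLES INTERVAL: lowest entropy_avail seen over SAMPLES reads,
# so a short-lived drain during a run is not missed by a single read.
min_entropy() {
    samples=$1; interval=$2; min=""; i=0
    while [ "$i" -lt "$samples" ]; do
        cur=$(cat "$ENTROPY_AVAIL") || return 1
        if [ -z "$min" ] || [ "$cur" -lt "$min" ]; then min=$cur; fi
        i=$((i + 1))
        if [ "$i" -lt "$samples" ]; then sleep "$interval"; fi
    done
    echo "$min"
}

# classify THRESHOLD MIN POOL: prints unreachable, low or ok.
# Uses the same strict "<" comparison as the check posted in the thread.
classify() {
    if [ "$1" -gt "$3" ]; then
        echo unreachable   # entropy_avail <= poolsize < threshold, always fails
    elif [ "$2" -lt "$1" ]; then
        echo low           # reachable, but a sample dipped below the threshold
    else
        echo ok
    fi
}

# report SAMPLES INTERVAL THRESHOLD...: one line per threshold.
report() {
    samples=$1; interval=$2; shift 2
    pool=$(cat "$POOLSIZE") || return 1
    min=$(min_entropy "$samples" "$interval") || return 1
    for t in "$@"; do
        echo "threshold=$t pool=$pool min_seen=$min result=$(classify "$t" "$min" "$pool")"
    done
}

# Example: sh entropy_check.sh 5 1 200 400
if [ "$#" -ge 3 ]; then report "$@"; fi
```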
@buhler Thanks! I had the same issue (ISPConfig running on a Proxmox guest) and could fix it by adapting the bind plugin file. @till I couldn't find the bug in https://git.ispconfig.org/ispconfig/ispconfig3/-/issues. Can you please point me to the right place so that I can subscribe and see when it is fixed? Thanks. UPDATE: I have found the issue tracked here: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6366
The fix has been implemented already and is available in the dev channel and daily builds; it will be part of the upcoming 3.2.9 release.