keymgr import-KEY file needs to be readable by knot
Problem
I migrated some keys from another server and used keymgr import-pem PEM_file [arguments...] to import the previous key. This constantly failed with the error message:
Error (operation not permitted)
Solution
Using strace I figured out that the PEM file needs to be readable by the user knot. This was at first unexpected as I was running keymgr as root.
I guess this problem applies to other import key commands such as import-bind.
There is a hint to this problem in Knot DNS for BIND users which mentions the use of sudo -u knot keymgr ...
Suggestion
Please make a notice in the keymgr documentation that the key to be imported needs to be readable by the user knot. If not in the command's description (e.g. of import-pem) then a hint in the Examples section of the keymgr documentation would help as well.
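
A pre-flight check for the situation reported above, added here as an example (it is not part of the original report and not Knot DNS code): it walks the path to the PEM file and names the first directory or file whose mode bits deny the knot user access. The function names are hypothetical, the account name knot is taken from the report, and only classic owner/group/other bits are evaluated (no ACLs or MAC policy).

```python
import os
import pwd
import stat
import sys


def _allowed(st, uid, gids, bit):
    """Apply the owner/group/other class that the kernel would pick for uid."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & bit)


def first_blocker(path, uid, gids):
    """Return the first path component that denies uid access, or None.

    Directories need search (x) permission, the file itself needs read (r).
    Only classic mode bits are checked; ACLs and MAC policy are ignored.
    """
    if uid == 0:
        return None
    path = os.path.realpath(path)
    current = os.sep
    components = [current]
    for part in filter(None, path.split(os.sep)):
        current = os.path.join(current, part)
        components.append(current)
    for comp in components:
        bit = 4 if comp == path else 1  # r on the file, x on each directory
        if not _allowed(os.stat(comp), uid, gids, bit):
            return comp
    return None


def world_readable(path):
    """True if 'other' can read the file: too open for a private key."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


if __name__ == "__main__":
    pem, user = sys.argv[1], "knot"  # account name taken from the report above
    pw = pwd.getpwnam(user)
    blocker = first_blocker(pem, pw.pw_uid, set(os.getgrouplist(user, pw.pw_gid)))
    print(f"{user} blocked at: {blocker}" if blocker else f"{user} can read {pem}")
    if world_readable(pem):
        print("warning: key file is world-readable")
```

Run it as root with the PEM path as the only argument, so every component can be inspected. If the file is blocked, granting access through the knot user's group or ownership keeps the private key from becoming world-readable.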