So the fix is to add a more reasonable maxsessions to the autograph stage and prod app configs.

It would be useful to capture the additional logs from https://bugzilla.mozilla.org/show_bug.cgi?id=1641103#c13, but those logs are coming from the cloudhsm library itself:

```console
[gguthe@ip-172-31-22-191 ~]$ strings /opt/cloudhsm/lib/libcloudhsm_pkcs11.so | grep 'failed with error'
%s failed with error %s : 0x%08lx
Delete partition failed with error code [%d] !!
Resize partition failed with error code [%d] !!
Create partition failed with error code [%d]!!
Validation of template is failed with error 0x%x
[gguthe@ip-172-31-22-191 ~]$ strings /opt/cloudhsm/lib/libcloudhsm_pkcs11.so | grep 'HSM error'
HSM error %lx: %s
```

There are some outdated headers on https://github.com/aws-samples/aws-cloudhsm-pkcs11-examples/tree/master/include/pkcs11/v2.40 but we'd probably have to go to cavium to find the source (if it's publicly available at all).
Bug 1641103 Comment 15 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
So the fix is to add a more reasonable maxsessions to the autograph stage and prod app configs.

Additional links from debugging:

* https://github.com/ThalesIgnite/crypto11/issues/36
* https://github.com/ThalesIgnite/crypto11/releases/tag/v0.1.0
* https://github.com/ThalesIgnite/crypto11/pull/59

Going forward it would be nice to:

* upgrade to a newer version of crypto11
* and capture the additional logs from https://bugzilla.mozilla.org/show_bug.cgi?id=1641103#c13

However, those logs are coming from the cloudhsm library itself, so that doesn't look easy:

```console
[gguthe@ip-172-31-22-191 ~]$ strings /opt/cloudhsm/lib/libcloudhsm_pkcs11.so | grep 'failed with error'
%s failed with error %s : 0x%08lx
Delete partition failed with error code [%d] !!
Resize partition failed with error code [%d] !!
Create partition failed with error code [%d]!!
Validation of template is failed with error 0x%x
[gguthe@ip-172-31-22-191 ~]$ strings /opt/cloudhsm/lib/libcloudhsm_pkcs11.so | grep 'HSM error'
HSM error %lx: %s
```

There are some outdated headers on https://github.com/aws-samples/aws-cloudhsm-pkcs11-examples/tree/master/include/pkcs11/v2.40 but we'd probably have to go to cavium to find the source (if it's publicly available at all).
So the fix is to add a more reasonable maxsessions to the autograph stage and prod app configs.

Additional links from debugging:

* https://github.com/ThalesIgnite/crypto11/issues/36
* https://github.com/ThalesIgnite/crypto11/releases/tag/v0.1.0
* https://github.com/ThalesIgnite/crypto11/pull/59
* https://godoc.org/gopkg.in/ThalesIgnite/crypto11.v0 (v1.x at https://pkg.go.dev/github.com/ThalesIgnite/crypto11#hdr-Sessions_and_concurrency)
* https://python-pkcs11.readthedocs.io/en/latest/applied.html#concepts-in-pkcs-11

Going forward it would be nice to:

* upgrade to a newer version of crypto11
* and capture the additional logs from https://bugzilla.mozilla.org/show_bug.cgi?id=1641103#c13

However, those logs are coming from the cloudhsm library itself, so that doesn't look easy:

```console
[gguthe@ip-172-31-22-191 ~]$ strings /opt/cloudhsm/lib/libcloudhsm_pkcs11.so | grep 'failed with error'
%s failed with error %s : 0x%08lx
Delete partition failed with error code [%d] !!
Resize partition failed with error code [%d] !!
Create partition failed with error code [%d]!!
Validation of template is failed with error 0x%x
[gguthe@ip-172-31-22-191 ~]$ strings /opt/cloudhsm/lib/libcloudhsm_pkcs11.so | grep 'HSM error'
HSM error %lx: %s
```

There are some outdated headers on https://github.com/aws-samples/aws-cloudhsm-pkcs11-examples/tree/master/include/pkcs11/v2.40 but we'd probably have to go to cavium to find the source (if it's publicly available at all).
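The pool-size point behind the fix above (a client-side session cap such as crypto11's MaxSessions versus the number of sessions the HSM itself allows), as a constructed Go example added here; it is not code from autograph, crypto11 or the CloudHSM library. The token is a stand-in channel with a fixed session limit, the pool is a capped channel, and the names runSigners, tokenLimit and maxSessions are this example's own. With the pool cap above the token limit, concurrent signers get CKR_SESSION_COUNT refusals; with the cap at or below the token limit they queue and none are refused.

```go
package main

import (
	"sync"
	"sync/atomic"
)

// runSigners models n concurrent signers sharing a constructed stand-in token that
// allows tokenLimit open sessions, through a pool that, like crypto11's MaxSessions,
// lets at most maxSessions callers hold a session at once. It returns how many
// signers the token refused (CKR_SESSION_COUNT). Holders keep their session until
// every caller that can reach the token has tried, so the result is fixed when
// maxSessions <= tokenLimit (always 0) or maxSessions >= n (always n - tokenLimit).
func runSigners(tokenLimit, maxSessions, n int) int {
	token := make(chan struct{}, tokenLimit) // one buffer slot per session the token allows
	slot := make(chan struct{}, maxSessions) // the client-side pool
	release := make(chan struct{})           // closed once everyone has tried
	target := int32(n)
	if maxSessions < n {
		target = int32(maxSessions) // callers past the pool cap only queue
	}
	var tried, failures int32
	attempted := func() {
		if atomic.AddInt32(&tried, 1) == target {
			close(release)
		}
	}
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			slot <- struct{}{}        // wait for a pool slot
			defer func() { <-slot }() // give it back
			select {
			case token <- struct{}{}: // C_OpenSession succeeded
			default: // token is at its limit: CKR_SESSION_COUNT
				atomic.AddInt32(&failures, 1)
				attempted()
				return
			}
			defer func() { <-token }() // C_CloseSession
			attempted()
			<-release // "signing": hold the session until all have tried
		}()
	}
	wg.Wait()
	return int(failures)
}
```

runSigners(2, 8, 8) returns 6 (pool cap far above a 2-session token), while runSigners(2, 2, 8) returns 0.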