no /certs/signing-key.pem file

asked 2016-07-20 06:52:34 -0500

mgte

updated 2016-07-21 20:03:18 -0500

I just did a fresh netinstall of Fedora 24 Server for i686. The initial kernel installed was the PAE version, probably not surprisingly given it is a server. Why the server edition? I am trying to build an Asterisk phone system. Following the build from source instructions to install Asterisk, I ran into a problem with having to have the kernel-devel and kernel-headers packages for it to build. For whatever reason, I could not get those packages, the PAE kernel and Asterisk to play well, so I ended up installing the non-PAE kernel using dnf install. Successfully got the kernel installed, it appeared in grub, booted to the non-PAE Fedora 24 kernel (don't have the exact name here), and deleted the PAE version of the kernel (dnf remove). The problems with missing source etc went away.

Got through the Asterisk build and started configuring, but when I went to start the dahdi service (for the telco interface hardware), Fedora said it could not find the service. There was no reference to dahdi in /etc/init.d. Tried service start dahdi and got a dahdi.service not found. Started debugging and in that process found this article:

link text

Which seems to be where I am at. I do not have a certs/signing_key.pem in the kernel directory. The linked article implies that not having the file should not be an issue, and the OP said that they finally got it to work, but does not really say how.

So my questions: 1) When one installs a kernel (using dnf) should there be a certs/signing_key.pem file? If so, how is it created? Based on what little I have found on the topic, it almost seems that there should be a certs/signing_key.pem file provided by Fedora in the package. Is there a special way of installing the certs/signing_key.pem file? Is there a standard way to create a "standard" certs/signing_key.pem?

2) The linked article discusses setting enforcemodulesig FALSE on the kernel command line as a potential way around the signing problem (lack of certs/signing_key.pem). Can this be accomplished from grub? Or is this an option that must be incorporated during the install of the kernel?

3) Any other suggestions to work around this problem?




Well, I have built Asterisk many times on Fedora, so here are my questions and advice. Why i686? You should use x86_64 if it is a server, unless it is old hardware, especially if you have over 4G of RAM. Fedora includes Asterisk in its repository; you could install Asterisk and you will have no issue with it, except that it is split into many packages, but that way you install the modules that you need. You can also install DAHDI tools, but you still need to compile the kernel module for DAHDI. The cert requirement is probably that you do not have openssl and openssl-devel installed.

aeperezt ( 2016-07-20 10:44:27 -0500 )


Yes, old HW and less than 4G of RAM. Hence the i686 route. Basically recycling some old hardware for a home project.

The whole cert issue came up trying to get the DAHDI service started. Best I could tell the DAHDI kernel modules were not being signed and therefore the kernel would not allow them to run.

If I understand you correctly, the /cert/signing-key.pem in the kernel folder is dependent on openssl and openssl-devel being installed - very interesting! I will investigate that tonight and report back.



mgte ( 2016-07-21 12:54:03 -0500 )

Well, openssl was installed, but openssl-devel was not. Installed & tried rebuilding DAHDI. Same problem complaining about missing signing_key.pem. Did not try to build a key as concerned about my own key for kernel signing causing issues with installation of mainstream packages.

aeperezt -- If you happen to check in, I would like to tap your Asterisk experience. Have I made my life more difficult than it could be by installing F24 server (& kernel change)? Should I just go with F24 Workstation? Your advice would be appreciated! Thanks! mgte

mgte ( 2016-07-21 20:12:32 -0500 )

So you have UEFI secure boot on that machine? If so, disable it.

aeperezt ( 2016-07-21 22:32:31 -0500 )

The machine is a Pentium 4 w/ 1G RAM, so UEFI should not be an issue as it is not supported. Unless the F24 install is somehow expecting it, but I would have expected the installer would have tailored the install to the HW.

mgte ( 2016-07-22 13:51:02 -0500 )
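
Added example, not part of any post in this thread: a shell check that tells whether a kernel will refuse unsigned modules (such as a locally built DAHDI module) or only taint itself when loading them. It reads the upstream kernel options `CONFIG_MODULE_SIG` and `CONFIG_MODULE_SIG_FORCE` and the `module.sig_enforce` boot parameter; the function name and the sample inputs are constructed for illustration, and Secure Boot state is not considered.

```shell
#!/bin/sh
# module_sig_policy CONFIG_TEXT CMDLINE   (hypothetical helper, added example)
# Prints one of:
#   none        signature checking is not compiled into the kernel
#   permissive  unsigned modules load, but the kernel is marked tainted
#   enforced    unsigned or wrongly signed modules are rejected
module_sig_policy() {
    config=$1
    cmdline=$2
    # Without CONFIG_MODULE_SIG=y the kernel never looks at module signatures.
    if ! printf '%s\n' "$config" | grep -qx 'CONFIG_MODULE_SIG=y'; then
        echo none
        return 0
    fi
    # Build-time enforcement cannot be turned off at boot.
    if printf '%s\n' "$config" | grep -qx 'CONFIG_MODULE_SIG_FORCE=y'; then
        echo enforced
        return 0
    fi
    # module.sig_enforce is enable-only: bare, =1 and =y all switch it on.
    for arg in $cmdline; do
        case $arg in
            module.sig_enforce|module.sig_enforce=1|module.sig_enforce=[yY])
                echo enforced
                return 0 ;;
        esac
    done
    echo permissive
}

# Constructed sample inputs (not taken from the machine in the thread).
SAMPLE_CONFIG='CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-constructed root=/dev/sda1 ro quiet'

module_sig_policy "$SAMPLE_CONFIG" "$SAMPLE_CMDLINE"

# On a live system:
#   module_sig_policy "$(cat "/boot/config-$(uname -r)")" "$(cat /proc/cmdline)"
```

To see whether a particular module file carries a signature at all, `modinfo -F signer <module>.ko` prints nothing for an unsigned module.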