EKEYREJECTED
Linux / POSIX | ERROR | Notable | Security | HIGH confidence

Key Was Rejected by Service

Production Risk

Investigate the key instantiation service (DNS, Kerberos, etc.) for errors.

What this means

EKEYREJECTED (errno 129) is returned when a key was rejected by the service that was supposed to instantiate it — typically a user-space key instantiation program returned a failure.

Why it happens
  1. The key instantiation callout program returned an error
  2. DNS resolver or Kerberos service rejected the credential
  3. Key type's update_or_lookup handler rejected the key

How to reproduce

Call request_key() for a key whose instantiation fails.

trigger — this will error
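#include <keyutils.h>   // link with -lkeyutils
// A non-NULL callout_info is needed for the lookup to trigger a callout;
// with NULL, a missing key fails with ENOKEY and no callout runs
key_serial_t key = request_key("dns_resolver", "example.com", "", 0);
// Returns -1, errno = EKEYREJECTED if DNS lookup fails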

expected output

request_key: Key was rejected by service (EKEYREJECTED)

Fix

Debug the key instantiation service

When: EKEYREJECTED is returned

# For DNS resolver keys, check name resolution
host example.com
# Check /etc/request-key.conf for instantiation rules
cat /etc/request-key.conf
# Check system logs for instantiation errors
journalctl -k | grep key

Why this works

The rejection comes from the instantiation service; check its logs and configuration.
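
To find out which callout program a request is handed to, and so whose logs and configuration to check, the rule selection in /etc/request-key.conf can be replayed by hand. This is an added example, not part of the original page: `match_rule` and `SAMPLE_CONF` are hypothetical names, the rules are constructed sample input, the `*` wildcard is approximated with shell pattern matching, and only a single file is read.

```shell
# Constructed sample rules in request-key.conf layout (not from a real system)
SAMPLE_CONF='# OP    TYPE          DESCRIPTION  CALLOUT-INFO  PROGRAM ARG1 ...
create  dns_resolver  *            *             /sbin/key.dns_resolver %k
create  user          debug:*      negate        /bin/keyctl negate %k 30 %S
'

# match_rule OP TYPE DESCRIPTION CALLOUT-INFO [CONF-FILE]
# Prints the program and arguments of the first rule whose first four
# fields match the request; returns 1 when no rule matches.
# Without CONF-FILE, the constructed sample above is used.
match_rule() {
    req_op=$1 req_type=$2 req_desc=$3 req_info=$4 conf=${5:-}
    if [ -n "$conf" ]; then rules=$(cat "$conf"); else rules=$SAMPLE_CONF; fi
    result=$(printf '%s\n' "$rules" |
        while read -r r_op r_type r_desc r_info r_prog; do
            case $r_op in ''|'#'*) continue ;; esac   # blank line or comment
            # Rule fields are left unquoted so that "*" acts as a wildcard
            case $req_op   in $r_op)   ;; *) continue ;; esac
            case $req_type in $r_type) ;; *) continue ;; esac
            case $req_desc in $r_desc) ;; *) continue ;; esac
            case $req_info in $r_info) ;; *) continue ;; esac
            printf '%s\n' "$r_prog"                   # first match wins
            break
        done)
    [ -n "$result" ] && printf '%s\n' "$result"
}

# Which helper would handle the dns_resolver request from the example above?
match_rule create dns_resolver example.com ''
```

Pass /etc/request-key.conf as the fifth argument to run the same lookup against the live rules; no match means no configured program could instantiate the key.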

Sources
Official documentation ↗

Linux Programmer Manual keyrings(7)
