Failed akmods-keygen unit after upgrade to CoreOS 41 image

Hello,

I just upgraded to the latest coreOS image, and am getting this every time I bring up a terminal:

Failed Units: 1
  akmods-keygen@akmods-keygen.service

Here is the output of systemctl status:

Dec 20 13:23:46 my-pc kmodgenca[1540]:     /etc/pki/akmods/private/my-pc-4218448284.priv
Dec 20 13:23:46 my-pc kmodgenca[1540]:     /etc/pki/akmods/private/my-pc-2072618505.priv
Dec 20 13:23:46 my-pc kmodgenca[1540]: ERROR: BROKEN SYMLINK(S) TO THE DEFAULT KEY PAIR!
Dec 20 13:23:46 my-pc kmodgenca[1540]: Valid symlinks to a public and private key must exist.
Dec 20 13:23:46 my-pc kmodgenca[1540]: /etc/pki/akmods/certs/public_key.der: BROKEN
Dec 20 13:23:46 my-pc kmodgenca[1540]: /etc/pki/akmods/private/private_key.priv: WORKING
Dec 20 13:23:46 my-pc kmodgenca[1540]: Quitting.
Dec 20 13:23:46 my-pc systemd[1]: akmods-keygen@akmods-keygen.service: Main process exited, code=exited, status=3/NOTIMPLEMENTED
Dec 20 13:23:46 my-pc systemd[1]: akmods-keygen@akmods-keygen.service: Failed with result 'exit-code'.
Dec 20 13:23:46 my-pc systemd[1]: Failed to start akmods-keygen@akmods-keygen.service - Akmods Secure boot MOK Key Generation.

What has happened, and how can I fix it? Thanks

Could you share the output of the sudo rpm-ostree status command?

State: idle
AutomaticUpdates: disabled
Deployments:
● fedora:fedora/x86_64/coreos/stable (index: 0)
                  Version: 41.20241122.3.0 (2024-12-16T21:04:43Z)
               BaseCommit: c81a94e71f7bbb4a7eaf1aa2162183d1c63fda4e5b7fb8a3054f42ff9607d8a1
                           └─ fedora-coreos-pool (2024-12-16T18:59:38Z)
                   Commit: 94b9e6f8dbc480c1e8af2bbd9bf3d577849bb89f1dd351f14586cdac88072afb
                           ├─ fedora (2024-10-24T13:55:59Z)
                           ├─ fedora-cisco-openh264 (2024-03-11T19:22:31Z)
                           ├─ nvidia-container-toolkit (2024-12-04T12:02:48Z)
                           ├─ rpmfusion-free (2024-10-27T07:49:25Z)
                           ├─ rpmfusion-free-updates (2024-12-17T11:11:36Z)
                           ├─ rpmfusion-nonfree (2024-10-27T07:58:23Z)
                           ├─ rpmfusion-nonfree-updates (2024-12-17T11:30:28Z)
                           ├─ updates (2024-12-20T13:31:04Z)
                           └─ updates-archive (2024-12-20T13:56:56Z)
                   Staged: no
                StateRoot: fedora-coreos
             GPGSignature: 1 signature
                           Signature made Tue Dec 17 07:06:19 2024 using RSA key ID D0622462E99D6AD1
                           Good signature from "Fedora <fedora-41-primary@fedoraproject.org>"
      RemovedBasePackages: nfs-utils-coreos 1:2.8.1-1.rc1.fc41
         InactiveRequests: bash-completion bsdtar socat wireguard-tools
          LayeredPackages: adwaita-cursor-theme akmod-nvidia alacritty alsa-utils aria2
                           bemenu binutils cargo chromium ddcutil drm-utils dunst egl-gbm
                           ffmpeg firefox flatpak fzf gimp git google-noto-emoji-fonts
                           google-noto-sans-cjk-fonts google-noto-sans-fonts
                           google-noto-sans-mono-fonts google-roboto-fonts grim
                           igt-gpu-tools ImageMagick imv intel-media-driver iotop kanshi
                           levien-inconsolata-fonts lftp libdisplay-info libva-utils lz4
                           mako man-db man-pages mesa-dri-drivers mesa-va-drivers
                           mesa-vulkan-drivers moreutils mpv neovim netcat nfs-utils
                           numix-gtk-theme numix-icon-theme numix-icon-theme-circle
                           numix-icon-theme-square nvidia-container-toolkit-base p7zip
                           parallel parted pass pavucontrol pinentry-tty pipewire
                           pipewire-alsa pipewire-pulseaudio pipewire-utils
                           pulseaudio-utils remmina remmina-plugins-rdp remmina-plugins-vnc
                           ripgrep rpmfusion-free-release rpmfusion-nonfree-release rust
                           rust-src samba slurp strace sway swaybg swayidle swaylock
                           tcpdump thunar tmux virt-manager vulkan-tools waypipe wayvnc
                           wf-recorder wget wireplumber wl-clipboard wlopm
                           xdg-desktop-portal-wlr xeyes xorg-x11-drv-nvidia
                           xorg-x11-drv-nvidia-cuda xorg-x11-server-Xwayland yambar zathura
                           zathura-pdf-mupdf

  fedora:fedora/x86_64/coreos/stable (index: 1)
                  Version: 40.20241019.3.0 (2024-10-26T12:34:27Z)
               BaseCommit: 6df70065620571076f242857b9080d747891e2279dff3ed1756270f6889731ce
                           └─ fedora-coreos-pool (2024-10-25T20:48:29Z)
                   Commit: 6293cbff4bdc26dfdc50f834e99d08340b32a50cabf208f9a62e8381016999ae
                           ├─ fedora (2024-04-14T18:51:11Z)
                           ├─ fedora-cisco-openh264 (2024-03-12T11:45:42Z)
                           ├─ nvidia-container-toolkit (2024-11-09T02:28:15Z)
                           ├─ rpmfusion-free (2024-04-20T12:11:51Z)
                           ├─ rpmfusion-free-updates (2024-11-04T00:01:20Z)
                           ├─ rpmfusion-nonfree (2024-04-20T12:18:23Z)
                           ├─ rpmfusion-nonfree-updates (2024-11-04T00:19:19Z)
                           ├─ updates (2024-11-08T04:05:04Z)
                           └─ updates-archive (2024-11-09T03:00:45Z)
                StateRoot: fedora-coreos
             GPGSignature: 1 signature
                           Signature made Sat Oct 26 22:36:19 2024 using RSA key ID 0727707EA15B79CC
                           Good signature from "Fedora <fedora-40-primary@fedoraproject.org>"
      RemovedBasePackages: nfs-utils-coreos 1:2.7.1-0.fc40
         InactiveRequests: bash-completion bsdtar socat wireguard-tools
          LayeredPackages: adwaita-cursor-theme akmod-nvidia alacritty alsa-utils aria2
                           bemenu binutils cargo chromium ddcutil drm-utils dunst egl-gbm
                           ffmpeg firefox flatpak fzf gimp git google-noto-emoji-fonts
                           google-noto-sans-cjk-fonts google-noto-sans-fonts
                           google-noto-sans-mono-fonts google-roboto-fonts grim
                           igt-gpu-tools ImageMagick imv intel-media-driver iotop kanshi
                           levien-inconsolata-fonts lftp libdisplay-info libva-utils lz4
                           mako man-db man-pages mesa-dri-drivers mesa-va-drivers
                           mesa-vulkan-drivers moreutils mpv neovim netcat nfs-utils
                           numix-gtk-theme numix-icon-theme numix-icon-theme-circle
                           numix-icon-theme-square nvidia-container-toolkit-base p7zip
                           parallel parted pass pavucontrol pinentry-tty pipewire
                           pipewire-alsa pipewire-pulseaudio pipewire-utils
                           pulseaudio-utils remmina remmina-plugins-rdp remmina-plugins-vnc
                           ripgrep rpmfusion-free-release rpmfusion-nonfree-release rust
                           rust-src samba slurp strace sway swaybg swayidle swaylock
                           tcpdump thunar tmux virt-manager vulkan-tools waypipe wayvnc
                           wf-recorder wget wireplumber wl-clipboard wlopm
                           xdg-desktop-portal-wlr xeyes xorg-x11-drv-nvidia
                           xorg-x11-drv-nvidia-cuda xorg-x11-server-Xwayland yambar zathura
                           zathura-pdf-mupdf
                   Pinned: yes

Secure Boot signed NVIDIA kernel modules require some manual setup. See: Akmods does not sign compiled module when using rpm-ostree · Issue #499 · fedora-silverblue/issue-tracker · GitHub

Looks like you are using Fedora CoreOS as a desktop. You should probably take a look at Fedora Sway Atomic.

Thanks, I have looked at that issue and related ones, but I’m still not sure how to fix this. Can you please spell it out for me a little more? Secure Boot has always been disabled on this computer.

I had considered it, but felt that too many things were pre-installed on Sway Atomic that I did not need or use.

If you need support for the NVIDIA driver then I recommend looking at the Universal Blue images.