Issue
KernelCare update failed
kcarectl --update
Downloading updates
The insmod: ERROR: could not insert module /lib/modules/*kernel_version*/extra/kcare.ko: Required key not available
Secure Boot enabled:
# mokutil --sb-state
SecureBoot enabled
Environment
- CloudLinux OS
- KernelCare
Solution
Option 1: Automated setup (recommended)
Requires KernelCare Agent version 3.0-2 or later. The setup uses a Microsoft-signed helper binary that automatically injects the KernelCare certificate into the Secure Boot trust chain at boot time.
Run as root:
/usr/share/kcare/secure_boot/setup_kcare_certs.sh
Supported on RPM-based distributions (RHEL, CentOS, AlmaLinux, Rocky Linux, Oracle Linux, CloudLinux, Amazon Linux) with EFI boot, shim installed, and Secure Boot enabled.
Option 2: Manual MOK enrollment
For systems that support the standard UEFI Secure Boot shim/MOK flow. This option requires shim and MOK support on the system.
The certificate is installed at:
/usr/libexec/kcare/kernelcare_pub.der
If it's missing, download it:
curl -o /usr/libexec/kcare/kernelcare_pub.der https://patches.kernelcare.com/kernelcare_pub.der
Enroll it:
mokutil --import /usr/libexec/kcare/kernelcare_pub.der
You'll be prompted to set a one-time password. Reboot the server and complete the MOK enrollment via the blue MokManager screen at boot. The certificate is enrolled into the trust chain after a successful reboot and MokManager confirmation.
Option 3: Disable Secure Boot (last resort)
If MOK enrollment is not possible on your platform, disabling Secure Boot in BIOS/UEFI may allow kcare.ko to load. This is a fallback and should be used only when enrollment is not available.
Verification:
After completing enrollment (either method), check that the certificate appears in the enrolled keys:
mokutil --list-enrolled | egrep -i 'SHA1|Issuer'
If the certificate does not appear in `mokutil`, check `dmesg` for certificate-loading messages.
To confirm KernelCare loads and patches successfully:
kcarectl --update
Note: `kcarectl --update` verifies that KernelCare functions correctly but does not confirm certificate enrollment on its own. Use `mokutil` or `dmesg` for enrollment verification.
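Grepping `mokutil --list-enrolled` for `SHA1|Issuer` still leaves you to eyeball which of the listed keys is the KernelCare one. The script below is an added example (not part of this article or of the KernelCare tooling) that makes the check exact: it computes the SHA1 fingerprint of the local `kernelcare_pub.der` with `openssl` and looks for that fingerprint among the enrolled MOK keys. The `SAMPLE_MOK_LISTING` text, its fingerprints and issuer names are constructed for the example; `der_fingerprint`, `is_enrolled`, `issuer_of` and `verify_kcare_enrollment` are names chosen here, not KernelCare commands.

```shell
#!/bin/sh
# Added example: verify KernelCare Secure Boot certificate enrollment by
# fingerprint instead of visually scanning `mokutil --list-enrolled`.

KCARE_DER=/usr/libexec/kcare/kernelcare_pub.der   # path given in the article

# der_fingerprint FILE: SHA1 fingerprint of a DER certificate, lower-cased,
# in the "aa:bb:..." form mokutil prints.
der_fingerprint() {
    openssl x509 -inform der -in "$1" -noout -fingerprint -sha1 \
        | sed 's/^.*Fingerprint=//' | tr 'A-F' 'a-f'
}

# is_enrolled FINGERPRINT LISTING: exit 0 if LISTING (the text of
# `mokutil --list-enrolled`) contains a key with that SHA1 fingerprint.
is_enrolled() {
    fp=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s\n' "$2" \
        | sed -n 's/^SHA1 Fingerprint: *//p' | tr 'A-F' 'a-f' \
        | grep -qx "$fp"
}

# issuer_of FINGERPRINT LISTING: print the Issuer of the key whose
# fingerprint matches. mokutil prints one "[key N]" block per certificate,
# so the match is scoped to the block the fingerprint line belongs to.
issuer_of() {
    fp=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s\n' "$2" | awk -v fp="$fp" '
        /^\[key /               { hit = 0 }
        /^SHA1 Fingerprint:/    { if (tolower($3) == fp) hit = 1 }
        /^ *Issuer:/ && hit     { sub(/^ *Issuer: */, ""); print; exit }'
}

# verify_kcare_enrollment: run as root on the real host. Exit 0 when the
# local certificate is enrolled, 1 when it is not, 2 on a tooling error.
verify_kcare_enrollment() {
    [ -r "$KCARE_DER" ] || { echo "certificate $KCARE_DER not found" >&2; return 2; }
    fp=$(der_fingerprint "$KCARE_DER") || return 2
    listing=$(mokutil --list-enrolled 2>/dev/null) || { echo "mokutil failed" >&2; return 2; }
    if is_enrolled "$fp" "$listing"; then
        echo "enrolled: $fp (issuer: $(issuer_of "$fp" "$listing"))"
    else
        echo "NOT enrolled: $fp; check dmesg for certificate-loading messages" >&2
        return 1
    fi
}

# Constructed sample of `mokutil --list-enrolled` output with two keys.
# Fingerprints and issuer names are made up for this example.
SAMPLE_MOK_LISTING='[key 1]
SHA1 Fingerprint: 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C = US, O = Example Vendor, CN = Example Vendor Secure Boot CA
[key 2]
SHA1 Fingerprint: de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C = US, O = Example Live Patching, CN = Example Live Patching Signing Key'

# Pass --verify to run the real check on this host (needs mokutil, openssl, root).
if [ "${1:-}" = "--verify" ]; then
    verify_kcare_enrollment
fi
```

Run `sh kcare_mok_check.sh --verify` on the server after the reboot and MokManager step; a non-zero exit means the key the kernel would need for `kcare.ko` is not in the MOK list, and `dmesg` is the next place to look, exactly as the note above says.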
Cause
UEFI Secure Boot is enabled on the server and the KernelCare signing certificate has not been enrolled into the Secure Boot trust chain, so the kernel rejects kcare.ko at load time.
References
https://docs.tuxcare.com/live-patching-services/#uefi-secure-boot-support