Bug#927435: upgrade-reports: Buster upgrade: had to re-create unbound certs/keys
clone 927435 -1
reassign 927435 unbound
retitle 927435 unbound: Small control keys makes it fail to start
severity 927435 important
reassign -1 release-notes
retitle -1 release-notes: Document how to handle OpenSSL's new defaults
thanks
John Eikenberry:
> Package: upgrade-reports
> Severity: normal
>
> After upgrading to buster, unbound-control would fail to run with this error:
>
> error: Error setting up SSL_CTX client cert
> 139765110753216:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small:../ssl/ssl_rsa.c:310:
>
> To fix this I had to regenerate the certs and keys by removing the old ones and
> running unbound-control-setup, then restarting unbound. This fixed the issue.
>
> $ cd /etc/unbound/
> $ sudo rm *.key *.pem
> $ sudo unbound-control-setup
> $ sudo systemctl restart unbound
>
> Note that with unbound-control broken, that broke `systemctl reload unbound` as
> it depends on unbound-control.
>
> [...]
>
Hi John,
Thanks for filing this bug.
I have split it into two bugs:
* One for unbound in case there is something in unbound that needs to
change (e.g. key generation instructions and/or a NEWS entry to
notify upgraders of potential issues and how to resolve them)
* One for the release-notes because the stricter defaults in OpenSSL
affect multiple programs (I have seen similar issues from e.g.
wpa_supplicant). At this point, we should probably document the
knobs involved[1].
Thanks,
~Niels
[1] I believe the alternative is to update /etc/ssl/openssl.cnf, finding
"""
[system_default_sect]
...
CipherString = DEFAULT@SECLEVEL=2
"""
and change that SECLEVEL=2 to SECLEVEL=1. Obviously, this has
system-wide effects and reduces the minimum key size for all things that
do not set their own CipherString (e.g. webservers have configuration to
do that and wpa_supplicant overrides the new default as well as most
WiFi have small keys).
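An added pre-upgrade check, not part of this bug report or of unbound itself: this stdlib-only Python reads the modulus size out of a PKCS#1 "RSA PRIVATE KEY" PEM (the format of the unbound-control-setup keys, assumed here to live at /etc/unbound/unbound_control.key and unbound_server.key) and compares it with the smallest RSA key OpenSSL accepts at each SECLEVEL (2048 bits at level 2, 1024 at level 1). The embedded key is a constructed dummy with a 1536-bit modulus, not a real key; point rsa_modulus_bits() at the real files to see whether they would trip the "ee key too small" error before you upgrade.

```python
import base64
import re

# Smallest RSA modulus (bits) OpenSSL accepts at each SECLEVEL:
# level 1 = 80-bit security, level 2 = 112-bit, level 3 = 128-bit, ...
SECLEVEL_MIN_RSA_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}

def _read_tlv(der, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(der[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def rsa_modulus_bits(pem):
    """Bit length of the modulus n in a PKCS#1 'RSA PRIVATE KEY' PEM block."""
    m = re.search(r"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", pem, re.S)
    if not m:
        raise ValueError("not a PKCS#1 RSA private key (PKCS#8 keys wrap this structure)")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, pos, _ = _read_tlv(der, 0)           # RSAPrivateKey ::= SEQUENCE {
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    _, _, pos = _read_tlv(der, pos)           #   version INTEGER,
    tag, start, end = _read_tlv(der, pos)     #   modulus INTEGER, ...
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(der[start:end], "big").bit_length()

def seclevel_ok(bits, seclevel=2):
    """True if an RSA key of this size is accepted at the given OpenSSL SECLEVEL."""
    return bits >= SECLEVEL_MIN_RSA_BITS[seclevel]

# --- constructed sample input (NOT a real key: only version, n and e are encoded) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def _der_int(v):
    raw = v.to_bytes((v.bit_length() + 8) // 8, "big")  # keeps a leading 0x00 if the high bit is set
    return b"\x02" + _der_len(len(raw)) + raw

_body = _der_int(0) + _der_int((1 << 1535) | 1) + _der_int(65537)  # 1536-bit dummy modulus
SAMPLE_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
              + base64.encodebytes(b"\x30" + _der_len(len(_body)) + _body).decode()
              + "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    bits = rsa_modulus_bits(SAMPLE_PEM)
    print(f"modulus: {bits} bits; SECLEVEL=2 ok: {seclevel_ok(bits)}; SECLEVEL=1 ok: {seclevel_ok(bits, 1)}")
```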