Bug#946938: postgresql-common: pg_upgradecluster woes: fails to upgrade to v12 because ee key too small; postgres also fails to restart after upgrade
On Wed, Dec 18, 2019 at 10:51:06AM +0100, Christoph Berg wrote:
> Control: reassign -1 ssl-cert
> Control: affects -1 postgresql-common
>
> Re: Julian Gilbey 2019-12-18 <157666085037.520017.6645946659722479335.reportbug@erdos.d-and-j.net>
> > I've just tried upgrading postgresql from version 11 to version 12,
> > following the instructions in README.Debian.
>
> Hi,
>
> did you upgrade the OS at the same time?
Hi Christoph,
Thanks for the quick response!
I had recently done an apt upgrade, and it is possible that an ssl
package was upgraded in the process. I've repeated the exercise on a
different machine, though, and that worked fine.
I had a look at the snake-oil keys, and the "broken" machine's one was
dated 2010, whereas the other machine's was dated 2013. So I've just
recreated the ssl-cert-snakeoil.pem on the "broken" using the command
make-ssl-cert generate-default-snakeoil --force-overwrite
and now the pg_upgradecluster works (almost) fine.
> > 2019-12-18 08:55:15.323 GMT [520011] FATAL: could not load server certificate file "/etc/ssl/certs/ssl-cert-snakeoil.pem": ee key too small
>
> This isn't a PostgreSQL problem, the snakeoil certificate will be
> rejected by any other daemon as well.
>
> The ssl-cert package should regenerate the keys if the openssl package
> upgrades the key requirements.
So indeed, this seems to be one of the issues - well identified! I'll
send a separate bug report about the other weirdness.
Best wishes,
Julian
Reply to: