Bug#924881: postgresql: buster upgrade breaks older postgresql (9.6) and newer postgresql (11) is also inoperative
Control: tag -1 - moreinfo
On Thu, Mar 21, 2019 at 11:39:10AM +0100, Christoph Berg wrote:
> Re: Boyd Stephen Smith Jr. 2019-03-17 <155286006298.75575.15027661784880447919.reportbug@localhost.localdomain>
> > Mar 17 11:57:22 monster postgresql@9.6-main[1380]: The PostgreSQL server failed to start. Please check the log output:
> > Mar 17 11:57:22 monster postgresql@9.6-main[1380]: 2019-03-17 16:57:21 GMT FATAL: could not load server certificate file "/etc/ssl/certs/ssl-cert-snakeoil.pem": ee key too small
>
> Hi Boyd,
>
> that error message is directly from openssl, so unrelated to
> PostgreSQL. What size is the snakeoil key? Could you post the output
> of that command?
>
> openssl x509 -text -noout < /etc/ssl/certs/ssl-cert-snakeoil.pem

I ran into the same thing.

$ openssl x509 -text -noout < /etc/ssl/certs/ssl-cert-snakeoil.pem
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            c9:0e:e4:2c:5b:bd:4e:9f
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = riva.pelham.vpn.ucam.org
        Validity
            Not Before: Jan 20 12:49:46 2009 GMT
            Not After : Jan 18 12:49:46 2019 GMT
        Subject: CN = riva.pelham.vpn.ucam.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption

(So not only small by modern standards, but also expired.)

> My guess would be that the snakeoil key was generated a very long time
> ago, when the key size defaults were less than they are today, and
> buster's libssl is now rejecting the key.

This one is certainly old:

$ ls -l /etc/ssl/certs/ssl-cert-snakeoil.pem
-rw-r--r-- 1 root root 664 Jan 20 2009 /etc/ssl/certs/ssl-cert-snakeoil.pem

"sudo make-ssl-cert generate-default-snakeoil --force-overwrite" as
suggested in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924881#15
fixed this for me as well.

Thanks,
--
Colin Watson [cjwatson@debian.org]
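
Added example, not part of the message above or of any Debian package: a shell check that reads `openssl x509 -text -noout` output and flags the two problems seen in this report, an RSA key below a size floor and a Not After date in the past. The 2048-bit default (the RSA minimum at OpenSSL security level 2), the function names and the use of GNU `date` are assumptions, and the sample dumps are constructed.

```shell
#!/bin/sh
# Added example: triage "openssl x509 -text -noout" output for the two
# problems in this report (short RSA key, expired certificate).
# Assumption: MIN_BITS=2048, the RSA floor of OpenSSL security level 2.
MIN_BITS=${MIN_BITS:-2048}

# first_match SED_EXPR: print the first line of $dump the expression emits.
first_match() { printf '%s\n' "$dump" | sed -n "$1" | head -n 1; }

# check_cert_text: reads the text dump on stdin, prints one finding per line.
# Returns 0 = no finding, 1 = at least one finding, 2 = unparsable input.
check_cert_text() {
    dump=$(cat)
    alg=$(first_match 's/.*Public Key Algorithm: *//p')
    # Matches "RSA Public-Key: (1024 bit)" and the newer "Public-Key: (...)".
    bits=$(first_match 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p')
    not_after=$(first_match 's/^ *Not After *: *//p')
    if [ -z "$bits" ] || [ -z "$not_after" ]; then
        echo "unparsable: key size or Not After missing"
        return 2
    fi
    found=0
    # The size floor here is for RSA only; EC keys are far shorter by design.
    if [ "$alg" = rsaEncryption ] && [ "$bits" -lt "$MIN_BITS" ]; then
        echo "weak-key: $bits bit < $MIN_BITS bit"
        found=1
    fi
    # Assumes GNU date, which parses the "Jan 18 12:49:46 2019 GMT" form.
    expiry=$(date -u -d "$not_after" +%s) || return 2
    if [ "$expiry" -le "$(date -u +%s)" ]; then
        echo "expired: $not_after"
        found=1
    fi
    return "$found"
}

# Constructed sample: the fields the check reads, with the values from the
# dump in this message.
sample_old='            Not After : Jan 18 12:49:46 2019 GMT
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)'
# Constructed sample of a certificate that passes both checks.
sample_new='            Not After : Jan  1 00:00:00 2099 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)'

# Demo: prints the two findings for the old certificate.
printf '%s\n' "$sample_old" | check_cert_text || true
```

For a certificate on disk, pipe the real dump into the function: `openssl x509 -text -noout < /etc/ssl/certs/ssl-cert-snakeoil.pem | check_cert_text`.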