
Bug#924881: postgresql: buster upgrade breaks older postgresql (9.6) and newer postgresql (11) is also inoperative



Control: tag -1 - moreinfo

On Thu, Mar 21, 2019 at 11:39:10AM +0100, Christoph Berg wrote:
> Re: Boyd Stephen Smith Jr. 2019-03-17 <155286006298.75575.15027661784880447919.reportbug@localhost.localdomain>
> > Mar 17 11:57:22 monster postgresql@9.6-main[1380]: The PostgreSQL server failed to start. Please check the log output:
> > Mar 17 11:57:22 monster postgresql@9.6-main[1380]: 2019-03-17 16:57:21 GMT FATAL:  could not load server certificate file "/etc/ssl/certs/ssl-cert-snakeoil.pem": ee key too small
> 
> Hi Boyd,
> 
> that error message is directly from openssl, so unrelated to
> PostgreSQL. What size is the snakeoil key? Could you post the output
> of that command?
> 
>   openssl x509 -text -noout < /etc/ssl/certs/ssl-cert-snakeoil.pem

I ran into the same thing.

  $ openssl x509 -text -noout < /etc/ssl/certs/ssl-cert-snakeoil.pem
  Certificate:
      Data:
          Version: 1 (0x0)
          Serial Number:
              c9:0e:e4:2c:5b:bd:4e:9f
          Signature Algorithm: sha1WithRSAEncryption
          Issuer: CN = riva.pelham.vpn.ucam.org
          Validity
              Not Before: Jan 20 12:49:46 2009 GMT
              Not After : Jan 18 12:49:46 2019 GMT
          Subject: CN = riva.pelham.vpn.ucam.org
          Subject Public Key Info:
              Public Key Algorithm: rsaEncryption
                  RSA Public-Key: (1024 bit)
                  Modulus:
                      00:cc:fc:c8:fe:5f:b7:24:80:74:94:47:88:82:b0:
                      5b:44:42:77:54:22:9e:3f:d5:c0:30:21:08:80:8e:
                      54:1c:1a:2f:4a:96:84:eb:f5:24:96:03:fc:81:46:
                      22:39:a3:10:32:32:d2:61:ec:e9:fe:2a:62:12:e3:
                      e6:4a:d0:c1:92:f3:86:7d:c9:58:c9:d9:57:f1:68:
                      9a:d8:61:27:af:51:12:68:68:2e:9e:6b:e4:74:ce:
                      95:1a:3b:c7:96:c6:32:24:89:f6:00:a8:6b:74:74:
                      46:82:92:d1:dd:18:d5:16:ff:4c:0e:55:e6:5b:d7:
                      81:91:ab:e7:8e:39:6b:07:01
                  Exponent: 65537 (0x10001)
      Signature Algorithm: sha1WithRSAEncryption
           7d:41:0b:ac:14:a4:b3:f0:0d:5a:b6:6c:e2:9e:a9:60:81:70:
           5b:08:c7:f4:c2:6e:7c:c0:ae:0d:d9:80:43:5a:e7:6b:78:48:
           00:3e:a9:2b:45:a4:36:a9:8f:13:2c:b9:ec:42:38:1a:77:ba:
           1b:87:ca:b9:cf:8e:01:a5:e2:ec:29:a4:e9:f5:ec:8a:e1:be:
           85:dd:a6:65:5f:98:8f:bc:cf:9c:ee:0c:78:83:00:98:0f:5e:
           45:71:66:e4:20:ec:3e:40:8f:01:00:2f:68:af:97:d5:c7:cd:
           8c:17:a1:a4:74:c6:ae:91:9b:ba:29:f0:e4:5a:bb:39:e6:49:
           71:20

(So not only small by modern standards, but also expired.)

> My guess would be that the snakeoil key was generated a very long time
> ago, when the key size defaults were less than they are today, and
> buster's libssl is now rejecting the key.

This one is certainly old:

  $ ls -l /etc/ssl/certs/ssl-cert-snakeoil.pem
  -rw-r--r-- 1 root root 664 Jan 20  2009 /etc/ssl/certs/ssl-cert-snakeoil.pem

"sudo make-ssl-cert generate-default-snakeoil --force-overwrite" as
suggested in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924881#15
fixed this for me as well.

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]
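
Added example, not part of the original message: a shell function that reads the `openssl x509 -text -noout` output shown above and reports the two problems noted in this thread, an RSA key below a minimum size and a validity period that has ended. The function names, the 2048-bit default and the trimmed sample text are assumptions made for illustration.

```shell
#!/bin/sh
# Usage: openssl x509 -text -noout < cert.pem | audit_cert_text [min_bits] [now]
#   min_bits  smallest RSA modulus accepted; 2048 is an assumed default
#             (the RSA minimum at OpenSSL security level 2)
#   now       reference time, YYYYMMDDHHMMSS in UTC (default: current time)
# Prints one line per finding; returns 0 if clean, 1 otherwise.
audit_cert_text() {
    awk -v min="${1:-2048}" -v now="${2:-$(date -u +%Y%m%d%H%M%S)}" '
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", name, " ")
        for (i = 1; i <= n; i++) mon[name[i]] = i
    }
    /Public Key Algorithm:/ { alg = $NF }
    # "RSA Public-Key: (1024 bit)" in OpenSSL 1.1.x, "Public-Key: (...)" in 3.x
    /Public-Key: \(/ {
        bits = $0; sub(/.*\(/, "", bits); sub(/ bit.*/, "", bits)
    }
    /Not After *:/ {
        s = $0; sub(/.*Not After *: */, "", s)
        split(s, f, "[ :]+")      # Mon DD HH MM SS YYYY GMT
        expiry = sprintf("%04d%02d%02d%02d%02d%02d",
                         f[6], mon[f[1]], f[2], f[3], f[4], f[5])
    }
    END {
        # Only RSA is compared against min; EC key sizes are not comparable.
        if (alg == "rsaEncryption" && bits + 0 < min + 0) {
            printf "RSA key too small: %d < %d bits\n", bits, min; bad = 1
        }
        if (expiry != "" && (expiry "") < (now "")) {
            printf "expired: notAfter %s UTC\n", expiry; bad = 1
        }
        exit bad + 0
    }'
}

# Constructed sample: the openssl output posted above, trimmed to the
# fields the audit reads.
sample_cert_text() {
    cat <<'EOF'
Certificate:
    Data:
        Validity
            Not Before: Jan 20 12:49:46 2009 GMT
            Not After : Jan 18 12:49:46 2019 GMT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
EOF
}

sample_cert_text | audit_cert_text 2048 || echo "certificate needs regenerating"
```
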

