
Bug#946938: marked as done (postgresql-common: pg_upgradecluster woes: fails to upgrade to v12 because ee key too small; postgres also fails to restart after upgrade)

Your message dated Mon, 28 Dec 2020 14:40:15 +0000
with message-id <E1ktth1-0001QL-Kh@fasolo.debian.org>
and subject line Bug#924881: fixed in ssl-cert 1.1.0
has caused the Debian Bug report #924881,
regarding postgresql-common: pg_upgradecluster woes: fails to upgrade to v12 because ee key too small; postgres also fails to restart after upgrade
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

924881: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924881
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: postgresql-common
Version: 210
Severity: important


I've just tried upgrading postgresql from version 11 to version 12,
following the instructions in README.Debian.  (Incidentally, the
example of upgrading from version 9.6 no longer works, as the minor
version should no longer be specified on recent versions.)  Here's
what happens to me:

erdos:~ # pg_dropcluster 12 main --stop
erdos:~ # pg_upgradecluster 11 main
Restarting old cluster with restricted connections...
Notice: extra pg_ctl/postgres options given, bypassing systemctl for start operation
Creating new PostgreSQL cluster 12/main ...
/usr/lib/postgresql/12/bin/initdb -D /var/lib/postgresql/12/main --auth-local peer --auth-host md5 --encoding UTF8 --lc-collate en_GB.UTF-8 --lc-ctype en_GB.UTF-8
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale "en_GB.UTF-8".
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /var/lib/postgresql/12/main ... ok
creating subdirectories ... ok
selecting dynamic shared memory implementation ... posix
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting default time zone ... Europe/London
creating configuration files ... ok
running bootstrap script ... ok
performing post-bootstrap initialization ... ok
syncing data to disk ... ok

Success. You can now start the database server using:

    pg_ctlcluster 12 main start

Ver Cluster Port Status Owner    Data directory              Log file
12  main    5433 down   postgres /var/lib/postgresql/12/main /var/log/postgresql/postgresql-12-main.log

Starting new cluster...
Notice: extra pg_ctl/postgres options given, bypassing systemctl for start operation
Error: /usr/lib/postgresql/12/bin/pg_ctl /usr/lib/postgresql/12/bin/pg_ctl start -D /var/lib/postgresql/12/main -l /var/log/postgresql/postgresql-12-main.log -s -o  -c config_file="/etc/postgresql/12/main/postgresql.conf" -c hba_file=/tmp/pg_hba._zoYwU.conf exited with status 1:
2019-12-18 08:55:15.323 GMT [520011] FATAL:  could not load server certificate file "/etc/ssl/certs/ssl-cert-snakeoil.pem": ee key too small
2019-12-18 08:55:15.323 GMT [520011] LOG:  database system is shut down
pg_ctl: could not start server
Examine the log output.
Error: Could not start target cluster
erdos:~ #

At this point, the postgres process needs to be manually killed.

I'm not sure at which point the check on ee key size was introduced,
but the default settings of switching ssl on and using the snake oil
certificate no longer work.

If I modify /etc/postgresql-common/createcluster.conf to say ssl =
off, then the upgrade part works smoothly.

It would be very helpful, though, for the instruction:

   Success. You can now start the database server using:
       pg_ctlcluster 12 main start

to appear at the end of the output, rather than buried in the middle
of it.

Anyway, following this upgrade, "pg_ctlcluster 12 main start"
successfully starts the postgresql service.  However,
/etc/init.d/postgresql start fails: for some reason, there is no
longer a postgresql@12-main.service file for systemd.  I can't figure
out where this file should have been created, but it hasn't been :/.

Best wishes,


-- System Information:
Debian Release: bullseye/sid
  APT prefers stretch
  APT policy: (500, 'stretch'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.3.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8), LANGUAGE=en_GB.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages postgresql-common depends on:
ii  adduser                   3.118
ii  debconf [debconf-2.0]     1.5.73
ii  lsb-base                  11.1.0
ii  perl                      5.30.0-9
ii  postgresql-client-common  210
ii  procps                    2:3.3.15-2+b1
ii  ssl-cert                  1.0.39
ii  ucf                       3.0038+nmu1

Versions of packages postgresql-common recommends:
ii  e2fsprogs  1.45.4-1
ii  logrotate  3.15.1-2

Versions of packages postgresql-common suggests:
ii  libjson-perl  4.02000-1

-- Configuration Files:
/etc/postgresql-common/createcluster.conf changed:
ssl = on
cluster_name = '%v/%c'
stats_temp_directory = '/var/run/postgresql/%v-%c.pg_stat_tmp'
log_line_prefix = '%%m [%%p] %%q%%u@%%d '
add_include_dir = 'conf.d'
include_dir '/etc/postgresql-common/createcluster.d'

-- debconf information:
  postgresql-common/ssl: true
* postgresql-common/obsolete-major:

--- End Message ---
--- Begin Message ---
Source: ssl-cert
Source-Version: 1.1.0
Done: Stefan Fritsch <sf@debian.org>

We believe that the bug you reported is fixed in the latest version of
ssl-cert, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924881@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Stefan Fritsch <sf@debian.org> (supplier of updated ssl-cert package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 28 Dec 2020 15:20:52 +0100
Source: ssl-cert
Architecture: source
Version: 1.1.0
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Stefan Fritsch <sf@debian.org>
Closes: 924881
 ssl-cert (1.1.0) unstable; urgency=medium
   [ Stefan Fritsch ]
   * Remove obsolete openssl-blacklist suggests.
   * Add some autopkgtests. LP: #1679405
   * Create correct hash symlink. LP: #1324897
   * Automatically re-create the default snakeoil certificate if its key
     length is below 2048 bits or if the signature algorithm is not sha256.
     Closes: #924881
   [ Bryce Harrington ]
   * Refactor make-ssl-cert a bit, add usage message.
   * Add --expiration-days option. LP: #1853021



--- End Message ---
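
The ssl-cert 1.1.0 changelog above re-creates the default snakeoil certificate when its key length is below 2048 bits or its signature algorithm is not sha256. The following is an added example (not part of the original messages and not ssl-cert's own code) that applies the same two criteria to the output of `openssl x509 -noout -text`; the function names and the sample certificate text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not ssl-cert's own code. Thresholds come from the 1.1.0
# changelog entry: key length below 2048 bits, or signature not sha256.
MIN_BITS=2048

# Reads `openssl x509 -noout -text` output on stdin and prints a verdict.
# Returns 0 = keep, 1 = re-create, 2 = input could not be parsed.
cert_verdict() {
    text=$(cat)
    # "Public-Key: (1024 bit)" -> 1024; some OpenSSL versions print "RSA Public-Key:"
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    # First "Signature Algorithm:" line, e.g. sha256WithRSAEncryption
    sigalg=$(printf '%s\n' "$text" |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    if [ -z "$bits" ] || [ -z "$sigalg" ]; then
        echo "error: no key size or signature algorithm found"
        return 2
    fi
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "re-create: key is $bits bits, below $MIN_BITS"
        return 1
    fi
    case $sigalg in
        *[sS][hH][aA]256*) ;;
        *) echo "re-create: signature algorithm is $sigalg"; return 1 ;;
    esac
    echo "keep: $bits bits, $sigalg"
}

# Constructed sample: abbreviated text for a 1024-bit, SHA-1 signed certificate.
sample_weak() {
    cat <<'EOF'
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject: CN = host.example
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
EOF
}

sample_weak | cert_verdict || true

# On a real system (certificate path taken from the log in the report):
#   openssl x509 -noout -text -in /etc/ssl/certs/ssl-cert-snakeoil.pem | cert_verdict
```

Where the verdict is "re-create" on a system that still has an older ssl-cert, `make-ssl-cert generate-default-snakeoil --force-overwrite` writes a new default certificate.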
