Description Felix Botner 2022-02-23 13:48:08 CET

By default our postgresql config/server uses "/etc/ssl/certs/ssl-cert-snakeoil.pem/key" as "ssl_cert_file/ssl_key_file".

This certificate is created during the installation of the ssl-cert package.

Now i have a very old system, with a very old ssl-cert-snakeoil.pem cert (see attachments). This is a UCS 4.4-8 with postgresql 9.4. During the update i had to migrate to postgresql 9.6.

After the update to 5.0-1 postgresql refuses to start with:

Feb 23 10:56:10 master systemd[1]: Starting PostgreSQL Cluster 9.6-main...
Feb 23 10:56:11 master postgresql@9.6-main[6510]: The PostgreSQL server failed to start. Please check the log output:
Feb 23 10:56:11 master postgresql@9.6-main[6510]: 2022-02-23 10:56:10 CET [6514-1] FATAL:  konnte Serverzertifikatsdatei »/etc/ssl/certs/ssl-cert-snakeoil.pem« nicht laden: ee key too small
Feb 23 10:56:11 master postgresql@9.6-main[6510]: 2022-02-23 10:56:10 CET [6514-2] LOG:  Datenbanksystem ist heruntergefahren
Feb 23 10:56:11 master systemd[1]: postgresql@9.6-main.service: Can't open PID file /run/postgresql/9.6-main.pid (yet?) after start: No such file or directory
Feb 23 10:56:11 master systemd[1]: postgresql@9.6-main.service: Failed with result 'protocol'.
Feb 23 10:56:11 master systemd[1]: Failed to start PostgreSQL Cluster 9.6-main.

After regenerating the certificate with

-> make-ssl-cert generate-default-snakeoil --force-overwrite

everything was fine.

So we better should not use this snakeoil certificate in postgresql (or any other service), or we should at least check if the certificate is still valid.