Univention Bugzilla – Bug 54482
PostgreSQL 9.6 does not start after update to 5.0-1 with old ssl-cert-snakeoil.pem
Last modified: 2022-02-24 18:14:57 CET
By default our postgresql config/server uses "/etc/ssl/certs/ssl-cert-snakeoil.pem/key" as "ssl_cert_file/ssl_key_file". This certificate is created during the installation of the ssl-cert package.

Now I have a very old system, with a very old ssl-cert-snakeoil.pem cert (see attachments). This is a UCS 4.4-8 with postgresql 9.4. During the update I had to migrate to postgresql 9.6.

After the update to 5.0-1 postgresql refuses to start with:

Feb 23 10:56:10 master systemd[1]: Starting PostgreSQL Cluster 9.6-main...
Feb 23 10:56:11 master postgresql@9.6-main[6510]: The PostgreSQL server failed to start. Please check the log output:
Feb 23 10:56:11 master postgresql@9.6-main[6510]: 2022-02-23 10:56:10 CET [6514-1] FATAL: konnte Serverzertifikatsdatei »/etc/ssl/certs/ssl-cert-snakeoil.pem« nicht laden: ee key too small
Feb 23 10:56:11 master postgresql@9.6-main[6510]: 2022-02-23 10:56:10 CET [6514-2] LOG: Datenbanksystem ist heruntergefahren
Feb 23 10:56:11 master systemd[1]: postgresql@9.6-main.service: Can't open PID file /run/postgresql/9.6-main.pid (yet?) after start: No such file or directory
Feb 23 10:56:11 master systemd[1]: postgresql@9.6-main.service: Failed with result 'protocol'.
Feb 23 10:56:11 master systemd[1]: Failed to start PostgreSQL Cluster 9.6-main.

After regenerating the certificate with

-> make-ssl-cert generate-default-snakeoil --force-overwrite

everything was fine.

So we had better not use this snakeoil certificate in postgresql (or any other service), or we should at least check if the certificate is still valid.
Created attachment 10921: ssl-cert-snakeoil.key
Created attachment 10922: ssl-cert-snakeoil.pem
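Added example, not part of the original report and not Univention's code: a pre-update check of the kind the report asks for. OpenSSL reports "ee key too small" when the server certificate's key is below the minimum of the active security level; the 2048-bit RSA threshold used here (security level 2) is an assumption, since the report states neither the old key size nor the configured level.

```shell
#!/bin/sh
# Constructed example: flag certificates that a newer OpenSSL would refuse to
# load. MIN_RSA_BITS=2048 is an assumption (RSA minimum at security level 2).
MIN_RSA_BITS=${MIN_RSA_BITS:-2048}

# check_cert FILE
# returns 0 = usable, 1 = RSA key too small or certificate expired,
#         2 = unreadable or not an RSA certificate (not judged here)
check_cert() {
    cert=$1
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "SKIP $cert: cannot parse as PEM certificate"; return 2; }
    printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' || {
        echo "SKIP $cert: not an RSA key"; return 2; }
    # "RSA Public-Key: (1024 bit)" in OpenSSL 1.1.x, "Public-Key: (1024 bit)" in 3.x
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] || { echo "SKIP $cert: key size not found"; return 2; }
    status=0
    if [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "FAIL $cert: RSA $bits bit, minimum is $MIN_RSA_BITS"
        status=1
    fi
    # -checkend 0 exits non-zero when notAfter is already in the past
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL $cert: certificate has expired"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK   $cert: RSA $bits bit, not expired"
    return "$status"
}

# Check every file given on the command line; exit status is the worst result.
main() {
    worst=0
    for f in "$@"; do
        rc=0; check_cert "$f" || rc=$?
        [ "$rc" -gt "$worst" ] && worst=$rc
    done
    return "$worst"
}
main "$@"
```

Saved under a hypothetical name such as check-cert.sh, it would be run before the update as `sh check-cert.sh /etc/ssl/certs/ssl-cert-snakeoil.pem`; a FAIL result is the case the report fixed with make-ssl-cert.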