Your message dated Sun, 13 Jan 2019 22:49:22 +0000
with message-id <e1giozg-0000ni...@fasolo.debian.org>
and subject line Bug#898969: fixed in dnssec-trigger 0.17+repack-1
has caused the Debian Bug report #898969,
regarding dnssec-trigger: fails with OpenSSL 1.1.1 due to too-small key and unknown ca
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
898969: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898969
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dnssec-trigger
Version: 0.15+repack-1
Severity: important

I have two existing installations of dnssec-trigger that have 1536-bit
client and server keys.  I'm using the OpenSSL from experimental, which
rejects keys of less than 2048 bits in size, as they are presently
considered too weak.  Consequently, dnssec-trigger fails to start:

May 18 01:16:15 genre dnssec-triggerd[721856]: May 18 01:16:15 dnssec-triggerd[721856] error: Error for server-cert-file: /etc/dnssec-trigger/dnssec_trigger_server.pem
May 18 01:16:15 genre dnssec-triggerd[721856]: May 18 01:16:15 dnssec-triggerd[721856] error: Error in SSL_CTX use_certificate_file crypto error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
May 18 01:16:15 genre dnssec-triggerd[721856]: May 18 01:16:15 dnssec-triggerd[721856] error: cannot setup SSL context
May 18 01:16:15 genre dnssec-triggerd[721856]: May 18 01:16:15 dnssec-triggerd[721856] fatal error: could not init server

I noticed the current version of dnssec-trigger uses 3072 bit keys.  To
ensure upgrades continue to work, dnssec-trigger probably needs to
regenerate the keys if they are too small.

As a potentially relevant note, I noticed the
dnssec-triggerd-keygen.service creates the keys in /etc, not
/etc/dnssec-trigger.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dnssec-trigger depends on:
ii  gir1.2-nm-1.0       1.10.8-1
ii  libc6               2.27-3
ii  libgdk-pixbuf2.0-0  2.36.11-2
ii  libglib2.0-0        2.56.1-2
ii  libgtk2.0-0         2.24.32-1
ii  libldns2            1.7.0-3+b1
ii  libssl1.1           1.1.1~~pre6-2
ii  python3             3.6.5-3
ii  python3-gi          3.28.2-1
ii  python3-lockfile    1:0.12.2-2
ii  unbound             1.6.7-1

dnssec-trigger recommends no packages.

dnssec-trigger suggests no packages.

-- Configuration Files:
/etc/dnssec-trigger/dnssec-trigger.conf changed:
url: "http://fedoraproject.org/static/hotspot.txt OK"
url: "http://ster.nlnetlabs.nl/hotspot.txt OK"
tcp80: 185.49.140.67
tcp80: 2a04:b900::10:0:0:67
ssl443: 185.49.140.67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF


-- no debconf information

-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204


--- End Message ---
--- Begin Message ---
Source: dnssec-trigger
Source-Version: 0.17+repack-1

We believe that the bug you reported is fixed in the latest version of
dnssec-trigger, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 898...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Diane Trout <di...@ghic.org> (supplier of updated dnssec-trigger package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 13 Jan 2019 13:10:28 -0800
Source: dnssec-trigger
Binary: dnssec-trigger
Architecture: source
Version: 0.17+repack-1
Distribution: unstable
Urgency: medium
Maintainer: dnssec-trigger packagers <dnssec-trig...@packages.debian.org>
Changed-By: Diane Trout <di...@ghic.org>
Description:
 dnssec-trigger - reconfiguration tool to make DNSSEC work
Closes: 898969
Changes:
 dnssec-trigger (0.17+repack-1) unstable; urgency=medium
 .
   * New upstream release
   * Refresh patches
   * Remove 0001-dnssec-trigger-openssl-1.1.0-fixup.patch
   * Remove 0007-use-libnm.patch, resolved upstream
   * Delete some test artifacts that weren't being cleaned
   * Refresh reproducible-build.patch
   * Enable with-forward-zones-support
   * Add build and install dependency on sensible-utils.
   * Add libcmocka-dev dependency, needed for some of upstream's test code
   * Require that libssl 1.1 is installed before we upgrade.
   * Regenerate control keys that are too small on startup (Closes: #898969)
   * Test to see if #779298 was fixed
   * Test that #898969 is fixed
   * Add patch dont-delete-unknown-names.patch
   * Update Standards-Version to 4.3.0. No changes needed
   * Change breaks: to conflicts: resolvconf

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
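
One way to implement the check the report asks for and the 0.17+repack-1 changelog describes (detect control keys that are too small before the daemon starts), as an added example that is not the Debian package's own code. The 2048-bit limit comes from the report; the function names, the `*.pem` certificate naming and the assumption that the keys are RSA are this example's.

```shell
#!/bin/sh
# Added example, not the package's code. MIN_BITS is the 2048-bit limit
# cited in the report; the *.pem certificate naming is an assumption.
MIN_BITS=${MIN_BITS:-2048}

# Print the public-key size in bits of the PEM certificate $1.
cert_key_bits() {
    bits=$(openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] || return 1      # unreadable or not a certificate
    echo "$bits"
}

# Print "path bits" for every certificate in directory $1 below MIN_BITS.
weak_certs() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        bits=$(cert_key_bits "$f") || continue
        if [ "$bits" -lt "$MIN_BITS" ]; then
            echo "$f $bits"
        fi
    done
}

# Constructed sample data: self-signed certificate $1.pem with a $2-bit RSA key.
make_sample_cert() {
    openssl req -x509 -newkey "rsa:$2" -nodes -days 1 -subj "/CN=constructed" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

case "${1:-}" in
    "") ;;                          # no argument: only define the functions
    --selftest)                     # run against constructed certificates
        d=$(mktemp -d)
        make_sample_cert "$d/old" 1536
        make_sample_cert "$d/new" 2048
        weak_certs "$d"
        rm -rf "$d" ;;
    *)                              # e.g. sh check-keys.sh /etc/dnssec-trigger
        weak=$(weak_certs "$1")
        if [ -n "$weak" ]; then
            echo "control keys below $MIN_BITS bits, regenerate them:" >&2
            echo "$weak"
            exit 1
        fi ;;
esac
```

A non-zero exit status makes the script usable as a pre-start gate; regenerating the flagged key pairs is left to the package's own key generation step.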
