Hi,
in the course of looking into the upgrade failure, I ended up purging
dnssec-trigger and then installed it again. I notice this creates keys
and config files in both /etc/ and /etc/dnssec-trigger?! Different to
Alex, I get traceback in the middle of the log (also for subsequent
attempts to 'apt-get install -f' etc):
Jan 14 20:51:32 thinkpad systemd[1]: Starting Generate keys and certificates
for dnssec-trigger...
Jan 14 20:51:32 thinkpad dnssec-trigger-control-setup[6806]: setup in directory
/etc
Jan 14 20:51:32 thinkpad dnssec-trigger-control-setup[6806]: generating
dnssec_trigger_server.key
Jan 14 20:51:32 thinkpad dnssec-trigger-control-setup[6806]: Generating RSA
private key, 3072 bit long modulus (2 primes)
Jan 14 20:51:32 thinkpad dnssec-trigger-control-setup[6806]:
.............................................................++++
Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]:
..........................................................................................................................................................................++++
Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: e is 65537
(0x010001)
Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: generating
dnssec_trigger_control.key
Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: Generating RSA
private key, 3072 bit long modulus (2 primes)
Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: ...........++++
Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]:
.................................................................................................................................++++
Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: e is 65537
(0x010001)
Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: create
dnssec_trigger_server.pem (self signed certificate)
Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: create
dnssec_trigger_control.pem (signed client certificate)
Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: Signature ok
Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: subject=CN =
dnssec-trigger-control
Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: Getting CA Private
Key
Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: Setup success.
Certificates created.
Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: run this script
again with -i to:
Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: #011- enable
remote-control in unbound.conf
Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: #011- start
unbound-control-setup
Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: #011- add root
trust anchor to unbound.conf
Jan 14 20:51:33 thinkpad dnssec-trigger-control-setup[6806]: if you have not
done this already
Jan 14 20:51:33 thinkpad systemd[1]: Started Generate keys and certificates for
dnssec-trigger.
Jan 14 20:51:33 thinkpad systemd[1]: Starting Reconfigure local DNSSEC resolver
on connectivity changes...
Jan 14 20:51:33 thinkpad dnssec-trigger-script[6819]: Backing up
/etc/resolv.conf as /run/dnssec-trigger/resolv.conf.backup...
Jan 14 20:51:33 thinkpad dnssec-triggerd: [6822] info: dnssec-trigger 0.17 start
Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: Traceback (most recent call
last):
Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: File
"/usr/lib/dnssec-trigger/dnssec-trigger-script", line 774, in <module>
Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: main()
Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: File
"/usr/lib/dnssec-trigger/dnssec-trigger-script", line 761, in main
Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: Application(sys.argv).run()
Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: File
"/usr/lib/dnssec-trigger/dnssec-trigger-script", line 472, in run
Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: self.method()
Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: File
"/usr/lib/dnssec-trigger/dnssec-trigger-script", line 556, in run_setup
Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]:
self._unbound_set_negative_cache_ttl(UNBOUND_MAX_NEG_CACHE_TTL)
Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: File
"/usr/lib/dnssec-trigger/dnssec-trigger-script", line 641, in
_unbound_set_negative_cache_ttl
Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: subprocess.check_call(CMD,
stdout=DEVNULL, stderr=DEVNULL)
Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: File
"/usr/lib/python3.7/subprocess.py", line 347, in check_call
Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: raise
CalledProcessError(retcode, cmd)
Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: subprocess.CalledProcessError:
Command '['unbound-control', 'set_option', 'cache-max-negative-ttl:', '5']'
returned non-zero exit status 1.
Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: chattr: Datei oder Verzeichnis
nicht gefunden beim Auslesen des Status von /etc/resolv.conf
Jan 14 20:51:34 thinkpad dnssec-triggerd: [6822] error: chmod(/etc/resolv.conf)
failed: No such file or directory
Jan 14 20:51:34 thinkpad dnssec-triggerd: [6822] error: cannot open
/var/run/dnssec-trigger/zones: No such file or directory
Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: error: Error setting up SSL_CTX
client cert
Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]:
139691302409536:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too
small:../ssl/ssl_rsa.c:310:
Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: error: Error setting up SSL_CTX
client cert
Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]:
140634252199232:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too
small:../ssl/ssl_rsa.c:310:
Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: error: Error setting up SSL_CTX
client cert
Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]:
139941692548416:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too
small:../ssl/ssl_rsa.c:310:
Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: error: Error setting up SSL_CTX
client cert
Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]:
140564896728384:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too
small:../ssl/ssl_rsa.c:310:
Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]: error: Error setting up SSL_CTX
client cert
Jan 14 20:51:34 thinkpad dnssec-triggerd[6822]:
139702998553920:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too
small:../ssl/ssl_rsa.c:310:
Jan 14 20:51:34 thinkpad kernel: [51521.772186] traps: dnssec-triggerd[6822]
general protection ip:563bc6d85c90 sp:7fff2c281de0 error:0 in
dnssec-triggerd[563bc6d76000+18000]
Jan 14 20:51:34 thinkpad systemd[1]: Started Session c26 of user root.
Jan 14 20:51:34 thinkpad systemd[1]: dnssec-triggerd.service: Main process
exited, code=dumped, status=11/SEGV
Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: Running update all with
these connections:
Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: {
Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: "connections": [
Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: {
Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: "default":
true,
Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: "servers": [
Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]:
"192.168.178.1",
Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]:
"fd00::224:feff:fe7e:9c62"
Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: ],
Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: "type":
"wifi",
Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: "zones": [
Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]:
"fritz.box"
Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: ]
Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: }
Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: ]
Jan 14 20:51:34 thinkpad dnssec-trigger-script[6823]: }
Jan 14 20:51:34 thinkpad systemd[1]: session-c26.scope: Succeeded.
Jan 14 20:51:34 thinkpad systemd[1]: dnssec-triggerd.service: New main PID 6822
does not exist or is a zombie.
Jan 14 20:51:34 thinkpad dnssec-trigger-script[6859]: Recovering
/etc/resolv.conf...
Jan 14 20:51:34 thinkpad dnssec-trigger-script[6859]: Cannot connect to unbound.
Jan 14 20:51:34 thinkpad systemd[1]: dnssec-triggerd.service: Failed with
result 'core-dump'.
Jan 14 20:51:34 thinkpad systemd[1]: Failed to start Reconfigure local DNSSEC
resolver on connectivity changes.
Florian
