Hi Diane,

Diane Trout wrote:
> Was dnssec-triggerd running before the upgrade?

I think so.

> Was there then an
> upgrade to openssl 1.1.1? and then finally it wouldn't start?

That one was much earlier IIRC, like weeks ago.

Anyway, I've now got a second machine with the same symptoms, just now
with sysvinit instead of systemd:

Setting up dnssec-trigger (0.17+repack-1) ...
Installing new version of config file 
/etc/NetworkManager/dispatcher.d/01-dnssec-trigger ...

Configuration file '/etc/dnssec-trigger/dnssec-trigger.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** dnssec-trigger.conf (Y/I/N/O/D/Z) [default=N] ? d
--- /etc/dnssec-trigger/dnssec-trigger.conf     2017-01-15 19:10:09.588308480 
+0100
+++ /etc/dnssec-trigger/dnssec-trigger.conf.dpkg-new    2019-01-13 
22:10:28.000000000 +0100
@@ -22,12 +22,10 @@

 # the domain example.com line (if any) to add to resolv.conf(5). default none.
 # domain: ""
-domain: deuxchevaux.org

 # domain name search path to add to resolv.conf(5). default none.
 # the search path from DHCP is not picked up, it could be used to misdirect.
 # search: ""
-search: kub.deuxchevaux.org deuxchevaux.org noone.org debian.org ethz.ch 
lugs.ch

 # the command to run to open login pages on hot spots, a web browser.
 # empty string runs no command.
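
Review bot: the two `-` lines in this hunk (`-domain: deuxchevaux.org` and the `-search: kub.deuxchevaux.org ...` line) are the local customisations, not settings the maintainer removed: the diff runs from the installed file to the `.dpkg-new` version, so answering Y here would silently drop both. Keep the current version (as was done with `n` below) or merge the two lines into the new file before installing it.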
@@ -50,7 +48,7 @@
 # control-cert-file: "/etc/dnssec-trigger/dnssec_trigger_control.pem"

 # check for updates, download and ask to install them (for Windows, OSX).
-# check-updates:
+# check-updates: no

 # webservers that are probed to see if internet access is possible.
 # They serve a simple static page over HTTP port 80.  It probes a random url:
@@ -65,6 +63,7 @@
 url: "http://fedoraproject.org/static/hotspot.txt OK"

 # fallback open DNSSEC resolvers that run on TCP port 80 and TCP port 443.
+# These relay incoming DNS traffic on the other port numbers to the usual DNS
 # the ssl443 adds an ssl server IP, you may also specify one or more hashes
 # the following on one line: ssl443:<space><IP>{<space><HASHoutput>}
 # hash is output of openssl x509 -sha256 -fingerprint -in server.pem
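
Review bot: the added comment `+# These relay incoming DNS traffic on the other port numbers to the usual DNS` is an incomplete sentence and lands between the existing `# fallback open DNSSEC resolvers ...` line and the `# the ssl443 adds ...` description, so it reads as though it belonged to the ssl443 syntax note. Finish the sentence (e.g. "... to the usual DNS port") or fold it into the line above it.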
@@ -77,3 +76,12 @@
 ssl443: 185.49.140.67 
7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
 ssl443: 2a04:b900::10:0:0:67 
7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF

+# Use VPN servers for all traffic
+# use-vpn-forwarders: no
+
+# Forward RFC 1918 private addresses to global forwarders
+# use-private-addresses: yes
+
+# Add domains provided by VPN connections into Unbound forward zones
+# add-wifi-provided-zones: no
+
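
Review bot: the comment for the new `add-wifi-provided-zones` option says "domains provided by VPN connections", which contradicts the option name (wifi) and reuses the VPN wording of `use-vpn-forwarders` two entries up; the comment should state which connection type the option actually covers. The hunk also adds a trailing blank `+` line after the last option that can be dropped.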

Configuration file '/etc/dnssec-trigger/dnssec-trigger.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** dnssec-trigger.conf (Y/I/N/O/D/Z) [default=N] ? n
[....] Restarting : dnssec-triggerdJan 14 21:10:59 dnssec-triggerd[12444] 
error: Error for server-cert-file: /etc/dnssec-trigger/dnssec_trigger_server.pem
Jan 14 21:10:59 dnssec-triggerd[12444] error: Error in SSL_CTX 
use_certificate_file crypto error:140AB18F:SSL 
routines:SSL_CTX_use_certificate:ee key too small
Jan 14 21:10:59 dnssec-triggerd[12444] error: cannot setup SSL context
Jan 14 21:10:59 dnssec-triggerd[12444] fatal error: could not init server
 failed!

On this machine, OpenSSL 1.1.1 was installed in August 2018, i.e.
about half a year ago.
 
> The error message looks like your openssl keys are too small and all
> attempts to control dnssec-triggerd will fail. I modified dnssec-
> trigger-control-setup to check the key size and delete it if it was too
> small. Did the certificates in /etc/dnssec-trigger get regenerated?

Clearly not. They're from 2016 (on the second machine, the other one
is currently sleeping in my backpack):

/etc/dnssec-trigger # ls -l
total 36
-rw-r--r-- 1 root root 3115 Jan 15  2017 dnssec-trigger.conf
-rw-r--r-- 1 root root 3338 Jan 13 22:10 dnssec-trigger.conf.dpkg-dist
-rw-r--r-- 1 root root 3095 Oct  4  2016 dnssec-trigger.conf~
-rw-r--r-- 1 root root 4640 Dec 20  2016 dnssec.conf
-rw-r--r-- 1 root root 1277 May 28  2016 dnssec_trigger_control.key
-rw-r--r-- 1 root root  822 May 28  2016 dnssec_trigger_control.pem
-rw-r----- 1 root root 1277 May 28  2016 dnssec_trigger_server.key
-rw-r--r-- 1 root root  810 May 28  2016 dnssec_trigger_server.pem

> See dnssec-trigger/debian/patches/remove-small-keys.patch for the
> implementation.

/etc/dnssec-trigger # openssl x509 -in dnssec_trigger_control.pem -text | grep 'Public-Key:' | awk 'match($0,/[0-9]+/) {print substr($0, RSTART, RLENGTH)}'
1536
/etc/dnssec-trigger # openssl x509 -in dnssec_trigger_server.pem -text | grep 'Public-Key:' | awk 'match($0,/[0-9]+/) {print substr($0, RSTART, RLENGTH)}'
1536

                Regards, Axel
-- 
 ,''`.  |  Axel Beckert <a...@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

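Added example, not part of the bug report above and not code from the dnssec-trigger package: a small POSIX shell script that generalises the `openssl x509 ... | grep 'Public-Key:'` one-liner in the mail. It reads the public key algorithm and size of each PEM certificate given on the command line and compares the size against the 2048-bit RSA minimum that OpenSSL 1.1.1 enforces at its default security level (SECLEVEL 2), which is what produces `SSL_CTX_use_certificate:ee key too small`. The file names are the caller's; the script only assumes an `openssl` binary (1.0.x, 1.1.1 or 3.x) on PATH.

```shell
#!/bin/sh
# Added example (not from the bug report or the dnssec-trigger package):
# report the public key size of X.509 certificates in PEM files and flag
# RSA keys that OpenSSL 1.1.1 refuses at its default security level.
# SECLEVEL 2 requires RSA keys of at least 2048 bits; a 1536-bit key
# yields "ee key too small" when loaded into an SSL_CTX.

MIN_BITS=2048   # OpenSSL 1.1.1 default (SECLEVEL 2) minimum for RSA

# cert_key_alg FILE: print the public key algorithm of the first certificate
# in FILE (e.g. "rsaEncryption"), or nothing if FILE cannot be parsed.
cert_key_alg() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | sed -n 's/.*Public Key Algorithm: \(.*\)/\1/p' \
        | head -n 1
}

# cert_key_bits FILE: print the public key size in bits, or nothing if FILE
# cannot be parsed. Matches both "RSA Public-Key: (1536 bit)" (1.1.1) and
# "Public-Key: (1536 bit)" (1.0.x and 3.x).
cert_key_bits() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' \
        | head -n 1
}

# cert_key_ok FILE: succeed only if FILE holds a readable RSA certificate
# whose key meets MIN_BITS.
cert_key_ok() {
    alg=$(cert_key_alg "$1")
    bits=$(cert_key_bits "$1")
    [ "$alg" = "rsaEncryption" ] && [ -n "$bits" ] && [ "$bits" -ge "$MIN_BITS" ]
}

# check_certs FILE...: print one line per certificate and return 1 if any
# certificate is unreadable or would be rejected by OpenSSL 1.1.1.
check_certs() {
    rc=0
    for f in "$@"; do
        alg=$(cert_key_alg "$f")
        bits=$(cert_key_bits "$f")
        if [ -z "$bits" ]; then
            printf '%s: no readable certificate\n' "$f"
            rc=1
        elif [ "$alg" != "rsaEncryption" ]; then
            # The 2048-bit threshold is an RSA rule; other key types are reported only.
            printf '%s: %s, %s bit, not RSA (threshold not applied)\n' "$f" "$alg" "$bits"
        elif [ "$bits" -lt "$MIN_BITS" ]; then
            printf '%s: %s bit RSA key, rejected by OpenSSL 1.1.1 SECLEVEL 2 (needs >= %s)\n' \
                "$f" "$bits" "$MIN_BITS"
            rc=1
        else
            printf '%s: %s bit RSA key, ok\n' "$f" "$bits"
        fi
    done
    return "$rc"
}

# When run with paths, check them, e.g. on the machine from the mail:
#   sh check-certs.sh /etc/dnssec-trigger/dnssec_trigger_*.pem
if [ "$#" -gt 0 ]; then
    check_certs "$@"
fi
```

A non-zero exit from `check_certs` on `dnssec_trigger_server.pem` is the same condition `dnssec-triggerd` hits at startup, so the script can be run from a maintainer script or a monitoring check before the daemon is restarted rather than discovering the problem in the restart log.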