Hi Diane,

Diane Trout wrote:
> Was dnssec-triggerd running before the upgrade?

I think so.

> Was there then an upgrade to openssl 1.1.1? and then finally it wouldn't
> start?

That one was much earlier IIRC, like weeks ago.

Anyway, I've now got a second machine with the same symptoms, just now with
sysvinit instead of systemd:

Setting up dnssec-trigger (0.17+repack-1) ...
Installing new version of config file /etc/NetworkManager/dispatcher.d/01-dnssec-trigger ...

Configuration file '/etc/dnssec-trigger/dnssec-trigger.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** dnssec-trigger.conf (Y/I/N/O/D/Z) [default=N] ? d
--- /etc/dnssec-trigger/dnssec-trigger.conf	2017-01-15 19:10:09.588308480 +0100
+++ /etc/dnssec-trigger/dnssec-trigger.conf.dpkg-new	2019-01-13 22:10:28.000000000 +0100
@@ -22,12 +22,10 @@
 # the domain example.com line (if any) to add to resolv.conf(5). default none.
 # domain: ""
-domain: deuxchevaux.org
 
 # domain name search path to add to resolv.conf(5). default none.
 # the search path from DHCP is not picked up, it could be used to misdirect.
 # search: ""
-search: kub.deuxchevaux.org deuxchevaux.org noone.org debian.org ethz.ch lugs.ch
 
 # the command to run to open login pages on hot spots, a web browser.
 # empty string runs no command.
@@ -50,7 +48,7 @@
 # control-cert-file: "/etc/dnssec-trigger/dnssec_trigger_control.pem"
 
 # check for updates, download and ask to install them (for Windows, OSX).
-# check-updates:
+# check-updates: no
 
 # webservers that are probed to see if internet access is possible.
 # They serve a simple static page over HTTP port 80. It probes a random url:
@@ -65,6 +63,7 @@
 url: "http://fedoraproject.org/static/hotspot.txt OK"
 
 # fallback open DNSSEC resolvers that run on TCP port 80 and TCP port 443.
+# These relay incoming DNS traffic on the other port numbers to the usual DNS
 # the ssl443 adds an ssl server IP, you may also specify one or more hashes
 # the following on one line: ssl443:<space><IP>{<space><HASHoutput>}
 # hash is output of openssl x509 -sha256 -fingerprint -in server.pem
@@ -77,3 +76,12 @@
 ssl443: 185.49.140.67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
 ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
+# Use VPN servers for all traffic
+# use-vpn-forwarders: no
+
+# Forward RFC 1918 private addresses to global forwarders
+# use-private-addresses: yes
+
+# Add domains provided by VPN connections into Unbound forward zones
+# add-wifi-provided-zones: no
+
 

Configuration file '/etc/dnssec-trigger/dnssec-trigger.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** dnssec-trigger.conf (Y/I/N/O/D/Z) [default=N] ? n
[....] Restarting : dnssec-triggerdJan 14 21:10:59 dnssec-triggerd[12444] error: Error for server-cert-file: /etc/dnssec-trigger/dnssec_trigger_server.pem
Jan 14 21:10:59 dnssec-triggerd[12444] error: Error in SSL_CTX use_certificate_file crypto error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
Jan 14 21:10:59 dnssec-triggerd[12444] error: cannot setup SSL context
Jan 14 21:10:59 dnssec-triggerd[12444] fatal error: could not init server
 failed!

On this machine, OpenSSL 1.1.1 was installed in August 2018, i.e. about half
a year ago.

> The error message looks like your openssl keys are too small and all
> attempts to control dnssec-triggerd will fail. I modified
> dnssec-trigger-control-setup to check the key size and delete it if it
> was too small. Did the certificates in /etc/dnssec-trigger get
> regenerated?

Clearly not.
They're from 2016 (on the second machine, the other one is currently
sleeping in my backpack):

/etc/dnssec-trigger # ls -l
total 36
-rw-r--r-- 1 root root 3115 Jan 15  2017 dnssec-trigger.conf
-rw-r--r-- 1 root root 3338 Jan 13 22:10 dnssec-trigger.conf.dpkg-dist
-rw-r--r-- 1 root root 3095 Oct  4  2016 dnssec-trigger.conf~
-rw-r--r-- 1 root root 4640 Dec 20  2016 dnssec.conf
-rw-r--r-- 1 root root 1277 May 28  2016 dnssec_trigger_control.key
-rw-r--r-- 1 root root  822 May 28  2016 dnssec_trigger_control.pem
-rw-r----- 1 root root 1277 May 28  2016 dnssec_trigger_server.key
-rw-r--r-- 1 root root  810 May 28  2016 dnssec_trigger_server.pem

> See dnssec-trigger/debian/patches/remove-small-keys.patch for the
> implementation.

/etc/dnssec-trigger # openssl x509 -in dnssec_trigger_control.pem -text | grep 'Public-Key:' | awk 'match($0,/[0-9]+/) {print substr($0, RSTART, RLENGTH)}';
1536
/etc/dnssec-trigger # openssl x509 -in dnssec_trigger_server.pem -text | grep 'Public-Key:' | awk 'match($0,/[0-9]+/) {print substr($0, RSTART, RLENGTH)}';
1536

Regards, Axel
-- 
,''`.  |  Axel Beckert <a...@debian.org>, https://people.debian.org/~abe/
: :' : |  Debian Developer, ftp.ch.debian.org Admin
`. `'  |  4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
  `-   |  1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
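Review bot: In the hunk @@ -22,12 +22,10 @@ of the dpkg conffile diff, the two removed lines `-domain: deuxchevaux.org` and `-search: kub.deuxchevaux.org ...` are the only non-comment differences in the whole diff; answering Y/I at the prompt would discard exactly these local settings and gain nothing functional, so the `n` answer loses no fix for the startup failure, which the log lines place in the certificates rather than in this file.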
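Review bot: The comment added in @@ -65,6 +63,7 @@, `+# These relay incoming DNS traffic on the other port numbers to the usual DNS`, breaks off mid-sentence and is wedged between the `fallback open DNSSEC resolvers` line and the `ssl443` syntax explanation; finish the sentence (name the destination port) or fold it into the preceding comment so the block reads as one description.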
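Review bot: In @@ -77,3 +76,12 @@ the new option `add-wifi-provided-zones` is documented as `Add domains provided by VPN connections into Unbound forward zones`, so either the option name or its comment is wrong; the same block ships `use-private-addresses: yes` with only the line `Forward RFC 1918 private addresses to global forwarders`, and a sentence on what that default means for queries about the local network would help whoever reviews the file at the next conffile prompt.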
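Added example, not Axel's or Diane's code and not part of the Debian package: the key-size check Axel ran by hand, turned into a small POSIX sh script that can be pointed at /etc/dnssec-trigger. It assumes the openssl command-line tool is installed and that the daemon links against an OpenSSL whose default security level is 2, as Debian's 1.1.1 build does, which is what makes 1536-bit end-entity keys fail with "ee key too small"; the level-to-key-size table is OpenSSL's documented one.

```shell
#!/bin/sh
# Added example (not from the bug report or the dnssec-trigger package): check
# whether the RSA keys in dnssec-trigger's PEM certificates meet the OpenSSL
# security level the daemon runs under; Debian's 1.1.1 defaults to level 2 (RSA >= 2048).

# Smallest RSA modulus (bits) OpenSSL accepts at security level $1.
min_rsa_bits_for_level() {
    case "$1" in
        0) echo 0 ;;     1) echo 1024 ;;  2) echo 2048 ;;
        3) echo 3072 ;;  4) echo 7680 ;;  5) echo 15360 ;;
        *) echo "unknown security level: $1" >&2; return 1 ;;
    esac
}

# Print the public key size in bits of the PEM certificate $1. Matches both the
# 1.1.1 text format ("RSA Public-Key: (1536 bit)") and 3.x ("Public-Key: (1536 bit)").
cert_key_bits() {
    openssl x509 -noout -text -in "$1" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed (exit 0) if the key in certificate $1 is acceptable at security level $2.
cert_key_ok_for_level() {
    bits=$(cert_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$(min_rsa_bits_for_level "$2")" ]
}

# Report every *.pem in directory $1 against level $2 (default 2); exit non-zero
# if any key is too small, so the result can gate a regeneration step.
check_cert_dir() {
    level=${2:-2}; rc=0
    for pem in "$1"/*.pem; do
        [ -f "$pem" ] || continue
        if cert_key_ok_for_level "$pem" "$level"; then
            echo "OK   $pem ($(cert_key_bits "$pem") bit)"
        else
            echo "WEAK $pem ($(cert_key_bits "$pem") bit, need $(min_rsa_bits_for_level "$level") at level $level)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed test fixture (not the daemon's real certificate): self-signed cert
# with an RSA key of $1 bits written to $2, its private key to $2.key.
make_test_cert() {
    openssl req -x509 -newkey "rsa:$1" -nodes -days 1 -subj /CN=keysize-test \
        -keyout "$2.key" -out "$2" >/dev/null 2>&1
}
if [ $# -gt 0 ]; then check_cert_dir "$@"; fi   # usage: sh keysize-check.sh DIR [LEVEL]
```

Run it as `sh keysize-check.sh /etc/dnssec-trigger` after an OpenSSL upgrade; a non-zero exit means at least one certificate has to be regenerated before dnssec-triggerd will start again.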