Control: reopen -1
Control: found -1 0.17+repack-2

Hi Diane,

Diane Trout wrote:
> I found the place that was causing the segfault on installation, made a
> patch, it worked for me, and I pushed a new release.

Thanks for caring and looking into it.

> Please let me know if dnssec-trigger-0.17+repack-2 works for you.

Unfortunately not:

Preparing to unpack .../dnssec-trigger_0.17+repack-2_amd64.deb ...
Unpacking dnssec-trigger (0.17+repack-2) over (0.17+repack-1) ...
Setting up dnssec-trigger (0.17+repack-2) ...
[....] Restarting : dnssec-triggerdJan 16 08:36:03 dnssec-triggerd[31539] 
error: Error for server-cert-file: /etc/dnssec-trigger/dnssec_trigger_server.pem
Jan 16 08:36:03 dnssec-triggerd[31539] error: Error in SSL_CTX 
use_certificate_file crypto error:140AB18F:SSL 
routines:SSL_CTX_use_certificate:ee key too small
Jan 16 08:36:03 dnssec-triggerd[31539] error: cannot setup SSL context
Jan 16 08:36:03 dnssec-triggerd[31539] fatal error: could not init server
 failed!

So the service start still failed, but the package upgraded now
properly (which I don't think happened before, but IMHO shouldn't
happen in this case anyway) while still failing to start, also on the
commandline:

# service dnssec-triggerd start
Jan 16 08:46:36 dnssec-triggerd[32323] error: Error for server-cert-file: 
/etc/dnssec-trigger/dnssec_trigger_server.pem
Jan 16 08:46:36 dnssec-triggerd[32323] error: Error in SSL_CTX 
use_certificate_file crypto error:140AB18F:SSL 
routines:SSL_CTX_use_certificate:ee key too small
Jan 16 08:46:36 dnssec-triggerd[32323] error: cannot setup SSL context
Jan 16 08:46:36 dnssec-triggerd[32323] fatal error: could not init server
#

Reason seems to be at least in this case that
dnssec-trigger-control-setup (which you patched for the key length
check) is never called in my case.

From the postinst script:

# summary of how this script can be called:
#        * <postinst> `configure' <most-recently-configured-version>
[...]
case "$1" in
    configure)
        # configure the control channel if run for the first time
        if [ -z "$2" ]; then
            dnssec-trigger-control-setup
        fi
    ;;

So as I read it, dnssec-trigger-control-setup is only called if there
was no previously configured version installed and is hence never
called when upgrading the package and hence never removes the too
small old keys on upgrade.

                Regards, Axel
-- 
 ,''`.  |  Axel Beckert <a...@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
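
Added example (not part of the original message and not the package's own postinst): a sketch of the upgrade case described above, where the maintainer script also looks at the key size of an already installed server certificate instead of only testing for a first install. The 2048-bit threshold, the function names and the sample certificate text are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not the dnssec-trigger postinst.
# Assumption: keys shorter than MIN_BITS are the ones rejected with
# "ee key too small"; adjust to the local OpenSSL policy.
MIN_BITS=2048

# Read the output of `openssl x509 -noout -text` on stdin and print the
# public key size in bits (prints nothing if no size line is found).
cert_key_bits() {
    sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Decide whether the control-channel keys must be (re)generated.
#   $1 = postinst action
#   $2 = most recently configured version (empty on first install)
#   $3 = key size of the installed server cert (empty if unreadable)
needs_control_setup() {
    if [ "$1" != "configure" ]; then return 1; fi
    # First install: same behaviour as the quoted postinst.
    if [ -z "$2" ]; then return 0; fi
    # Upgrade with a missing or unparseable certificate: regenerate.
    case "$3" in
        ''|*[!0-9]*) return 0 ;;
    esac
    # Upgrade with an existing certificate: regenerate only if too short.
    [ "$3" -lt "$MIN_BITS" ]
}

# Constructed sample of the relevant part of `openssl x509 -text` output.
SAMPLE_CERT_TEXT='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)'

bits=$(printf '%s\n' "$SAMPLE_CERT_TEXT" | cert_key_bits)
if needs_control_setup configure "0.17+repack-1" "$bits"; then
    echo "upgrade with ${bits}-bit key: would run dnssec-trigger-control-setup"
fi

# In a real postinst the wiring would look like this (this relies on the
# patched dnssec-trigger-control-setup replacing short keys, as the
# message describes):
#   CERT=/etc/dnssec-trigger/dnssec_trigger_server.pem
#   bits=$(openssl x509 -in "$CERT" -noout -text 2>/dev/null | cert_key_bits)
#   if needs_control_setup "$1" "$2" "$bits"; then
#       dnssec-trigger-control-setup
#   fi
```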
