Control: reopen -1
Control: found -1 0.17+repack-2

Hi Diane,

Diane Trout wrote:
> I found the place that was causing the segfault on installation, made a
> patch, it worked for me, and I pushed a new release.

Thanks for caring and looking into it.

> Please let me know if dnssec-trigger-0.17+repack-2 works for you.

Unfortunately not:

Preparing to unpack .../dnssec-trigger_0.17+repack-2_amd64.deb ...
Unpacking dnssec-trigger (0.17+repack-2) over (0.17+repack-1) ...
Setting up dnssec-trigger (0.17+repack-2) ...
[....] Restarting : dnssec-triggerdJan 16 08:36:03 dnssec-triggerd[31539] error: Error for server-cert-file: /etc/dnssec-trigger/dnssec_trigger_server.pem
Jan 16 08:36:03 dnssec-triggerd[31539] error: Error in SSL_CTX use_certificate_file crypto error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
Jan 16 08:36:03 dnssec-triggerd[31539] error: cannot setup SSL context
Jan 16 08:36:03 dnssec-triggerd[31539] fatal error: could not init server
 failed!

So the service start still failed, but the package upgraded now
properly (which I don't think happened before, but IMHO shouldn't
happen in this case anyway) while still failing to start, also on the
command line:

# service dnssec-triggerd start
Jan 16 08:46:36 dnssec-triggerd[32323] error: Error for server-cert-file: /etc/dnssec-trigger/dnssec_trigger_server.pem
Jan 16 08:46:36 dnssec-triggerd[32323] error: Error in SSL_CTX use_certificate_file crypto error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
Jan 16 08:46:36 dnssec-triggerd[32323] error: cannot setup SSL context
Jan 16 08:46:36 dnssec-triggerd[32323] fatal error: could not init server
#

Reason seems to be at least in this case that
dnssec-trigger-control-setup (which you patched for the key length
check) is never called in my case.

From the postinst script:

# summary of how this script can be called:
#        * <postinst> `configure' <most-recently-configured-version>
[...]
case "$1" in
    configure)
        # configure the control channel if run for the first time
        if [ -z "$2" ]; then
            dnssec-trigger-control-setup
        fi
    ;;

So as I read it, dnssec-trigger-control-setup is only called if there
was no previously configured version installed and is hence never
called when upgrading the package and hence never removes the too
small old keys on upgrade.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <a...@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
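
The upgrade gap described in the message above, as an added example that is not part of the original mail or of the package's maintainer scripts: a decision helper that also triggers control-channel setup when an existing certificate's key is below a minimum size, not only when "$2" is empty. The function names, the 2048-bit threshold and the sample certificate excerpts are assumptions made for this sketch; how the old key files are replaced is left to dnssec-trigger-control-setup.

```shell
#!/bin/sh
# Added illustration; not the dnssec-trigger package's postinst.
# MIN_RSA_BITS is an assumed policy value, not taken from the thread.
MIN_RSA_BITS=2048

# Constructed excerpts of `openssl x509 -noout -text` output (not real certs).
SAMPLE_OLD_CERT='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)'
SAMPLE_NEW_CERT='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)'

# Read `openssl x509 -noout -text` output on stdin, print the key size in bits.
cert_key_bits() {
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# $1: previously configured version (postinst's "$2", empty on first install)
# $2: key size of the existing server certificate, empty if it could not be read
# Prints "keep" or "setup:<reason>"; always returns 0 so it is safe under set -e.
control_setup_decision() {
    prev_version=$1
    bits=$2
    if [ -z "$prev_version" ]; then
        echo "setup:fresh-install"
        return 0
    fi
    case "$bits" in
        ''|*[!0-9]*) echo "setup:cert-unreadable"; return 0 ;;
    esac
    if [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "setup:key-too-small"
    else
        echo "keep"
    fi
}

# How a maintainer script could wire it up (hypothetical, $cert is the PEM path):
# existing_bits=$(openssl x509 -in "$cert" -noout -text 2>/dev/null | cert_key_bits)
# control_setup_decision "$2" "$existing_bits"
```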