Thank you for the detailed bug report. I'll need to think a bit about the maintainer script...
On Fri, 2018-05-18 at 01:27 +0000, brian m. carlson wrote:
> Package: dnssec-trigger
> Version: 0.15+repack-1
> Severity: important
>
> I have two existing installations of dnssec-trigger that have 1536-bit
> client and server keys. I'm using the OpenSSL from experimental, which
> rejects keys of less than 2048 bits in size, as they are presently
> considered too weak. Consequently, dnssec-trigger fails to start:
>
> May 18 01:16:15 genre dnssec-triggerd[721856]: May 18 01:16:15 dnssec-triggerd[721856] error: Error for server-cert-file: /etc/dnssec-trigger/dnssec_trigger_server.pem
> May 18 01:16:15 genre dnssec-triggerd[721856]: May 18 01:16:15 dnssec-triggerd[721856] error: Error in SSL_CTX use_certificate_file crypto error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
> May 18 01:16:15 genre dnssec-triggerd[721856]: May 18 01:16:15 dnssec-triggerd[721856] error: cannot setup SSL context
> May 18 01:16:15 genre dnssec-triggerd[721856]: May 18 01:16:15 dnssec-triggerd[721856] fatal error: could not init server
>
> I noticed the current version of dnssec-trigger uses 3072 bit keys. To
> ensure upgrades continue to work, dnssec-trigger probably needs to
> regenerate the keys if they are too small.
>
> As a potentially relevant note, I noticed the
> dnssec-triggerd-keygen.service creates the keys in /etc, not
> /etc/dnssec-trigger.
>
> -- System Information:
> Debian Release: buster/sid
>   APT prefers unstable-debug
>   APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.15.0-3-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages dnssec-trigger depends on:
> ii  gir1.2-nm-1.0       1.10.8-1
> ii  libc6               2.27-3
> ii  libgdk-pixbuf2.0-0  2.36.11-2
> ii  libglib2.0-0        2.56.1-2
> ii  libgtk2.0-0         2.24.32-1
> ii  libldns2            1.7.0-3+b1
> ii  libssl1.1           1.1.1~~pre6-2
> ii  python3             3.6.5-3
> ii  python3-gi          3.28.2-1
> ii  python3-lockfile    1:0.12.2-2
> ii  unbound             1.6.7-1
>
> dnssec-trigger recommends no packages.
>
> dnssec-trigger suggests no packages.
>
> -- Configuration Files:
> /etc/dnssec-trigger/dnssec-trigger.conf changed:
> url: "http://fedoraproject.org/static/hotspot.txt OK"
> url: "http://ster.nlnetlabs.nl/hotspot.txt OK"
> tcp80: 185.49.140.67
> tcp80: 2a04:b900::10:0:0:67
> ssl443: 185.49.140.67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
> ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
>
> -- no debconf information
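The check the report asks for (regenerate the keys if they are too small) amounts to reading the RSA modulus size out of the existing PEM file and comparing it against the 2048-bit floor that OpenSSL now enforces. The following is an added example of that logic, written here for this thread; it is not code from the dnssec-trigger package or its Debian maintainer script. It parses the PKCS#1 `RSA PRIVATE KEY` / `RSA PUBLIC KEY` structure directly so it has no library dependency; the `regenerate_command` it builds (`openssl genpkey` at 3072 bits, the size the report says upstream now uses) is an assumption about how a maintainer might replace the key, and the fixture generator produces key-shaped blobs that are not usable keys. Certificate files such as the `dnssec_trigger_server.pem` in the log wrap the public key in X.509, which this parser does not unwrap; `openssl x509 -noout -text -in cert.pem` reports the key size for those.

```python
"""Check whether a PEM-encoded RSA key is below the size OpenSSL will accept.

Added example for the dnssec-trigger bug thread; not package code. Parses the
PKCS#1 ASN.1 directly and only shells out to openssl when asked to regenerate.
"""
import base64
import re
import subprocess
import sys

MIN_BITS = 2048   # OpenSSL from experimental rejects smaller "ee key too small"
NEW_BITS = 3072   # size the current upstream dnssec-trigger uses, per the report

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def _der_len(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _integers_in_sequence(der):
    """Return the INTEGER contents of a top-level DER SEQUENCE, in order."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t == 0x02:
            ints.append(v)
    return ints


def rsa_key_bits(pem_text):
    """Bit length of the modulus in a PKCS#1 'RSA PRIVATE KEY' or
    'RSA PUBLIC KEY' PEM block (the formats openssl genrsa / rsa emit)."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label, der = m.group(1), base64.b64decode("".join(m.group(2).split()))
    ints = _integers_in_sequence(der)
    # RSAPrivateKey is { version, n, e, d, ... }; RSAPublicKey is { n, e }.
    modulus = ints[1] if label == "RSA PRIVATE KEY" else ints[0]
    return int.from_bytes(modulus, "big").bit_length()  # 0x00 pad is harmless


def needs_regeneration(pem_text, minimum=MIN_BITS):
    """True when the key is below the floor the TLS library enforces."""
    return rsa_key_bits(pem_text) < minimum


def regenerate_command(path, bits=NEW_BITS):
    """openssl invocation that would replace the key (an assumption; the
    package's own keygen service may use a different tool or format)."""
    return ["openssl", "genpkey", "-algorithm", "RSA",
            "-pkeyopt", f"rsa_keygen_bits:{bits}", "-out", path]


def constructed_rsa_private_pem(bits):
    """Constructed fixture: an RSAPrivateKey-shaped blob whose modulus has
    exactly `bits` bits. The integers are meaningless (not a usable key);
    only the ASN.1 shape is real, which is all the size check reads."""
    modulus = b"\xc1" + b"\x5a" * (bits // 8 - 1)      # top bit set
    fields = [b"\x00", modulus, b"\x01\x00\x01"] + [b"\x07"] * 6
    body = b""
    for f in fields:
        if f[0] & 0x80:                    # DER INTEGER is signed: pad with 0x00
            f = b"\x00" + f
        body += b"\x02" + _der_len(len(f)) + f
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN RSA PRIVATE KEY-----\n{lines}\n-----END RSA PRIVATE KEY-----\n"


if __name__ == "__main__":
    # usage: check_key_size.py /path/to/client_or_server.key [--fix]
    path = sys.argv[1]
    with open(path) as fh:
        pem = fh.read()
    bits = rsa_key_bits(pem)
    if bits >= MIN_BITS:
        print(f"{path}: {bits}-bit key, acceptable")
    else:
        print(f"{path}: {bits}-bit key is below {MIN_BITS}, regeneration needed")
        if "--fix" in sys.argv:
            subprocess.run(regenerate_command(path), check=True)
```

Run against a key file it reports the modulus size and, with `--fix`, overwrites the file with a fresh 3072-bit key; a postinst that did this would also have to reissue the certificate that embeds the old public key, since the "ee key too small" error in the log comes from the certificate, not the bare key file.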