Control: reassign -1 ssl-cert Re: Boyd Stephen Smith Jr. 2019-03-23 <2814398.NhXIpRQrxM@monster> > > My guess would be that the snakeoil key was generated a very long time > > ago, when the key size defaults were less than they are today, and > > buster's libssl is now rejecting the key. > > Yes, I was able to run: > > sudo make-ssl-cert generate-default-snakeoil --force-overwrite > > to resolve the issue. Note the `--force-overwrite`, which is not used by the > various postinst scripts. > > It would be nice if the buster upgrade could so this for the user, but I > don't > know if that's reasonable for all Debian installations. IMO, It would be a > good buster release note. In any case, it's not a *PostgreSQL* bug.
Looking at ssl-cert's postinst script (where make-ssl-cert is from), there is no code that would upgrade snakeoil certificates that have been created using outdated standards. ssl-cert maintainers: Please consider adding something that regenerates "small" certificates, or at least informs the user that something needs to be done. (If you think this is not a bug, please close it.) Thanks, Christoph
