Your message dated Mon, 28 Dec 2020 14:40:15 +0000
with message-id <[email protected]>
and subject line Bug#924881: fixed in ssl-cert 1.1.0
has caused the Debian Bug report #924881,
regarding postgresql-common: pg_upgradecluster woes: fails to upgrade to v12 because ee key too small; postgres also fails to restart after upgrade
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
924881: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924881
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: postgresql-common
Version: 210
Severity: important

Hi,

I've just tried upgrading postgresql from version 11 to version 12,
following the instructions in README.Debian. (Incidentally, the
example of upgrading from version 9.6 no longer works, as the minor
version should no longer be specified on recent versions.)

Here's what happens to me:

********
erdos:~ # pg_dropcluster 12 main --stop
erdos:~ # pg_upgradecluster 11 main
Restarting old cluster with restricted connections...
Notice: extra pg_ctl/postgres options given, bypassing systemctl for start operation
Creating new PostgreSQL cluster 12/main ...
/usr/lib/postgresql/12/bin/initdb -D /var/lib/postgresql/12/main --auth-local peer --auth-host md5 --encoding UTF8 --lc-collate en_GB.UTF-8 --lc-ctype en_GB.UTF-8
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale "en_GB.UTF-8".
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /var/lib/postgresql/12/main ... ok
creating subdirectories ... ok
selecting dynamic shared memory implementation ... posix
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting default time zone ... Europe/London
creating configuration files ... ok
running bootstrap script ... ok
performing post-bootstrap initialization ... ok
syncing data to disk ... ok

Success. You can now start the database server using:

    pg_ctlcluster 12 main start

Ver Cluster Port Status Owner    Data directory              Log file
12  main    5433 down   postgres /var/lib/postgresql/12/main /var/log/postgresql/postgresql-12-main.log

Starting new cluster...
Notice: extra pg_ctl/postgres options given, bypassing systemctl for start operation
Error: /usr/lib/postgresql/12/bin/pg_ctl /usr/lib/postgresql/12/bin/pg_ctl start -D /var/lib/postgresql/12/main -l /var/log/postgresql/postgresql-12-main.log -s -o -c config_file="/etc/postgresql/12/main/postgresql.conf" -c hba_file=/tmp/pg_hba._zoYwU.conf exited with status 1:
2019-12-18 08:55:15.323 GMT [520011] FATAL: could not load server certificate file "/etc/ssl/certs/ssl-cert-snakeoil.pem": ee key too small
2019-12-18 08:55:15.323 GMT [520011] LOG: database system is shut down
pg_ctl: could not start server
Examine the log output.
Error: Could not start target cluster
erdos:~ #
********

At this point, the postgres process needs to be manually killed.

I'm not sure at which point the check on ee key size was introduced,
but the default settings of switching ssl on and using the snake oil
certificate no longer works.

If I modify /etc/postgresql-common/createcluster.conf to say ssl = off,
then the upgrade part works smoothly. It would be very helpful,
though, for the instruction:

    Success. You can now start the database server using:

        pg_ctlcluster 12 main start

to appear at the end of the output, rather than buried in the middle
of it.

Anyway, following this upgrade, "pg_ctlcluster 12 main start"
successfully starts the postgresql service. However,
/etc/init.d/postgresql start fails: for some reason, there is no
longer a [email protected] file for systemd. I can't figure out where
this file should have been created, but it hasn't been :/.

Best wishes,

   Julian

-- System Information:
Debian Release: bullseye/sid
  APT prefers stretch
  APT policy: (500, 'stretch'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.3.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8), LANGUAGE=en_GB.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages postgresql-common depends on:
ii  adduser                   3.118
ii  debconf [debconf-2.0]     1.5.73
ii  lsb-base                  11.1.0
ii  perl                      5.30.0-9
ii  postgresql-client-common  210
ii  procps                    2:3.3.15-2+b1
ii  ssl-cert                  1.0.39
ii  ucf                       3.0038+nmu1

Versions of packages postgresql-common recommends:
ii  e2fsprogs  1.45.4-1
ii  logrotate  3.15.1-2

Versions of packages postgresql-common suggests:
ii  libjson-perl  4.02000-1

-- Configuration Files:
/etc/postgresql-common/createcluster.conf changed:
ssl = on
cluster_name = '%v/%c'
stats_temp_directory = '/var/run/postgresql/%v-%c.pg_stat_tmp'
log_line_prefix = '%%m [%%p] %%q%%u@%%d '
add_include_dir = 'conf.d'
include_dir '/etc/postgresql-common/createcluster.d'

-- debconf information:
  postgresql-common/ssl: true
* postgresql-common/obsolete-major:
  postgresql-common/catversion-bump:
--- End Message ---
--- Begin Message ---
Source: ssl-cert
Source-Version: 1.1.0
Done: Stefan Fritsch <[email protected]>

We believe that the bug you reported is fixed in the latest version of
ssl-cert, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Fritsch <[email protected]> (supplier of updated ssl-cert package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Mon, 28 Dec 2020 15:20:52 +0100
Source: ssl-cert
Architecture: source
Version: 1.1.0
Distribution: unstable
Urgency: medium
Maintainer: Debian Apache Maintainers <[email protected]>
Changed-By: Stefan Fritsch <[email protected]>
Closes: 924881
Changes:
 ssl-cert (1.1.0) unstable; urgency=medium
 .
   [ Stefan Fritsch ]
   * Remove obsolete openssl-blacklist suggests.
   * Add some autopkgtests. LP: #1679405
   * Create correct hash symlink. LP: #1324897
   * Automatically re-create the default snakeoil certificate if its key
     length is below 2048 bits or if the signature algorithm is not sha256.
     Closes: #924881
 .
   [ Bryce Harrington ]
   * Refactor make-ssl-cert a bit, add usage message.
   * Add --expiration-days option.
     LP: #1853021
--- End Message ---
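
The 1.1.0 changelog above names two conditions for re-creating the snakeoil certificate: a key length below 2048 bits, or a signature algorithm other than sha256. The shell functions below are an added example, not code from ssl-cert or from this thread, that applies those two conditions to the text printed by `openssl x509 -noout -text`; the function names and the sample text are made up here, and an RSA certificate is assumed.

```shell
#!/bin/sh
# Added example; not code from ssl-cert. Assumes an RSA certificate.
MIN_BITS=2048   # key-length threshold named in the 1.1.0 changelog

# Reads `openssl x509 -noout -text` output on stdin and prints a verdict.
# Status: 0 = keep, 1 = re-create, 2 = input could not be parsed.
classify_cert_text() {
    text=$(cat)
    # OpenSSL prints "Public-Key: (N bit)" or "RSA Public-Key: (N bit)".
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    # The first "Signature Algorithm:" line is the one inside the signed data.
    sigalg=$(printf '%s\n' "$text" |
        sed -n 's/.*Signature Algorithm: *\([^ ]*\).*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ -z "$sigalg" ]; then
        echo "unparseable"
        return 2
    fi
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "re-create: key is $bits bits"
        return 1
    fi
    case "$sigalg" in
        sha256*) echo "keep: $bits bits, $sigalg"; return 0 ;;
        *) echo "re-create: signature algorithm is $sigalg"; return 1 ;;
    esac
}

# Runs the check on a PEM certificate file.
check_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | classify_cert_text
}

# Constructed sample: the relevant lines of a 1024-bit certificate dump.
SAMPLE_WEAK='        Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)'

printf '%s\n' "$SAMPLE_WEAK" | classify_cert_text || true
```

On a system with openssl installed, `check_cert /etc/ssl/certs/ssl-cert-snakeoil.pem` applies the same check to the certificate named in the PostgreSQL log above.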

