On Wed, Dec 18, 2019 at 10:51:06AM +0100, Christoph Berg wrote:
> Control: reassign -1 ssl-cert
> Control: affects -1 postgresql-common
>
> Re: Julian Gilbey 2019-12-18
> <157666085037.520017.6645946659722479335.report...@erdos.d-and-j.net>
> > I've just tried upgrading postgresql from version 11 to version 12,
> > following the instructions in README.Debian.
>
> Hi,
>
> did you upgrade the OS at the same time?

Hi Christoph,

Thanks for the quick response! I had recently done an apt upgrade,
and it is possible that an ssl package was upgraded in the process.

I've repeated the exercise on a different machine, though, and that
worked fine. I had a look at the snake-oil keys, and the "broken"
machine's one was dated 2010, whereas the other machine's was dated
2013. So I've just recreated the ssl-cert-snakeoil.pem on the
"broken" using the command

  make-ssl-cert generate-default-snakeoil --force-overwrite

and now the pg_upgradecluster works (almost) fine.

> > 2019-12-18 08:55:15.323 GMT [520011] FATAL: could not load server
> > certificate file "/etc/ssl/certs/ssl-cert-snakeoil.pem": ee key too small
>
> This isn't a PostgreSQL problem, the snakeoil certificate will be
> rejected by any other daemon as well.
>
> The ssl-cert package should regenerate the keys if the openssl package
> upgrades the key requirements.

So indeed, this seems to be one of the issues - well identified!

I'll send a separate bug report about the other weirdness.

Best wishes,

Julian