On Mon, 2019-01-14 at 14:35 +0100, Axel Beckert wrote:
> Hi,
>
> Axel Beckert wrote:
> > The syslog shows again this:
> >
> > Jan 14 07:18:59 c-cactus2 dnssec-triggerd[22039]: Jan 14 07:18:59
> > dnssec-triggerd[22039] error: Error in SSL_CTX use_certificate_file
> > crypto error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key
> > too small
>
> Attached the output of "fgrep dnssec /var/log/syslog" from the time of
> the package upgrade.
>
> Regards, Axel

Was dnssec-triggerd running before the upgrade? Was there then an upgrade to openssl 1.1.1? And then finally it wouldn't start?

The error message looks like your openssl keys are too small and all attempts to control dnssec-triggerd will fail. I modified dnssec-trigger-control-setup to check the key size and delete it if it was too small.

Did the certificates in /etc/dnssec-trigger get regenerated?

See dnssec-trigger/debian/patches/remove-small-keys.patch for the implementation.

Diane
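
A key-size check of the kind described in the reply above, as an added example that is not part of the original message and is not the contents of remove-small-keys.patch: it reports RSA certificates in a directory whose key is below a threshold, without deleting anything. The 2048-bit default (the RSA minimum at OpenSSL security level 2) and all function names are assumptions; /etc/dnssec-trigger is the directory named in the thread.

```shell
#!/bin/sh
# Added example: report RSA certificates whose key is below a minimum size.
MIN_BITS=${MIN_BITS:-2048}   # assumed threshold, not taken from the patch

# Read `openssl x509 -noout -text` output on stdin and print the RSA key size.
# Prints nothing for non-RSA keys (EC sizes are not comparable to RSA sizes).
rsa_key_bits_from_text() {
    awk '/Public Key Algorithm: rsaEncryption/ { rsa = 1 }
         rsa && /Public-Key: \([0-9]+ bit\)/ {
             gsub(/[^0-9]/, ""); print; exit
         }'
}

# Succeed (exit status 0) when the given size is below the minimum.
is_too_small() {
    [ -n "$1" ] && [ "$1" -lt "$MIN_BITS" ]
}

# Print the RSA key size of one PEM certificate file; empty if not applicable.
cert_rsa_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | rsa_key_bits_from_text
}

# Report every *.pem in a directory; return 1 if any RSA key is too small.
audit_cert_dir() {
    dir=$1; rc=0
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        bits=$(cert_rsa_bits "$pem")
        if [ -z "$bits" ]; then
            echo "SKIP  $pem (not an RSA certificate, or unreadable)"
        elif is_too_small "$bits"; then
            echo "SMALL $pem ($bits bit < $MIN_BITS)"; rc=1
        else
            echo "OK    $pem ($bits bit)"
        fi
    done
    return $rc
}

# Constructed sample of the relevant lines from `openssl x509 -text` output.
SAMPLE_TEXT='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)'

# Run the audit only when a directory is given, e.g. /etc/dnssec-trigger.
if [ $# -ge 1 ]; then audit_cert_dir "$1"; fi
```

A certificate reported as SMALL is one that a library enforcing that minimum would reject with the "ee key too small" error quoted in the thread, so it needs to be regenerated with a larger key.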