Bug 1985918

Summary: postfix now asks for PEM pass phrase during installation, hangs kickstarted installations
Product: Red Hat Enterprise Linux 9 Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: postfixAssignee: Jaroslav Škarvada <jskarvad>
Status: CLOSED CURRENTRELEASE QA Contact: František Hrdina <fhrdina>
Severity: high Docs Contact:
Priority: unspecified    
Version: 9.0CC: fweimer, jjaburek, jpazdziora, sujj5
Target Milestone: betaKeywords: Patch, Regression, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: postfix-3.5.9-12.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-12-07 21:44:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1984045    
Bug Blocks: 1990008    
Attachments:
Description Flags
Fedora proposed fix none

Description Jan Pazdziora (Red Hat) 2021-07-26 09:03:30 UTC 
Description of problem:

When installing postfix package, it now asks

  Enter PEM pass phrase:

and waits for the interactive input. That might be doable on dnf command line but when postfix is listed in kickstart file, provisioning the OS hangs.

Version-Release number of selected component (if applicable):

postfix-3.5.9-9.el9.s390x
openssl-3.0.0-0.beta1.4.el9.s390x

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf install -y postfix

Actual results:

Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Last metadata expiration check: 0:00:08 ago on Mon 26 Jul 2021 05:02:38 AM EDT.
Dependencies resolved.
================================================================================
 Package        Architecture Version              Repository               Size
================================================================================
Installing:
 postfix        s390x        2:3.5.9-9.el9        beaker-AppStream        1.4 M

Transaction Summary
================================================================================
Install  1 Package

Total size: 1.4 M
Installed size: 4.3 M
Downloading Packages:
[SKIPPED] postfix-3.5.9-9.el9.s390x.rpm: Already downloaded                    
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Running scriptlet: postfix-2:3.5.9-9.el9.s390x                            1/1 
  Installing       : postfix-2:3.5.9-9.el9.s390x                            1/1 
  Running scriptlet: postfix-2:3.5.9-9.el9.s390x                            1/1 
Enter PEM pass phrase:

Expected results:

Installation finishes without any interactive prompt.

Additional info:

This might be related to the upgrade of openssl to openssl-3.0.0-0.beta1.4.el9.
Comment 2 Jan Pazdziora (Red Hat) 2021-07-26 09:06:20 UTC 
For comparison, /usr/lib/systemd/system/httpd-init.service calls

ExecStart=/usr/libexec/httpd-ssl-gencerts

which in turn calls sscg and that passes.
Comment 3 Jan Pazdziora (Red Hat) 2021-07-26 09:30:47 UTC 
When dnf install -y postfix is run in environment where it does not have terminal, the dnf transaction will finish but with messages

Enter PEM pass phrase:
000003FF9D472710:error:1400006B:UI routines:UI_process:processing error:crypto/ui/ui_lib.c:544:while reading strings
000003FF9D472710:error:0480006D:PEM routines:PEM_def_callback:problems getting password:crypto/pem/pem_lib.c:62:
000003FF9D472710:error:07880109:common libcrypto routines:do_ui_passphrase:interrupted or cancelled:crypto/passphrase.c:175:
000003FF9D472710:error:1C80009F:Provider routines:p8info_to_encp8:unable to get passphrase:providers/implementations/encode_decode/encode_key2any.c:116:
chmod: cannot access '/etc/pki/tls/certs/postfix.pem': No such file or directory

  Verifying        : postfix-2:3.5.9-9.el9.s390x                            1/2 
  Verifying        : libicu-67.1-7.el9.s390x                                2/2 
Installed products updated.

Installed:
  libicu-67.1-7.el9.s390x              postfix-2:3.5.9-9.el9.s390x             

Complete!
Comment 4 Jan Pazdziora (Red Hat) 2021-07-26 09:31:55 UTC 
The man openssl-genrsa(1ossl) also says

DESCRIPTION
       This command has been deprecated.  The openssl-genpkey(1) command
       should be used instead.

and

HISTORY
       This command was deprecated in OpenSSL 3.0.
Comment 6 Jaroslav Škarvada 2021-07-30 00:24:15 UTC 
Created attachment 1809190 [details]
Fedora proposed fix
Comment 7 苏佳 2021-08-02 02:06:32 UTC 
*** Bug 1986706 has been marked as a duplicate of this bug. ***
Comment 8 Jaroslav Škarvada 2021-08-02 22:22:52 UTC 
Fix commited into c9s, but the build is blocked by bug 1984045. Waiting for qa_ack.