1886172 – old control and server keys rejected by default F33 security policy after upgrade

Bug 1886172 - old control and server keys rejected by default F33 security policy after upgrade

Summary: old control and server keys rejected by default F33 security policy after upg...

Keywords:
Status:	CLOSED EOL
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	dnssec-trigger
Sub Component:
Version:	33
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Paul Wouters
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	https://fedoraproject.org/wiki/Common...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-10-07 19:40 UTC by Dominik 'Rathann' Mierzejewski
Modified:	2021-11-30 19:11 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2021-11-30 19:11:04 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Dominik 'Rathann' Mierzejewski 2020-10-07 19:40:23 UTC

Description of problem:
After upgrading one of my F32 machines to F33, dnssec-trigger stopped working due to too weak TLS keys. The machine was installed in 2014 and system-upgraded all the way to F32, so the dnssec-trigger keys and certificates were generated in 2014, too.

Version-Release number of selected component (if applicable):
dnssec-trigger-0.15-13.fc33.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Upgrade an older Fedora with 1536-bit RSA dnssec-triggerd keys and certificates to F33.
2. dnssec-trigger-control status

Actual results:
Oct 07 18:54:04 dnssec-trigger-control[4557] fatal error: Error setting up SSL_CTX client key and cert error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small

Expected results:
$ dnssec-trigger-control status
at 2020-10-07 18:55:15
...
state: cache secure

Additional info:
dnssec-triggerd.service log:
Oct 07 18:53:54 systemd[1]: Starting Reconfigure local DNSSEC resolver on connectivity changes...
Oct 07 18:53:55 dnssec-triggerd[4462]: Oct 07 18:53:55 dnssec-triggerd[4462] error: Error for server-cert-file: /etc/dnssec-trigger/dnssec_trigger_server.pem
Oct 07 18:53:55 dnssec-triggerd[4462]: Oct 07 18:53:55 dnssec-triggerd[4462] error: Error in SSL_CTX use_certificate_file crypto error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
Oct 07 18:53:55 dnssec-triggerd[4462]: Oct 07 18:53:55 dnssec-triggerd[4462] error: cannot setup SSL context
Oct 07 18:53:55 dnssec-triggerd[4462]: Oct 07 18:53:55 dnssec-triggerd[4462] fatal error: could not init server
Oct 07 18:53:55 systemd[1]: dnssec-triggerd.service: Main process exited, code=exited, status=1/FAILURE
Oct 07 18:53:55 dnssec-trigger-script[4463]: Cannot connect to dnssec-trigger.
Oct 07 18:53:55 systemd[1]: dnssec-triggerd.service: Can't open PID file /run/dnssec-triggerd.pid (yet?) after start-post: Operation not permitted
Oct 07 18:53:55 dnssec-trigger-script[4469]: Recovering /etc/resolv.conf...
Oct 07 18:53:55 systemd[1]: dnssec-triggerd.service: Failed with result 'exit-code'.
Oct 07 18:53:55 systemd[1]: Failed to start Reconfigure local DNSSEC resolver on connectivity changes.
Oct 07 18:53:55 systemd[1]: dnssec-triggerd.service: Scheduled restart job, restart counter is at 1.
Oct 07 18:53:55 systemd[1]: Stopped Reconfigure local DNSSEC resolver on connectivity changes.
Oct 07 18:53:55 systemd[1]: Starting Reconfigure local DNSSEC resolver on connectivity changes...
Oct 07 18:53:55 dnssec-triggerd[4482]: Oct 07 18:53:55 dnssec-triggerd[4482] error: Error for server-cert-file: /etc/dnssec-trigger/dnssec_trigger_server.pem
Oct 07 18:53:55 dnssec-triggerd[4482]: Oct 07 18:53:55 dnssec-triggerd[4482] error: Error in SSL_CTX use_certificate_file crypto error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
Oct 07 18:53:55 dnssec-triggerd[4482]: Oct 07 18:53:55 dnssec-triggerd[4482] error: cannot setup SSL context
Oct 07 18:53:55 dnssec-triggerd[4482]: Oct 07 18:53:55 dnssec-triggerd[4482] fatal error: could not init server
Oct 07 18:53:55 systemd[1]: dnssec-triggerd.service: Main process exited, code=exited, status=1/FAILURE
Oct 07 18:53:55 dnssec-trigger-script[4483]: Cannot connect to dnssec-trigger.
Oct 07 18:53:55 systemd[1]: dnssec-triggerd.service: Can't open PID file /run/dnssec-triggerd.pid (yet?) after start-post: Operation not permitted
Oct 07 18:53:55 dnssec-trigger-script[4489]: Recovering /etc/resolv.conf...
Oct 07 18:53:55 systemd[1]: dnssec-triggerd.service: Failed with result 'exit-code'.

Indeed:
# certtool -k </etc/dnssec-trigger/dnssec_trigger_control.key | head -n 3
Public Key Info:
	Public Key Algorithm: RSA
	Key Security Level: Legacy (1536 bits)
# certtool -k </etc/dnssec-trigger/dnssec_trigger_server.key | head -n 3
Public Key Info:
	Public Key Algorithm: RSA
	Key Security Level: Legacy (1536 bits)
# certtool -i </etc/dnssec-trigger/dnssec_trigger_server.pem| grep Algorithm
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: High (3072 bits)
	Signature Algorithm: RSA-SHA256
# certtool -i </etc/dnssec-trigger/dnssec_trigger_control.pem| grep Algorithm
	Subject Public Key Algorithm: RSA
	Algorithm Security Level: High (3072 bits)
	Signature Algorithm: RSA-SHA256

After moving the above away and restarting dnssec-triggerd-keygen.service, I get new keys and certificates generated, which makes the service work again.

Perhaps it would be worth checking the key strength and regenerating them upon upgrade to prevent this issue?

Comment 1 Fedora Admin user for bugzilla script actions 2021-04-26 12:12:24 UTC

This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

Comment 2 Ben Cotton 2021-11-04 13:42:28 UTC

This message is a reminder that Fedora 33 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '33'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 33 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 3 Ben Cotton 2021-11-04 14:11:59 UTC

This message is a reminder that Fedora 33 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '33'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 33 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 4 Ben Cotton 2021-11-04 15:09:30 UTC

This message is a reminder that Fedora 33 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '33'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 33 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 5 Ben Cotton 2021-11-30 19:11:04 UTC

Fedora 33 changed to end-of-life (EOL) status on 2021-11-30. Fedora 33 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.