1985918 – postfix now asks for PEM pass phrase during installation, hangs kickstarted installations

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1985918 - postfix now asks for PEM pass phrase during installation, hangs kickstarted installations

Summary: postfix now asks for PEM pass phrase during installation, hangs kickstarted i...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	postfix
Sub Component:
Version:	9.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	beta
Target Release:	---
Assignee:	Jaroslav Škarvada
QA Contact:	František Hrdina
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1986706 (view as bug list)
Depends On:	1984045
Blocks:	1990008
TreeView+	depends on / blocked

Reported:	2021-07-26 09:03 UTC by Jan Pazdziora
Modified:	2021-12-07 21:46 UTC (History)
CC List:	4 users (show)
Fixed In Version:	postfix-3.5.9-12.el9
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-12-07 21:44:43 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Fedora proposed fix (1.07 KB, patch) 2021-07-30 00:24 UTC, Jaroslav Škarvada	no flags	Details \| Diff
View All

Description Jan Pazdziora 2021-07-26 09:03:30 UTC

Description of problem:

When installing postfix package, it now asks

  Enter PEM pass phrase:

and waits for the interactive input. That might be doable on dnf command line but when postfix is listed in kickstart file, provisioning the OS hangs.

Version-Release number of selected component (if applicable):

postfix-3.5.9-9.el9.s390x
openssl-3.0.0-0.beta1.4.el9.s390x

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf install -y postfix

Actual results:

Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Last metadata expiration check: 0:00:08 ago on Mon 26 Jul 2021 05:02:38 AM EDT.
Dependencies resolved.
================================================================================
 Package        Architecture Version              Repository               Size
================================================================================
Installing:
 postfix        s390x        2:3.5.9-9.el9        beaker-AppStream        1.4 M

Transaction Summary
================================================================================
Install  1 Package

Total size: 1.4 M
Installed size: 4.3 M
Downloading Packages:
[SKIPPED] postfix-3.5.9-9.el9.s390x.rpm: Already downloaded                    
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Running scriptlet: postfix-2:3.5.9-9.el9.s390x                            1/1 
  Installing       : postfix-2:3.5.9-9.el9.s390x                            1/1 
  Running scriptlet: postfix-2:3.5.9-9.el9.s390x                            1/1 
Enter PEM pass phrase:

Expected results:

Installation finishes without any interactive prompt.

Additional info:

This might be related to the upgrade of openssl to openssl-3.0.0-0.beta1.4.el9.

Comment 2 Jan Pazdziora 2021-07-26 09:06:20 UTC

For comparison, /usr/lib/systemd/system/httpd-init.service calls

ExecStart=/usr/libexec/httpd-ssl-gencerts

which in turn calls sscg and that passes.

Comment 3 Jan Pazdziora 2021-07-26 09:30:47 UTC

When dnf install -y postfix is run in environment where it does not have terminal, the dnf transaction will finish but with messages

Enter PEM pass phrase:
000003FF9D472710:error:1400006B:UI routines:UI_process:processing error:crypto/ui/ui_lib.c:544:while reading strings
000003FF9D472710:error:0480006D:PEM routines:PEM_def_callback:problems getting password:crypto/pem/pem_lib.c:62:
000003FF9D472710:error:07880109:common libcrypto routines:do_ui_passphrase:interrupted or cancelled:crypto/passphrase.c:175:
000003FF9D472710:error:1C80009F:Provider routines:p8info_to_encp8:unable to get passphrase:providers/implementations/encode_decode/encode_key2any.c:116:
chmod: cannot access '/etc/pki/tls/certs/postfix.pem': No such file or directory

  Verifying        : postfix-2:3.5.9-9.el9.s390x                            1/2 
  Verifying        : libicu-67.1-7.el9.s390x                                2/2 
Installed products updated.

Installed:
  libicu-67.1-7.el9.s390x              postfix-2:3.5.9-9.el9.s390x             

Complete!

Comment 4 Jan Pazdziora 2021-07-26 09:31:55 UTC

The man openssl-genrsa(1ossl) also says

DESCRIPTION
       This command has been deprecated.  The openssl-genpkey(1) command
       should be used instead.

and

HISTORY
       This command was deprecated in OpenSSL 3.0.

Comment 6 Jaroslav Škarvada 2021-07-30 00:24:15 UTC

Created attachment 1809190 [details]
Fedora proposed fix

Comment 7 苏佳 2021-08-02 02:06:32 UTC

*** Bug 1986706 has been marked as a duplicate of this bug. ***

Comment 8 Jaroslav Škarvada 2021-08-02 22:22:52 UTC

Fix commited into c9s, but the build is blocked by bug 1984045. Waiting for qa_ack.

Note You need to log in before you can comment on or make changes to this bug.