Bug 1985918 - postfix now asks for PEM pass phrase during installation, hangs kickstarted installations
Summary: postfix now asks for PEM pass phrase during installation, hangs kickstarted i...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: postfix
Version: 9.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: beta
: ---
Assignee: Jaroslav Škarvada
QA Contact: František Hrdina
URL:
Whiteboard:
: 1986706 (view as bug list)
Depends On: 1984045
Blocks: 1990008
TreeView+ depends on / blocked
 
Reported: 2021-07-26 09:03 UTC by Jan Pazdziora
Modified: 2021-12-07 21:46 UTC (History)
4 users (show)

Fixed In Version: postfix-3.5.9-12.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-12-07 21:44:43 UTC
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)
Fedora proposed fix (1.07 KB, patch)
2021-07-30 00:24 UTC, Jaroslav Škarvada
no flags Details | Diff

Description Jan Pazdziora 2021-07-26 09:03:30 UTC
Description of problem:

When installing postfix package, it now asks

  Enter PEM pass phrase:

and waits for the interactive input. That might be doable on dnf command line but when postfix is listed in kickstart file, provisioning the OS hangs.

Version-Release number of selected component (if applicable):

postfix-3.5.9-9.el9.s390x
openssl-3.0.0-0.beta1.4.el9.s390x

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf install -y postfix

Actual results:

Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Last metadata expiration check: 0:00:08 ago on Mon 26 Jul 2021 05:02:38 AM EDT.
Dependencies resolved.
================================================================================
 Package        Architecture Version              Repository               Size
================================================================================
Installing:
 postfix        s390x        2:3.5.9-9.el9        beaker-AppStream        1.4 M

Transaction Summary
================================================================================
Install  1 Package

Total size: 1.4 M
Installed size: 4.3 M
Downloading Packages:
[SKIPPED] postfix-3.5.9-9.el9.s390x.rpm: Already downloaded                    
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Running scriptlet: postfix-2:3.5.9-9.el9.s390x                            1/1 
  Installing       : postfix-2:3.5.9-9.el9.s390x                            1/1 
  Running scriptlet: postfix-2:3.5.9-9.el9.s390x                            1/1 
Enter PEM pass phrase:

Expected results:

Installation finishes without any interactive prompt.

Additional info:

This might be related to the upgrade of openssl to openssl-3.0.0-0.beta1.4.el9.

Comment 2 Jan Pazdziora 2021-07-26 09:06:20 UTC
For comparison, /usr/lib/systemd/system/httpd-init.service calls

ExecStart=/usr/libexec/httpd-ssl-gencerts

which in turn calls sscg and that passes.

Comment 3 Jan Pazdziora 2021-07-26 09:30:47 UTC
When dnf install -y postfix is run in environment where it does not have terminal, the dnf transaction will finish but with messages

Enter PEM pass phrase:
000003FF9D472710:error:1400006B:UI routines:UI_process:processing error:crypto/ui/ui_lib.c:544:while reading strings
000003FF9D472710:error:0480006D:PEM routines:PEM_def_callback:problems getting password:crypto/pem/pem_lib.c:62:
000003FF9D472710:error:07880109:common libcrypto routines:do_ui_passphrase:interrupted or cancelled:crypto/passphrase.c:175:
000003FF9D472710:error:1C80009F:Provider routines:p8info_to_encp8:unable to get passphrase:providers/implementations/encode_decode/encode_key2any.c:116:
chmod: cannot access '/etc/pki/tls/certs/postfix.pem': No such file or directory

  Verifying        : postfix-2:3.5.9-9.el9.s390x                            1/2 
  Verifying        : libicu-67.1-7.el9.s390x                                2/2 
Installed products updated.

Installed:
  libicu-67.1-7.el9.s390x              postfix-2:3.5.9-9.el9.s390x             

Complete!

Comment 4 Jan Pazdziora 2021-07-26 09:31:55 UTC
The man openssl-genrsa(1ossl) also says

DESCRIPTION
       This command has been deprecated.  The openssl-genpkey(1) command
       should be used instead.

and

HISTORY
       This command was deprecated in OpenSSL 3.0.

Comment 6 Jaroslav Škarvada 2021-07-30 00:24:15 UTC
Created attachment 1809190 [details]
Fedora proposed fix

Comment 7 苏佳 2021-08-02 02:06:32 UTC
*** Bug 1986706 has been marked as a duplicate of this bug. ***

Comment 8 Jaroslav Škarvada 2021-08-02 22:22:52 UTC
Fix commited into c9s, but the build is blocked by bug 1984045. Waiting for qa_ack.


Note You need to log in before you can comment on or make changes to this bug.