Fedora Account System
Red Hat Associate
Red Hat Customer
# dnssec-trigger-control status error: could not SSL_write Reproducible: Always Steps to Reproduce: 1. systemctl restart dnssec-triggerd 2. dnssec-trigger-control status 3. cd /etc/dnssec-trigger && openssl verify -show_chain -CAfile dnssec_trigger_server.pem dnssec_trigger_control.pem Actual Results: error: could not SSL_write in logs: error: remote control failed ssl crypto error:0A000086:SSL routines::certificate verify failed Expected Results: no error, just status It still works on F39, with openssl-libs-3.1.4-3.fc39.x86_64. openssl-libs-3.2.2-5.fc41.x86_64 in current rawhide does not work. Question is, whether 3072 bits key is okay. Signature Algorithm: sha256WithRSAEncryption should be okay. In F39: # openssl verify -show_chain -CAfile dnssec_trigger_server.pem dnssec_trigger_control.pem dnssec_trigger_control.pem: OK Chain: depth=0: CN = dnssec-trigger-control (untrusted) depth=1: CN = dnssec-trigger # openssl verify -show_chain -CAfile dnssec_trigger_server.pem dnssec_trigger_control.pem dnssec_trigger_control.pem: OK Chain: depth=0: CN = dnssec-trigger-control (untrusted) depth=1: CN = dnssec-trigger In F41 rawhide: # openssl verify -show_chain -CAfile dnssec_trigger_server.pem dnssec_trigger_control.pem CN=dnssec-trigger error 79 at 1 depth lookup: invalid CA certificate error dnssec_trigger_control.pem: verification failed
Strange is the same version in both certs. # for F in *.pem; do echo "# $F"; openssl x509 -text -noout -in $F; done # dnssec_trigger_control.pem Certificate: Data: Version: 3 (0x2) Serial Number: 6d:f7:fb:12:43:50:29:88:58:85:9d:fb:29:85:c6:50:c4:05:79:9d Signature Algorithm: sha256WithRSAEncryption Issuer: CN=dnssec-trigger Validity Not Before: Sep 10 11:14:28 2024 GMT Not After : May 28 11:14:28 2044 GMT Subject: CN=dnssec-trigger-control Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (3072 bit) Modulus: 00:a3:26:1b:3f:bf:28:74:87:04:2e:47:95:6c:2b: 6f:6a:31:d3:74:57:f3:2f:a0:3f:3d:c4:9e:ae:d2: 09:22:26:2a:2a:a1:98:40:4d:1a:b7:c9:2d:5c:b8: fd:62:29:a3:76:38:4d:78:e1:05:16:fb:83:4a:f0: fe:0d:86:57:b1:b0:9e:ac:1a:37:72:02:29:08:6a: a5:20:01:8f:fb:1f:c8:50:4e:2a:3f:5b:6a:e0:68: 3f:08:85:e4:e7:34:c4:b3:b0:8f:08:0d:6f:57:56: a9:d1:5b:c2:28:23:a4:c4:4f:ce:0e:51:d3:dd:e8: bd:ce:ce:73:e6:66:1e:da:7a:9f:35:1c:d0:6f:7b: 26:e1:79:78:ec:46:61:af:24:80:b5:88:be:1a:ba: a7:a7:11:9b:05:7c:dd:68:d5:0b:82:50:ae:64:6f: f4:4a:fc:32:1e:00:e9:1a:f4:e4:c3:83:75:49:bd: c8:b3:f8:1d:18:1f:3b:c4:aa:68:3f:7a:ae:ed:81: 6d:c7:2a:bb:ae:8e:38:56:16:84:c1:0f:85:73:03: 4d:f7:8b:1b:e0:2a:7b:0e:ba:ba:d2:04:20:8f:5d: 72:d7:db:10:8f:f0:df:6b:f0:e0:c6:3b:0b:68:99: dd:14:ff:d5:0d:ae:95:7c:db:14:cd:2f:cb:ad:49: ad:fa:03:f8:70:0a:31:59:00:5c:1b:fd:60:f7:00: 3f:90:80:b0:e7:dc:ec:9a:ed:dc:94:cb:68:f1:e6: 29:36:5d:0e:30:45:77:6d:db:15:b9:7f:65:fe:b1: 45:b0:b2:ae:f9:0a:9b:37:88:77:a7:a8:86:8a:c4: d9:7a:45:e6:45:6b:c3:b4:72:26:51:ec:91:36:cc: f5:2a:55:b6:2d:9a:03:3c:7c:21:20:e1:f4:ca:6f: f3:df:24:97:70:39:eb:14:91:f8:e6:5f:07:30:c6: a3:ad:78:30:3c:d3:04:c2:f8:f2:5a:b0:f6:1e:8d: b4:1d:31:ea:4e:25:2b:f6:b0:f5 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 11:D9:63:4C:3E:90:6D:20:26:50:6C:75:2B:D6:A6:FA:C7:DF:58:CC X509v3 Authority Key Identifier: 55:A2:06:CA:74:5B:8A:C2:B7:AF:B1:5C:F8:17:38:4C:5A:F3:FD:DD Signature Algorithm: sha256WithRSAEncryption Signature Value: 48:86:08:b5:5b:9e:d5:fa:ea:a1:34:0f:f9:9d:fe:b7:02:b9: ca:ae:e6:ee:2e:7f:0b:62:47:1f:0a:82:a2:22:10:18:94:78: 41:7e:b1:1e:c7:fb:ee:fc:7c:2d:07:99:70:2b:8a:cc:e7:cd: eb:48:99:31:59:60:20:21:7f:36:cc:21:81:41:41:f2:ae:2a: d2:69:b6:bf:b0:c5:00:4a:f2:42:70:57:b4:16:b0:05:99:3a: 30:af:2d:76:1a:1e:69:37:3d:a1:6f:12:95:11:0e:b2:98:33: e7:2a:36:43:a2:85:b0:f3:81:b2:d5:f8:25:c5:c9:f2:4c:20: 2f:08:f9:45:b4:1c:00:24:ac:9e:01:9a:f0:7d:8d:c3:e0:ff: 3b:79:02:36:0b:04:e4:b1:c5:6d:4a:77:97:d0:ba:a4:b6:3c: 24:25:18:fd:67:96:71:e7:07:db:2a:13:ca:01:99:56:ad:12: 53:61:63:a5:c8:3d:06:31:2e:36:82:08:bf:ff:e6:c0:f0:ca: 44:2b:f9:38:cf:03:c3:41:8c:4e:73:68:27:f2:0d:76:3c:9e: 0d:db:04:98:39:09:ac:95:e3:e3:97:9c:f7:37:fe:3b:bf:c7: 96:46:71:86:82:f2:9d:64:cd:a3:25:53:df:b6:f0:91:20:a5: 46:b5:1a:cb:14:10:26:4a:cb:77:cc:63:df:ba:bd:7c:3f:35: b3:41:5c:ae:05:e1:60:78:df:09:eb:82:af:ab:c1:c1:dd:25: 8a:9a:49:84:9f:0d:ad:e1:7a:62:52:c2:04:0e:fe:26:3f:bc: 56:65:11:92:3f:2a:62:12:cf:40:24:a4:84:99:4d:41:5a:b6: b3:65:87:5c:f2:d1:4d:ea:25:84:ca:5a:63:05:9a:ad:f2:b0: 93:32:2d:5c:57:fd:3b:53:b1:3a:df:6d:a5:26:e9:ed:85:42: 39:ed:b4:bc:05:d8:58:4f:75:14:c9:5d:d8:e9:f0:5f:1b:14: c1:43:e7:21:3d:d0 # dnssec_trigger_server.pem Certificate: Data: Version: 3 (0x2) Serial Number: 49:a6:63:37:6e:e7:f2:1d:58:69:e3:7b:2a:4c:c9:6f:d7:6d:9f:e8 Signature Algorithm: sha256WithRSAEncryption Issuer: CN=dnssec-trigger Validity Not Before: Sep 10 11:14:28 2024 GMT Not After : May 28 11:14:28 2044 GMT Subject: CN=dnssec-trigger Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (3072 bit) Modulus: 00:e2:92:66:96:0e:b9:5f:25:1c:cf:05:af:1c:0a: 7a:17:2a:47:02:38:59:d3:5d:d4:ba:7f:7a:9f:97: f8:86:09:87:3c:bd:7b:e9:28:50:9e:44:8d:92:4c: 1f:0a:18:c1:68:28:49:f3:80:2d:33:bd:e8:21:b9: 9d:02:71:46:93:d4:ee:3b:ca:bc:67:5c:e3:f5:41: d1:d9:13:6b:2a:2c:cc:2c:5c:63:7e:f2:2a:1a:71: e3:92:ae:a1:a1:9c:ea:32:80:19:87:af:a3:51:36: af:89:34:7f:6c:24:de:be:a0:0c:a4:f3:cb:4d:bf: 86:c1:b5:a2:b6:b5:f5:18:3d:b6:9c:aa:64:44:80: bc:fc:96:17:1e:27:e3:76:b8:22:09:f4:e1:54:f8: 04:59:4c:46:14:d5:30:bd:e5:f4:26:7d:50:4f:eb: ea:0e:75:b0:c5:bb:54:8e:57:01:9d:7a:c6:51:0b: e4:62:38:4b:0f:61:30:04:d3:89:d7:00:38:98:14: 0b:99:db:27:14:a2:92:f7:1c:37:f0:4e:7d:10:82: b3:96:e5:1d:79:b9:3f:80:ea:e2:55:c7:6f:42:cc: 5f:ee:47:da:01:1e:b2:06:09:4d:c8:3c:1f:7a:61: 69:ae:d4:e5:1e:68:9e:39:29:6a:2a:62:81:1d:8f: ce:f3:41:3f:1f:ce:f7:5b:71:bf:27:59:ab:1f:56: 40:cd:b1:5d:d8:38:a4:99:8e:7e:23:03:46:b9:d7: 49:a2:91:1f:64:17:1f:40:27:65:84:af:3d:ee:27: d2:19:ef:0f:d7:dd:43:b0:ef:3f:c3:a1:81:e9:9d: af:3b:c6:d6:40:f6:60:46:82:7f:f6:74:26:68:1b: 24:c9:b4:78:a3:89:35:8e:8e:90:33:3e:e4:a7:9f: 2e:2c:be:6c:6a:6c:9b:9e:1c:dd:58:a1:48:a4:d3: 2d:dc:a6:c7:e1:77:9e:37:ad:c8:da:a3:f7:f0:72: 6a:8c:b0:fc:a3:b3:55:02:65:8d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 55:A2:06:CA:74:5B:8A:C2:B7:AF:B1:5C:F8:17:38:4C:5A:F3:FD:DD Signature Algorithm: sha256WithRSAEncryption Signature Value: c0:a6:70:b3:e2:6c:9d:f9:da:14:44:e0:46:23:6f:1f:25:32: 69:38:0e:60:c7:fd:42:8d:1d:a6:9f:9c:9a:c4:65:8e:1f:21: e7:fa:91:66:9d:f9:9f:9e:e9:50:32:61:74:5b:6d:88:29:df: 1f:71:a1:60:08:b1:76:cf:a6:f8:96:b5:37:f0:73:91:00:aa: 01:70:c1:53:40:3d:41:47:de:c7:7a:b1:dc:91:8d:61:9b:ec: d9:36:18:df:98:83:41:31:9e:41:a0:00:47:7b:ea:dc:2d:2e: 4e:41:cf:04:e0:7d:97:ea:f1:1d:31:0c:3d:d4:d0:bc:e7:77: 66:17:fa:69:b7:c5:19:42:e5:01:d1:79:40:1e:42:0a:06:0d: fc:fe:7e:b1:b3:53:83:17:2a:f2:76:25:ec:ad:a9:39:fe:39: 98:93:9f:76:3e:14:07:80:c5:7f:bd:0d:5b:ff:17:f8:10:ef: 45:8a:5c:cd:0b:61:f8:26:95:30:46:2a:98:07:32:8d:d3:a2: 34:07:38:93:56:ac:ba:9f:c5:5b:d1:82:b9:6e:7c:1b:50:b2: 53:df:6e:60:2f:65:c6:bc:23:0b:4d:98:cc:ce:fc:ad:92:14: 81:11:6a:5a:b5:88:12:f3:9b:74:76:64:f7:3e:09:69:50:52: 34:2e:51:a7:60:bd:46:3e:b2:f0:82:ba:69:b7:25:be:37:70: 4c:62:b0:6f:c5:8a:c5:ad:37:d8:06:f7:6e:ae:d8:3c:a5:6b: c5:de:58:f6:a8:09:80:e7:a7:be:dc:89:74:e5:74:6d:32:6e: ca:74:69:fc:66:b3:8d:83:ed:47:62:b6:ce:72:71:b5:21:fe: 1b:a5:09:16:01:4d:bb:2e:80:b9:f4:9c:17:57:15:0a:7b:c8: 6a:e7:da:b9:5d:3d:df:8a:ad:f8:43:f5:f5:83:92:a1:11:17: 67:ef:2b:10:80:9d:28:76:09:5a:f3:27:ad:7f:84:a3:45:82: 98:df:8f:95:6a:18
Created attachment 2046102 [details] dnssec_trigger_server.pem
Created attachment 2046103 [details] dnssec_trigger_control.pem
I can reproduce this in rawhide: [root@952460bb418c /]# rpm -q dnssec-trigger dnssec-trigger-0.17-35.fc41.aarch64 [root@952460bb418c /]# /usr/sbin/dnssec-trigger-control-setup -d /etc/dnssec-trigger/ […] [root@952460bb418c /]# openssl verify -CAfile /etc/dnssec-trigger/dnssec_trigger_server.pem /etc/dnssec-trigger/dnssec_trigger_control.pem CN=dnssec-trigger error 79 at 1 depth lookup: invalid CA certificate error /etc/dnssec-trigger/dnssec_trigger_control.pem: verification failed The problem vanishes if I make sure the CA has a valid X509v3 BasicConstraints extension that marks it as a CA: [root@952460bb418c /]# rm -rf /etc/dnssec-trigger [root@952460bb418c /]# dnf reinstall -y dnssec-trigger […] [root@952460bb418c /]# diff -u /usr/sbin/dnssec-trigger-control-setup{.orig,} --- /usr/sbin/dnssec-trigger-control-setup.orig 2024-09-10 12:23:24.155394070 +0000 +++ /usr/sbin/dnssec-trigger-control-setup 2024-09-10 12:23:45.249706836 +0000 @@ -200,7 +200,7 @@ test -f request.cfg || error "could not create request.cfg" echo "create $SVR_BASE.pem (self signed certificate)" -openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem" +openssl req -key $SVR_BASE.key -config request.cfg -new -x509 -addext "basicConstraints=critical,CA:TRUE,pathlen:0" -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem" # create trusted usage pem openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem" [root@952460bb418c /]# /usr/sbin/dnssec-trigger-control-setup -d /etc/dnssec-trigger/ […] [root@952460bb418c /]# openssl verify -CAfile /etc/dnssec-trigger/dnssec_trigger_server.pem /etc/dnssec-trigger/dnssec_trigger_control.pem /etc/dnssec-trigger/dnssec_trigger_control.pem: OK
Thank you Clemens! Prepared test PR https://src.fedoraproject.org/rpms/dnssec-trigger/pull-request/11 There is some chaos with trying to use -addtrust wrong way. It may make sense to add into client key: -addext extendedKeyUsage=clientAuth -addext basicConstraints=critical,CA:FALSE" The question is after all, what is encryption used for? Client key is word readable, probably just unix socket would work the same way. Tuning of any certificates does not seem to be very useful. But until someone finds a time for its updates, it should work again. We are planning to use dnsconfd integrated with NetworkManager instead anyway, as a way to offer DNS over TLS.
FEDORA-2024-3545266a31 (dnssec-trigger-0.17-36.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2024-3545266a31
FEDORA-2024-862d1d8686 (dnssec-trigger-0.17-35.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-862d1d8686
FEDORA-2024-862d1d8686 has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-862d1d8686` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-862d1d8686 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-3545266a31 has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-3545266a31` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-3545266a31 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-3545266a31 (dnssec-trigger-0.17-36.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2024-862d1d8686 (dnssec-trigger-0.17-35.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.