Description of problem:
After a recent update to some *ssl* packages in Mga7 my server stopped running httpd:

[ssl:emerg] [pid 17516] SSL Library Error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
AH00016: Configuration Failed

The fix (thanks to Luigi12) was to increase the key length to 4096. For anyone in this situation the exact procedure was as follows:

1. Edit /etc/sysconfig/ssl to read:
   KEY_LENGTH=4096 (was 2048)
2. Delete /etc/pki/tls/certs/httpd.pem
   Delete /etc/pki/tls/private/httpd.pem
3. Run:
   /usr/share/rpm-helper/create-ssl-certificate apache 1 httpd
4. Reboot

The 2048 is hard coded into the script, so without the edit to /etc/sysconfig/ssl the script would fail to increase the length. The script needs updating in the rpm-helper package which needs admin access to update, apparently.

Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1.
2.
3.
Component: Others => RPM Packages
Assignee: sysadmin-bugs => bugsquad
CC: sysadmin-bugs => (none)
Product: Infrastructure => Mageia
Version: unspecified => 7
I'm guessing the sources for rpm-helper are in Mageia git, so we'll need a Mageia developer to update it.
CC: (none) => luigiwalser
Version: 7 => Cauldron
Assignee: bugsquad => mageiatools
Whiteboard: (none) => MGA7TOO
We should add a blurb about this in the Mageia Release Notes too.
Update rpm-helper-0.24.17-5.1.mga7 uploaded by Jani, fixing this.
Assignee: mageiatools => qa-bugs
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Advisory:
--------

The updated crypto-policies from the Firefox ESR 78 update no longer accept SSL private keys with a key length less than 4096. The rpm-helper package generated keys with a length of 2048.

If you had previously edited the /etc/sysconfig/ssl file, you will need to update the KEY_LENGTH value to 4096 as this update does, and generate new keys and certificates.

For example, to generate a new private key and certificate for the Apache web server, run the following commands as root:

rm -f /etc/pki/tls/private/httpd.pem /etc/pki/tls/certs/httpd.pem
/usr/share/rpm-helper/create-ssl-certificate apache 1 httpd
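
A read-only check for the condition this report describes, as an added example that is not part of the bug thread or of rpm-helper: it reads KEY_LENGTH from the sysconfig file and the key size of the installed certificate, and flags anything below the advisory's 4096. The function names and the MIN_BITS variable are illustrative, and the certificate check assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: audit the SSL key-length setup discussed in this report.
# Assumptions: paths are those named in the report; MIN_BITS defaults to
# the advisory's 4096; all function names here are illustrative.
MIN_BITS=${MIN_BITS:-4096}

# Print KEY_LENGTH from a sysconfig-style file (last uncommented assignment).
configured_key_length() {
    sed -n 's/^[[:space:]]*KEY_LENGTH="\{0,1\}\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Print the public key size, in bits, of a PEM certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed only if the argument is a number >= MIN_BITS.
meets_minimum() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$MIN_BITS" ]
}

# Check one config file and one certificate; non-zero status if either fails.
audit_ssl_setup() {
    conf=$1; cert=$2; rc=0
    len=$(configured_key_length "$conf")
    if meets_minimum "$len"; then
        echo "OK   $conf: KEY_LENGTH=$len"
    else
        echo "FAIL $conf: KEY_LENGTH=${len:-unset}, below $MIN_BITS"; rc=1
    fi
    if [ -r "$cert" ]; then
        bits=$(cert_key_bits "$cert")
        if meets_minimum "$bits"; then
            echo "OK   $cert: $bits-bit key"
        else
            echo "FAIL $cert: ${bits:-unknown}-bit key, regenerate it"; rc=1
        fi
    else
        echo "SKIP $cert: not readable"
    fi
    return $rc
}

# Audit the paths from this report only when invoked with --run (as root).
if [ "${1:-}" = "--run" ]; then
    audit_ssl_setup /etc/sysconfig/ssl /etc/pki/tls/certs/httpd.pem
fi
```

Run it with `--run` before restarting httpd after the update; a FAIL on the certificate line means the existing httpd.pem still carries the old key and has to be regenerated.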
MGA7-64 Plasma on Lenovo B50
No installation issues.
Checked the file /etc/sysconfig/ssl, it has the value 4096 now. But what this is really all about, I haven't a clue. I have a webserver running on my desktop PC and that never gave a problem (since I do not mingle with keys).
Anyway, this server remains accessible from this laptop after the update. Leaving for someone else to do a sensible test.
CC: (none) => herman.viaene
Herman, have you restarted your web server since the update? That's when Barry saw the problem.
No, because the update has not been applied to that desktop PC, just to my testing laptop installation.
Blocks: (none) => 27358
What about this update?
CC: (none) => ouaurelien
It is a very simple change, please validate it.
Advisory pushed to SVN.
CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGAA-2020-0217.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED