Copy snakeoil certificate and key instead of symlinking #629
Conversation
Same problem with debian jessie's postgresql-9.4.2-0+deb8u1. It seems that https://www.debian.org/security/2015/dsa-3270 and https://www.debian.org/security/2015/dsa-3269 made something more strict regarding the location of these keys & certs, but it doesn't really strike out in the announcements.
Here are some details about this issue: https://wiki.postgresql.org/wiki/May_2015_Fsync_Permissions_Bug nb: all distros would be affected, not only Debian/Ubuntu. Not sure what the default install looks like on other distros, maybe no specific action needs to be taken (ie: cert/key already have the correct ownership/permission/location).
Looks like a good fix to me.
@mfournier while that may be true, we haven't implemented it on other platforms, so we couldn't have broken it. What I'm curious about now is: does that mean that a puppet installed/configured postgresql on rhel platforms doesn't support ssl connections?
The result of the test was: FAIL. I am a beta CI bot. I am probably lying to you.
We've had this really annoying problem for more than 3 weeks now and nobody else complained... I'd be curious to know if we are the only ones with this problem... @DavidS could you please review this PR?
@mcanevet the fix looks straight-forward enough. I'd suggest using 0600 permissions for the key, though, unless you have an overriding need for allowing group members to read the key. If you're in there, please also fix the comment to not refer to linking. Please ping me for merge.
Since postgresql-9.1_9.1.16-0+deb7u1 on wheezy, postgresql can't read snakeoil certificate as symlink anymore, so server does not restart. This patch copies cert and key instead of symlinking so that it works again.
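For illustration, an added Puppet snippet (not the module's own code) showing the shape of the fix under discussion: the Debian snakeoil certificate and key are copied into the data directory as regular files owned by the server user, with the key at 0600 as suggested in review, so the stricter key-permission check introduced with the May 2015 releases no longer trips on a symlink to a root-owned, group-readable file. The data directory path and the `postgres` user/group are assumptions.

```puppet
# Added example, not part of the puppetlabs-postgresql module.
# Assumed data directory for a Debian/Ubuntu 9.4 cluster.
$datadir = '/var/lib/postgresql/9.4/main'

# The certificate is public; a world-readable copy is fine.
file { "${datadir}/server.crt":
  ensure => file,
  source => 'file:///etc/ssl/certs/ssl-cert-snakeoil.pem',
  owner  => 'postgres',
  group  => 'postgres',
  mode   => '0644',
}

# The private key must be a regular file owned by the server user and
# readable only by it; a symlink to /etc/ssl/private (root:ssl-cert, 0640)
# fails the server's start-up check. show_diff keeps key material out of
# Puppet reports and logs.
file { "${datadir}/server.key":
  ensure    => file,
  source    => 'file:///etc/ssl/private/ssl-cert-snakeoil.key',
  owner     => 'postgres',
  group     => 'postgres',
  mode      => '0600',
  show_diff => false,
}
```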
@DavidS ping
Copy snakeoil certificate and key instead of symlinking
brilliant. thanks!
Since postgresql-9.1_9.1.16-0+deb7u1 on wheezy, postgresql can't read
snakeoil certificate as symlink anymore, so server does not restart.
This patch copies cert and key instead of symlinking so that it works
again.