Copy snakeoil certificate and key instead of symlinking #629

Merged
merged 1 commit into from
Jun 19, 2015

mcanevet
Contributor

Since postgresql-9.1_9.1.16-0+deb7u1 on wheezy, postgresql can't read
snakeoil certificate as symlink anymore, so server does not restart.
This patch copies cert and key instead of symlinking so that it works
again.

@mfournier

Same problem with debian jessie's postgresql-9.4.2-0+deb8u1. It seems that https://www.debian.org/security/2015/dsa-3270 and https://www.debian.org/security/2015/dsa-3269 made something more strict regarding the location of these keys & certs, but it doesn't really strike out in the announcements.

@igalic
Contributor

igalic commented May 26, 2015

👍

@bastelfreak
Collaborator

👍 for that

@mcanevet mcanevet force-pushed the fix/cert branch 2 times, most recently from 94d84d8 to fc33172 Compare May 26, 2015 13:30
@dougneal

👍

@saimonn
Contributor

saimonn commented May 26, 2015

👍

@mfournier

Here are some details about this issue: https://wiki.postgresql.org/wiki/May_2015_Fsync_Permissions_Bug

NB: all distros would be affected, not only Debian/Ubuntu. Not sure what the default install looks like on other distros; maybe no specific action needs to be taken (i.e. cert/key already have the correct ownership/permission/location).

@raphink
Contributor

raphink commented May 27, 2015

Looks like a good fix to me.

@igalic
Contributor

igalic commented May 27, 2015

@mfournier while that may be true, we haven't implemented it on other platforms, so we couldn't have broken it.

what i'm curious about now is: does that mean that a puppet installed/configured postgresql on rhel platforms doesn't support ssl connections?

@puppet-community-ci

The result of the test was: FAIL
Details at http://planck.nibalizer.com/buildlogs/puppetlabs+puppetlabs-postgresql+629+1433152471+FAIL

I am a beta ci bot. I am probably lying to you.
You can contact nibalizer for more details.

@mcanevet
Contributor Author

We had this really annoying problem more than 3 weeks ago and nobody else complained... I'd be curious to know if we are the only ones with this problem...

@DavidS could you please review this PR?

@DavidS
Contributor

DavidS commented Jun 19, 2015

@mcanevet the fix looks straight-forward enough. I'd suggest using 0600 permissions for the key, though, unless you have an overriding need for allowing group members to read the key.

If you're in there, please also fix the comment to not refer to linking.

Please ping me for merge.
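
A post-apply check for what this pull request and the review above ask for, as an added example that is not part of the pull request or the module: it flags a certificate or key in the data directory that is still a symlink, and a key whose mode grants anything to group or others. The file names `server.crt` and `server.key` (PostgreSQL's default names), the data directory path and the helper name `audit_ssl_files` are assumptions.

```python
import os
import stat
import sys

# Assumed file names: PostgreSQL's defaults for ssl_cert_file / ssl_key_file.
CERT_NAME = "server.crt"
KEY_NAME = "server.key"


def audit_ssl_files(data_dir, expected_uid=None):
    """Return a list of findings for the cert and key in data_dir (hypothetical helper)."""
    findings = []
    for name in (CERT_NAME, KEY_NAME):
        path = os.path.join(data_dir, name)
        try:
            st = os.lstat(path)  # lstat: inspect the link itself, not its target
        except FileNotFoundError:
            findings.append(f"{name}: missing")
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{name}: symlink to {os.readlink(path)}, expected a copy")
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append(f"{name}: not a regular file")
            continue
        if expected_uid is not None and st.st_uid != expected_uid:
            findings.append(f"{name}: owned by uid {st.st_uid}, expected {expected_uid}")
        mode = stat.S_IMODE(st.st_mode)
        # Only the private key needs to be closed to group and others.
        if name == KEY_NAME and mode & 0o077:
            findings.append(f"{name}: mode {mode:04o} grants group/other access, expected 0600")
    return findings


if __name__ == "__main__":
    # Data directory comes from the command line; the default is a placeholder.
    target = sys.argv[1] if len(sys.argv) > 1 else "/path/to/postgresql/data"
    problems = audit_ssl_files(target)
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

The script exits non-zero when it has findings, so it can gate a deployment or run from monitoring.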

@mcanevet
Contributor Author

@DavidS ping

DavidS added a commit that referenced this pull request Jun 19, 2015
Copy snakeoil certificate and key instead of symlinking
@DavidS DavidS merged commit 4b1196b into puppetlabs:master Jun 19, 2015
@DavidS
Contributor

DavidS commented Jun 19, 2015

brilliant. thanks!

@mcanevet mcanevet deleted the fix/cert branch June 19, 2015 12:40