https://bugzilla.redhat.com/show_bug.cgi?id=1901486
Bug ID: 1901486
Summary: Release notes should mention fixes for older systems
impacted by security tightening in F33
Product: Fedora Documentation
Version: devel
Status: NEW
Component: release-notes
Assignee: pbokoc(a)redhat.com
Reporter: russ+bugzilla-redhat(a)gloomytrousers.co.uk
QA Contact: docs-qa(a)lists.fedoraproject.org
CC: relnotes(a)fedoraproject.org, wb8rcr(a)arrl.net,
zach(a)oglesby.co
Target Milestone: ---
Classification: Fedora
Description of problem:
On booting my system after upgrade from F31 to F33, neither httpd nor dovecot
would start. This system is quite an old one that's been upgraded through many
versions of Fedora. This appears to be a result of "Strong Crypto Settings -
Phase 2" mentioned on
https://docs.fedoraproject.org/en-US/fedora/f33/release-notes/sysadmin/Secu…
The relevant errors were:
* Apache (/var/log/httpd/error_log):
[Mon Nov 23 11:44:11.517501 2020] [ssl:emerg] [pid 13680:tid 13680] AH02562:
Failed to configure certificate gigalith.gloomytrousers.co.uk:443:0 (with
chain), check /etc/pki/tls/certs/localhost.crt
[Mon Nov 23 11:44:11.517525 2020] [ssl:emerg] [pid 13680:tid 13680] SSL Library
Error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
This cert was 1024 bit, first generated in 2010. The fix was to remove
/etc/pki/tls/certs/localhost.crt and /etc/pki/tls/private/localhost.key then
run /usr/libexec/httpd-ssl-gencerts.
* Dovecot (journal):
Nov 23 12:35:27 gigalith.gloomytrousers.co.uk dovecot[31160]: config: Warning:
please set ssl_dh=</etc/dovecot/dh.pem
Nov 23 12:35:27 gigalith.gloomytrousers.co.uk dovecot[31160]: config: Warning:
You can generate it with: dd if=/var/lib/dovecot/ssl-parameters.dat bs=1
skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem
/etc/dovecot/dh.pem was present, dating from 2013. The recommended fix did
NOT work (I recall having run this in the past) - it just generated an
identical file. The actual fix (stumbled across in bug 1882939) was to
regenerate the DH params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
(this took 32 mins on my machine!)
I suspect Exim might also have similar problems for some people, although I
didn't have a problem (my cert was 2048 bit from 2010, although I think I
generated this in a non-default way at the time). The fix in this case would be
to remove /etc/pki/tls/certs/exim.pem and /etc/pki/tls/private/exim.pem then
run /usr/libexec/exim-gen-cert.
I suggest these workarounds which might be required for older systems be
documented on
https://docs.fedoraproject.org/en-US/fedora/f33/release-notes/sysadmin/Secu…
- along with anything else that might suffer from similar issues.
--
You are receiving this mail because:
You are on the CC list for the bug.
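A pre-upgrade check for the failures described in the report above, as an added example that is not part of the bug report or of Fedora's tooling: it reads the RSA key size of the certificates and the prime size of the DH parameter file named in the report from `openssl ... -text` output. The 2048-bit minimum, the function names and the sample text are assumptions; set MIN_BITS to match the crypto policy in use.

```shell
#!/bin/sh
# Added example: audit the TLS files named in the report before upgrading.
# Assumption: 2048 bits as the minimum RSA/DH size; override with MIN_BITS.
MIN_BITS="${MIN_BITS:-2048}"

# verdict_from_text <cert|dh>: reads `openssl ... -noout -text` output on stdin
# and prints "<OK|WEAK|UNKNOWN> <bits>".
verdict_from_text() {
    text=$(cat)
    # First "(N bit)" is the public key size (x509) or the DH prime size (dhparam).
    bits=$(printf '%s\n' "$text" | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    # EC key sizes are not comparable to RSA sizes, so only RSA certs are judged.
    if [ "$1" = cert ]; then
        case "$text" in *rsaEncryption*) ;; *) bits= ;; esac
    fi
    if [ -z "$bits" ]; then echo "UNKNOWN -"
    elif [ "$bits" -ge "$MIN_BITS" ]; then echo "OK $bits"
    else echo "WEAK $bits"
    fi
}

# audit_file <cert|dh> <path>: prints "<verdict> <bits> <path>".
audit_file() {
    [ -r "$2" ] || { echo "MISSING - $2"; return 0; }
    case "$1" in
        cert) cmd=x509 ;;
        dh)   cmd=dhparam ;;
        *)    echo "UNKNOWN - $2"; return 0 ;;
    esac
    echo "$(openssl "$cmd" -in "$2" -noout -text 2>/dev/null | verdict_from_text "$1") $2"
}

# Paths are the ones given in the report (httpd, Exim, Dovecot).
audit_all() {
    audit_file cert /etc/pki/tls/certs/localhost.crt
    audit_file cert /etc/pki/tls/certs/exim.pem
    audit_file dh   /etc/dovecot/dh.pem
}

# Constructed sample of x509 text output for a 1024-bit RSA certificate.
SAMPLE_CERT_TEXT='Public Key Algorithm: rsaEncryption
    RSA Public-Key: (1024 bit)'
printf '%s\n' "$SAMPLE_CERT_TEXT" | verdict_from_text cert
audit_all
```

A WEAK line identifies a file to regenerate with the commands given in the report before the services are restarted on F33.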
https://bugzilla.redhat.com/show_bug.cgi?id=1889931
Bug ID: 1889931
Summary: feature request: release notes document status of
systemd-homed for install and upgrade to fedora33
Product: Fedora Documentation
Version: devel
OS: Linux
Status: NEW
Component: release-notes
Severity: medium
Assignee: pbokoc(a)redhat.com
Reporter: william.garber(a)att.net
QA Contact: docs-qa(a)lists.fedoraproject.org
CC: relnotes(a)fedoraproject.org, wb8rcr(a)arrl.net,
zach(a)oglesby.co
Target Milestone: ---
Classification: Fedora
Description of problem:
I would like some easy-to-find documentation on the status of systemd-homed setup
for install and/or upgrade to Fedora 33,
i.e. what happens to the standard home directory on upgrade.
Version-Release number of selected component (if applicable):
Fedora 32 upgrade to Fedora 33
How reproducible:
I would like to know how this works before installing.
Additional info:
It was not so easy to find on the web.
It should be easier to find on the Fedora website.