The snakeoil ssl certificate

I recently came across this one as part of a PostgreSQL upgrade I run on my Linux (Debian) box.

Going from version PostgreSQL 9.4 to 9.5 worked like a charm. Upgrading to version 9.6 did not go as well though … The error I was getting was:

FATAL: could not load server certificate file 
"/etc/ssl/certs/ssl-cert-snakeoil.pem": ee key too small

It turns out that the snakeoil certificate is a self-signed certificate that gets installed on your system when you first install the ssl-cert package. (Self signed means that is not signed by a Certificate Authority which in turn means it’s not a trusted certificate).
This is not regenerated every time the package gets upgraded so you might find that the certificate on your system is actually quite old. Mine was generated back in 2008 🤯 when I first setup this particular box with some updates that happened 2011 and then later on in 2017.

snakeoil certificate references from the /etc/ssl/certs/ folder on my Debian box

So the reason the PostgreSQL upgrade was failing was because the generated certificate was actually too old to comply with what PostgreSQL was expecting whilst upgrading to version 9.6.
The solution is to regenerate the snakeoil certificate with the following command.

make-ssl-cert generate-default-snakeoil --force-overwrite

Attempting the upgrade again worked nicely 🌞 this time!

Resources

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s