The snakeoil ssl certificate

I recently came across this one as part of a PostgreSQL upgrade I ran on my Linux (Debian) box.

Going from PostgreSQL version 9.4 to 9.5 worked like a charm. Upgrading to version 9.6 did not go as well, though … The error I was getting was:

FATAL: could not load server certificate file "/etc/ssl/certs/ssl-cert-snakeoil.pem": ee key too small

It turns out that the snakeoil certificate is a self-signed certificate that gets installed on your system when you first install the ssl-cert package. (Self-signed means that it is not signed by a Certificate Authority, which in turn means it's not a trusted certificate.)
It is not regenerated every time the package gets upgraded, so you might find that the certificate on your system is actually quite old. Mine was generated back in 2008 🤯 when I first set up this particular box, with some updates that happened in 2011 and then later on in 2017.

[Image: snakeoil certificate references from the /etc/ssl/certs/ folder on my Debian box]

So the PostgreSQL upgrade was failing because the generated certificate was too old to comply with what PostgreSQL expected when upgrading to version 9.6; as the error message says, its key was too small.
The solution is to regenerate the snakeoil certificate with the following command:

make-ssl-cert generate-default-snakeoil --force-overwrite

Attempting the upgrade again worked nicely 🌞 this time!
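
A pre-upgrade check for the failure described above, as an added example that is not part of the original post: it reads a certificate's key size and issue date with openssl and flags keys below a threshold. The function names and the 2048-bit minimum (meant for RSA keys such as the snakeoil one) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report a certificate's public-key size and issue date,
# and flag keys smaller than MIN_BITS.
# MIN_BITS=2048 is an assumed threshold for RSA keys; it is not taken
# from the post. Override it in the environment if your policy differs.
MIN_BITS="${MIN_BITS:-2048}"

# Print the public-key size in bits of the PEM certificate given as $1.
# Prints nothing if the file is missing or is not a certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' |
        head -n 1
}

# Return 0 if the key has at least MIN_BITS bits, 1 if it is smaller,
# 2 if the certificate could not be read.
check_cert() {
    bits=$(cert_key_bits "$1")
    if [ -z "$bits" ]; then
        echo "UNREADABLE $1"
        return 2
    fi
    issued=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "WEAK $1: ${bits}-bit key, issued $issued"
        return 1
    fi
    echo "OK $1: ${bits}-bit key, issued $issued"
}

# Check the snakeoil certificate from the error message, if present.
SNAKEOIL=/etc/ssl/certs/ssl-cert-snakeoil.pem
if [ -r "$SNAKEOIL" ]; then
    check_cert "$SNAKEOIL" || true
fi
```

A WEAK result on the snakeoil certificate before an upgrade means it should be regenerated with the make-ssl-cert command above.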
