I recently came across this one as part of a PostgreSQL upgrade I ran on my Linux (Debian) box.
Going from PostgreSQL 9.4 to 9.5 worked like a charm. Upgrading to version 9.6 did not go as well though … The error I was getting was:
FATAL: could not load server certificate file
"/etc/ssl/certs/ssl-cert-snakeoil.pem": ee key too small
It turns out that the snakeoil certificate is a self-signed certificate that gets installed on your system when you first install the ssl-cert package. (Self-signed means that it is not signed by a Certificate Authority, which in turn means it’s not a trusted certificate.)
It is not regenerated every time the package gets upgraded, so you might find that the certificate on your system is actually quite old. Mine was generated back in 2008 🤯 when I first set up this particular box, with some updates that happened in 2011 and then later on in 2017.
So the PostgreSQL upgrade was failing because the existing certificate was too old to comply with what PostgreSQL expected when upgrading to version 9.6: as the error message says, its key is too small.
The solution is to regenerate the snakeoil certificate with the following command:
make-ssl-cert generate-default-snakeoil --force-overwrite
Attempting the upgrade again worked nicely 🌞 this time!
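A check one could run before an upgrade like this, as an added example that is not part of the original post: it reads the certificate's key size from `openssl x509 -noout -text` output and compares it with a minimum. The 2048-bit threshold, the function names and the sample excerpt are assumptions, and the comparison is only meaningful for RSA keys.

```sh
#!/bin/sh
# Added example: flag a certificate whose public key is below a minimum size.
# MIN_BITS is an assumed threshold; set it to what your TLS library requires.
MIN_BITS="${MIN_BITS:-2048}"

# Read `openssl x509 -noout -text` output on stdin, print the key size in bits.
# Matches both "Public-Key: (N bit)" and the older "RSA Public Key: (N bit)".
cert_key_bits() {
    sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Read the same text on stdin and print a verdict.
# Returns 0 if the key is large enough, 1 if too small, 2 if no size was found.
classify_cert_text() {
    bits=$(cert_key_bits)
    if [ -z "$bits" ]; then
        echo "unknown: no key size found"
        return 2
    fi
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "too small: $bits-bit key, minimum is $MIN_BITS"
        return 1
    fi
    echo "ok: $bits-bit key"
}

# Check a PEM certificate file on disk (requires the openssl command).
check_cert() {
    [ -r "$1" ] || { echo "unknown: cannot read $1"; return 2; }
    openssl x509 -in "$1" -noout -text | classify_cert_text
}

# Constructed excerpt of `openssl x509 -noout -text` output, not from a real box.
constructed_sample() {
    cat <<'EOF'
        Validity
            Not Before: Jan  1 00:00:00 2008 GMT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
EOF
}

# With a file argument, check that file; otherwise run on the constructed sample.
if [ "$#" -gt 0 ]; then
    check_cert "$1"
else
    constructed_sample | classify_cert_text || :
fi
```

Run with the certificate path from the error message as the argument; a non-zero exit status means the certificate should be regenerated before the upgrade.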
2 thoughts on “The snakeoil ssl certificate”
I recently got the same problem, and this blog post helped me!! thanks!!
This was super helpful; ran into this upgrading Postgres 9.6 to 11. Thanks!