Fails running in chroot with "ENGINE_by_id failed (crypto failure)"

Bug #1630025 reported by Alexander Radev on 2016-10-03
This bug affects 6 people
Affects: BIND; Importance: Undecided; Assigned to: Unassigned
Affects: bind9 (Debian); Status: Fix Released; Importance: Unknown
Affects: bind9 (Ubuntu); Importance: Low; Assigned to: Unassigned
Affects: Xenial; Importance: Undecided; Assigned to: Unassigned

Bug Description

Running inside an OpenVZ guest, it is not possible to use the AppArmor as discussed, so I am trying to configure BIND9 to run in chroot.

Then I got the following in the log:

named[3398]: ENGINE_by_id failed (crypto failure)
named[3398]: error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
named[3398]: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:467:
named[3398]: error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:390:id=gost
named[3398]: initializing DST: crypto failure
named[3398]: exiting (due to fatal error)
systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE

This seems to be a bug that is found in Debian https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820974
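For triage, the OpenSSL error-queue lines in the log above can be parsed to pull out which engine failed to load. This is an added example, not part of the original report or of BIND: the function names are hypothetical, and the code split assumes the OpenSSL 1.0.x packing (8-bit library, 12-bit function, 12-bit reason).

```python
import re

# Constructed sample: the log lines quoted in the bug description above.
SAMPLE_LOG = """\
named[3398]: ENGINE_by_id failed (crypto failure)
named[3398]: error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:233:
named[3398]: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:467:
named[3398]: error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:390:id=gost
named[3398]: initializing DST: crypto failure
named[3398]: exiting (due to fatal error)
"""

# Line layout: error:<hex code>:<library>:<function>:<reason>:<file>:<line>:<data>
ERR_RE = re.compile(
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):"
    r"(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$"
)

def parse_openssl_errors(log_text):
    """Return one dict per OpenSSL error line, with the packed code split up."""
    entries = []
    for raw in log_text.splitlines():
        m = ERR_RE.search(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        code = int(e["code"], 16)
        # Assumed OpenSSL 1.0.x packing: library, function, reason.
        e["lib_num"] = (code >> 24) & 0xFF
        e["func_num"] = (code >> 12) & 0xFFF
        e["reason_num"] = code & 0xFFF
        entries.append(e)
    return entries

def missing_engines(log_text):
    """Engine ids reported as 'no such engine' alongside a failed DSO_load."""
    errs = parse_openssl_errors(log_text)
    if not any(e["func"] == "DSO_load" for e in errs):
        return []
    ids = set()
    for e in errs:
        if e["func"] == "ENGINE_by_id" and e["reason"] == "no such engine":
            ids.update(re.findall(r"\bid=([\w-]+)", e["data"]))
    return sorted(ids)

if __name__ == "__main__":
    print(missing_engines(SAMPLE_LOG))
```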

Changed in bind9 (Debian):
status: Unknown → New
Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Since this bug affects a non-default configuration of bind, there are alternatives (such as AppArmor and running in a container) and OpenVZ is not part of Ubuntu, I'm setting the importance of this bug to Low. I don't expect anyone on the Ubuntu Server Team to work on this bug, but if someone else wants to provide a fix, please do.

Changed in bind9 (Ubuntu):
importance: Undecided → Low
Changed in bind9 (Debian):
status: New → Fix Released
Brian Menges (mengesb) wrote :

Per https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820974#86, Debian has fixed this. Can we please import this package to get this resolved? While this may be thought of as a non-standard configuration, this is a critical security issue that is now solved upstream. Could we please get this update pushed?

Brian Menges (mengesb) wrote :

I can confirm that the following Debian packages resolve the issue:

bind9_9.10.3.dfsg.P4-12.3+deb9u3_amd64.deb
bind9utils_9.10.3.dfsg.P4-12.3+deb9u3_amd64.deb
libbind9-140_9.10.3.dfsg.P4-12.3+deb9u3_amd64.deb
libdns162_9.10.3.dfsg.P4-12.3+deb9u3_amd64.deb
libgssapi-krb5-2_1.15-1+deb9u1_amd64.deb
libisc160_9.10.3.dfsg.P4-12.3+deb9u3_amd64.deb
libisccc140_9.10.3.dfsg.P4-12.3+deb9u3_amd64.deb
libisccfg140_9.10.3.dfsg.P4-12.3+deb9u3_amd64.deb
libk5crypto3_1.15-1+deb9u1_amd64.deb
libkrb5-3_1.15-1+deb9u1_amd64.deb
libkrb5support0_1.15-1+deb9u1_amd64.deb
liblwres141_9.10.3.dfsg.P4-12.3+deb9u3_amd64.deb
libssl1.0.2_1.0.2l-2+deb9u1_amd64.deb

If we could get bind9 and dependencies rebuilt with the necessary patch (from the bug, a 1-liner), that'd be splendid, so that we can return to a safe chroot bind9 scenario.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in bind9 (Ubuntu):
status: New → Confirmed
Brian Menges (mengesb) wrote :

Will this be fixed any time soon?

Hi Brian,
these versions are actually already in Artful and Bionic.
Given the time you opened this, you found that on Xenial, so I'll add a task for an SRU.

@Andreas - you look at bind fixes every now and then - how about including this on your next run?

Changed in bind9 (Ubuntu):
status: Confirmed → Fix Released
Changed in bind9 (Ubuntu Xenial):
status: New → Triaged