ssl-cert (1.0.11.0ubuntu1) postinst is broken

FWIW: Running `sudo make-ssl-cert generate-default-snakeoil` and then reinstalling the ssl-cert and postfix packages seems to solve this issue.

I have the exact same problem on Ubuntu 7.04 server, when I try to install postfx it jams:

srivest@frodo:~$ sudo apt-get install postfix
Reading package lists... Done
Building dependency tree
Reading state information... Done
postfix is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
Need to get 0B of archives.
After unpacking 0B of additional disk space will be used.
Setting up postfix (2.3.8-2) ...
Adding system user `postfix' (UID 104) ...

[Hangs here, forever]

Would that be related ? Would the script have difficulty creating the postfix user ?

I was having the same problem when trying to install ssl-cert via a script post-preseed:

chgrp: cannot access `/etc/ssl/private/ssl-cert-snakeoil.key': No such file or directory
chmod: cannot access `/etc/ssl/private/ssl-cert-snakeoil.key': No such file or directory

The cause seems to be $HOME not being defined. The postinst calls make-ssl-cert, which uses the template file /usr/share/ssl-cert/ssleay.cnf as an argument to openssl -req. ssleay.cnf contains:

RANDFILE = $ENV::HOME/.rnd

which naturally breaks when $HOME isn't present. Ideally make-ssl-cert should either check for $HOME, or perhaps check for errors on the openssl command rather than sending to /dev/null ?

Try to install mktemp first:

# aptitude install mktemp

and try again

had the same problem when installing latest Alpha of Hardy Heron. I did a command line install and booted into recovery mode and afterwards did apt-get update and apt-get install. So the base packages are updated. Then I did apt-get install ubuntu-desktop.
and got the same error..

same problem installing hardy in a chroot environment with debootsrap.

The dpkg --compare-versions test in the postinst doesn't take into account new installations, which pass the empty version to dpkg --compare-versions.

@Steve: This will have to go via the SRU process now sadly.

Thanks for your bugreport.

I was not able to reproduce this error. I logged into a pbuilder chroot (pbuilder create; pbuilder login) and ran:
$ sudo apt-get install ssl-cert
without a error.

Trying:
$ sudo apt-get install postfix
in the pbuilder chroot worked too in hardy.

Could you please give let us know how to reproduce the issue?

Thanks,
 Michael

I'm sorry Michael, I don't have access to this server anymore, I'm now
working for another company.

Thanks for following up anyway.

Cheers

On Mon, Jun 2, 2008 at 10:26 PM, Michael Vogt <email address hidden>
wrote:

> Thanks for your bugreport.
>
> I was not able to reproduce this error. I logged into a pbuilder chroot
> (pbuilder create; pbuilder login) and ran:
> $ sudo apt-get install ssl-cert
> without a error.
>
> Trying:
> $ sudo apt-get install postfix
> in the pbuilder chroot worked too in hardy.
>
> Could you please give let us know how to reproduce the issue?
>
> Thanks,
> Michael
>
> ** Changed in: ssl-cert (Ubuntu)
> Status: Confirmed => Incomplete
>
> ** Changed in: ssl-cert (Ubuntu Hardy)
> Status: Confirmed => Incomplete
>
> --
> ssl-cert (1.0.11.0ubuntu1) postinst is broken
> https://bugs.launchpad.net/bugs/43987
> You received this bug notification because you are a direct subscriber
> of the bug.
>

--
Serge Rivest

"Success is getting what you want. Happiness is wanting what you get." -
Dale Carnegie

As for me personally (the original poster of the bug), I couldn’t reproduce this in Hardy. That said, there are reports of others in this thread having this (or a similar) issue in Hardy.

I can reproduce this on a fresh install of hardy built with debootstrap. I have an init script that tries to install post script then remove itself late in the boot process and it comes up with ssl-cert failed to install and blocked the postfix install ... exactly as shown above. I will try to see if I have the same issue installing as root on the console after boot.

This does not happen if I manually perform the same steps that resulted in the problem. Nor does it happen if I try to do it remotely over SSH

 ssh root@192.168.1.118 'apt-get install postfix' &> log

The init script was placed here: /etc/rc2.d/S95instpostfix

Austin

I can reproduce when running debootstrap from cron.

Use the attached script to reproduce:
1) Add debootstrap and chroot to sudoers as NOPASSWD:
user host=NOPASSWD: /usr/sbin/chroot
user host=NOPASSWD: /usr/sbin/debootstrap
2) Run attached script via cron
3) Script fails with the following error:
[...]
chgrp: cannot access `/etc/ssl/private/ssl-cert-snakeoil.key': No such
file or directory
chmod: cannot access `/etc/ssl/private/ssl-cert-snakeoil.key': No such
file or directory
dpkg: error processing ssl-cert (--configure):
 subprocess post-installation script returned error exit status 1
Errors were encountered while processing:
 ssl-cert
E: Sub-process /usr/bin/dpkg returned an error code (1)

(Step 4: Clean up sudoers if desired)

The patch I attached in comment #7 fixes the problem for me.

Quick comment, dpkg --compare-versions should use "lt-nl", not "lt" (then you don't need the extra [ -n "$2" ]).

Hi,

This can't be reproduced in Intrepid as it was fixed there when 1.0.15 was merged.

The code shouldn't break on fresh installs, though it is redundant, as the key that
it chmods is created a couple of lines earlier in the file.

The other clue is that it reports failures for both chgrp and chmod, because the postinst
at that time was not set -e, so if the key wasn't created it would still try and operate on it.

I think the correct fix in hardy would therefore be to simply add -e to the first line of the
postinst (and probably postrm), as while the current proposed patch would fix the initial
install case it still leaves a problem when the key couldn't be created.

I'm reluctant to fix this, as all it would do would be to shift the install failure a couple of
lines earlier. There is still the question of what the failure is, as there is no error message
from the key creation failure.

It could be argued that it should be fixed with a check for the presence of the key, and the
key creation should be allowed to fail silently. I don't like that, as while package install failures
are annoying, it may leave the user unable to start e.g. postfix after installation as the cert
was not created and they got no notification about why.

I can't reproduce the failure in a hardy pbuilder here to have a guess at what the underlying
issue is.

Thanks,

James

James,

It was stated above that the cause appears to be HOME missing from the environment. I believe this is the case, although I haven't tested thoroughly.

Thanks,
Forest

Hello,
   I've been able to reproduce this on Hardy with ssl-cert version 1.0.14-0ubuntu2.1. I've been running into problems getting postgresql installed via chef. Debug output showed exactly the same problem the original reporter was having. Automatic chef runs don't set a HOME environment. Once I added a line to my chef recipe to set $HOME, everything worked. /usr/share/ssl-cert/ssleay.cnf should perhaps use a reasonable default location like /var/tmp if $HOME is not set.
  This bug has been marked fix released, but the latest package available for Hardy still has this problem. It looks like the version in Lucid has been fixed to not rely on $HOME. Is there a plan to make a fix available for Hardy?
Thanks,
Michael

Thank you for reporting this bug to Ubuntu. Hardy reached EOL on May 9, 2013.
See this document for currently supported Ubuntu releases: https://wiki.ubuntu.com/Releases

LinkedIn
------------

Bug,

I'd like to include you in my network to share updates and stay in touch.

- Serge

Serge Rivest
Web Developer / Linux Systems Administrator at WebdevDural
Tasmania, Australia

Confirm that you know Serge Rivest:
https://www.linkedin.com/e/-tgfpix-hnm7se4y-1c/isd/17798532375/c8TvqFk5/?hs=false&tok=0iTuvDWXIyTBY1

--
You are receiving Invitation to Connect emails. Click to unsubscribe:
http://www.linkedin.com/e/-tgfpix-hnm7se4y-1c/ukoob0dlIvjNdpXi6Cv9qNXfAs5O0ZrLhIfmSg/goo/43987%40bugs%2Elaunchpad%2Enet/20061/I5870546364_1/?hs=false&tok=0HlVJMPQ0yTBY1

(c) 2012 LinkedIn Corporation. 2029 Stierlin Ct, Mountain View, CA 94043, USA.