DALnet / bahamut

The Bahamut IRC Daemon
http://www.dal.net/?page=Bahamut

ircd.key size is too small #158

Closed rscs closed 4 years ago

rscs commented 4 years ago
[2020-04-18 15:47:13] <happyfish> Installing bahamut 2.1.4.  Ran ./make-cert.sh to generate SSL cert.  Error SSL_CTX_use_certificate:ee key too small:ssl/ssl_rsa.c:310:  ssl failed! 
[2020-04-18 15:47:53] <xPsycho> hi, happyfish
[2020-04-18 15:47:53] <xPsycho> hmmm
[2020-04-18 15:48:38] <xPsycho> seems like we are only creating a 1024-bit key
[2020-04-18 15:48:45] <xPsycho> probably needs to be updated to 2048
[2020-04-18 15:49:09] <xPsycho> I haven't seen that pop up anywhere before though
[2020-04-18 15:49:17] <happyfish> yes, initially I was getting this, which may be related.  # ./ircd
[2020-04-18 15:49:17] <happyfish> bahamut-2.1.4 booting...
[2020-04-18 15:49:17] <happyfish> Initializing Encryption...
[2020-04-18 15:49:17] <happyfish> No random state found, generating entropy from /dev/urandom...
[2020-04-18 15:49:29] <xPsycho> so I wonder if your machine has a custom minimum ... or a new version of openssl has a new minimum default
[2020-04-18 15:49:52] <happyfish> thanks, i'll dig into openssl
[2020-04-18 15:50:30] <xPsycho> try changing "default_bits = 1024" to "default_bits = 2048" in our make-cert.cnf, then re-run make-cert.sh
[2020-04-18 15:52:45] <xPsycho> ls
[2020-04-18 15:54:45] <xPsycho> also, what version of OpenSSL are you using?  type "openssl version"
[2020-04-18 15:56:00] <happyfish> OpenSSL 1.1.1c FIPS  28 May 2019
[2020-04-18 15:58:51] <xPsycho> new enough
[2020-04-18 15:58:52] <xPsycho> hmm
[2020-04-18 16:00:14] <xPsycho> is this Debian?
[2020-04-18 16:03:38] <happyfish> RHEL 8.1.  I regenerated 2048 bit cert and it worked. 
[2020-04-18 16:03:47] <happyfish> "Ircd is now becoming a daemon."
[2020-04-18 16:03:52] <xPsycho> great
[2020-04-18 16:03:55] <xPsycho> I found this about Debian: https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1
[2020-04-18 16:04:09] <xPsycho> in /etc/ssl/openssl.cnf, CipherString = DEFAULT@SECLEVEL=2
[2020-04-18 16:04:16] <xPsycho> SECLEVEL=2 means a minimum key size of 2048