Posted to users@httpd.apache.org by John Iliffe <jo...@iliffe.ca> on 2014/04/12 03:40:38 UTC
[users@httpd] mod ssl
I am compiling Apache-2.4.9 from source with the new openssl 1.0.1g. So
far everything looks good EXCEPT that Apache won't start. After making a
number of tweaks to the configuration, I'm stuck. The error from httpd -t
is:
httpd: Syntax error on line 130 of /usr/apache-2.4.9/conf/httpd.conf:
Cannot load modules/mod_ssl.so into server: libssl.so.1.0.0: cannot open
shared object file: No such file or directory
I compiled with:
"./configure" \
"--prefix=/usr/apache-2.4.9" \
"--with-included-apr" \
"--with-pcre=/usr/pcre-8.32" \
"--with-ssl=/usr/openssl-1.0.1g" \
and the modules/ directory has the following partial listing:
-rwxr-xr-x 1 root root 35192 Apr 10 20:23 mod_socache_memcache.so
-rwxr-xr-x 1 root root 66857 Apr 10 20:23 mod_socache_shmcb.so
-rwxr-xr-x 1 root root 36732 Apr 10 20:23 mod_speling.so
-rwxr-xr-x 1 root root 826891 Apr 10 20:23 mod_ssl.so
-rwxr-xr-x 1 root root 61870 Apr 10 20:23 mod_status.so
-rwxr-xr-x 1 root root 42570 Apr 10 20:23 mod_substitute.so
Note that mod_ssl.so is third from the bottom. I'm assuming that there is
some problem with the way I compiled openssl but it doesn't save a copy of
the command line. Here is what I "think" I used:
./configure --prefix=/usr/openssl-1.0.1g shared
which worked OK when I compiled Apache.
I'm sure if I weren't in such an all-fired hurry I could figure this out but
I would ask anyone who has already done this update to help me out here.
Thanks in advance.
John
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Re: mod ssl
Posted by John Iliffe <jo...@iliffe.ca>.
Basil:
I pretty much followed the Apache INSTALL documentation except as noted in
this thread.
Before you install Apache you have to install PCRE if you don't already
have it (I installed pcre-8.32 a couple of years ago) and OpenSSL. I put
them in /usr under their own sub directory (/usr/pcre-8.32 and
/usr/openssl-1.0.1g). Then when you compile Apache let the compiler know
where they both are. For example, --with-ssl=/usr/openssl-1.0.1g. The
issue I encountered was simply that the path included in the "with-ssl"
parameter was not passed to the resulting DSO module as expected. The
resulting traffic gives several ways to resolve this, most of them better
than what I came up with.
At a guess, you either don't have PCRE installed or didn't give Apache the
path. But there are people who know a whole lot more about how all this
fits than me! (PCRE is the Perl regular expression library and is required
by Apache. It is described somewhere in the INSTALL docs).
Good luck!
John
===================================
On Monday 14 April 2014 02:17:26 Basil wrote:
> John Iliffe <john.iliffe <at> iliffe.ca> writes:
> > I am compiling Apache-2.4.9 from source with the new openssl 1.0.1g.
> > So far everything looks good EXCEPT that Apache won't start. After
> > making a number of tweaks to the configuration, I'm stuck. The error
> > from httpd -t is:
> >
> > httpd: Syntax error on line 130 of /usr/apache-2.4.9/conf/httpd.conf:
> > Cannot load modules/mod_ssl.so into server: libssl.so.1.0.0: cannot
> > open shared object file: No such file or directory
> >
> > I compiled with:
> >
> > "./configure" \
> > "--prefix=/usr/apache-2.4.9" \
> > "--with-included-apr" \
> > "--with-pcre=/usr/pcre-8.32" \
> > "--with-ssl=/usr/openssl-1.0.1g" \
> >
> > and the modules/ directory has the following partial listing:
> >
> > -rwxr-xr-x 1 root root 35192 Apr 10 20:23 mod_socache_memcache.so
> > -rwxr-xr-x 1 root root 66857 Apr 10 20:23 mod_socache_shmcb.so
> > -rwxr-xr-x 1 root root 36732 Apr 10 20:23 mod_speling.so
> > -rwxr-xr-x 1 root root 826891 Apr 10 20:23 mod_ssl.so
> > -rwxr-xr-x 1 root root 61870 Apr 10 20:23 mod_status.so
> > -rwxr-xr-x 1 root root 42570 Apr 10 20:23 mod_substitute.so
> >
> > Note that mod_ssl.so is third from the bottom. I'm assuming that
> > there is some problem with the way I compiled openssl but it doesn't
> > save a copy of the command line. Here is what I "think" I used:
> >
> > ./configure --prefix=/usr/openssl-1.0.1g shared
> >
> > which worked OK when I compiled Apache.
> >
> > I'm sure if I weren't in such an all-fired hurry I could figure this
> > out but I would ask anyone who has already done this update to help me
> > out here.
> >
> > Thanks in advance.
> >
> > John
>
> Dear John,
>
> Can you please let me know how you compiled httpd 2.4.9 with
> openssl 1.0.1g?! When I tried the same, it is showing
> make[2]: *** [util_pcre.lo] Error 1
> make[1]: *** [all-recursive] Error 1
>
> My cat /proc/version:
>
> Linux version 2.6.21.7-2.fc8xen
> (mockbuild@xenbuilder1.fedora.redhat.com) (gcc version 4.1.2 20070925
> (Red Hat 4.1.2-33)) #1 SMP Fri Feb 15 12:39:36 EST 2008
>
> Please assist.
>
>
[users@httpd] Re: mod ssl
Posted by Basil <ba...@gmail.com>.
John Iliffe <john.iliffe <at> iliffe.ca> writes:
>
> I am compiling Apache-2.4.9 from source with the new openssl 1.0.1g. So
> far everything looks good EXCEPT that Apache won't start. After making a
> number of tweaks to the configuration, I'm stuck. The error from httpd -t
> is:
>
> httpd: Syntax error on line 130 of /usr/apache-2.4.9/conf/httpd.conf:
> Cannot load modules/mod_ssl.so into server: libssl.so.1.0.0: cannot open
> shared object file: No such file or directory
>
> I compiled with:
>
> "./configure" \
> "--prefix=/usr/apache-2.4.9" \
> "--with-included-apr" \
> "--with-pcre=/usr/pcre-8.32" \
> "--with-ssl=/usr/openssl-1.0.1g" \
>
> and the modules/ directory has the following partial listing:
>
> -rwxr-xr-x 1 root root 35192 Apr 10 20:23 mod_socache_memcache.so
> -rwxr-xr-x 1 root root 66857 Apr 10 20:23 mod_socache_shmcb.so
> -rwxr-xr-x 1 root root 36732 Apr 10 20:23 mod_speling.so
> -rwxr-xr-x 1 root root 826891 Apr 10 20:23 mod_ssl.so
> -rwxr-xr-x 1 root root 61870 Apr 10 20:23 mod_status.so
> -rwxr-xr-x 1 root root 42570 Apr 10 20:23 mod_substitute.so
>
> Note that mod_ssl.so is third from the bottom. I'm assuming that there is
> some problem with the way I compiled openssl but it doesn't save a copy of
> the command line. Here is what I "think" I used:
>
> ./configure --prefix=/usr/openssl-1.0.1g shared
>
> which worked OK when I compiled Apache.
>
> I'm sure if I weren't in such an all-fired hurry I could figure this out
> but I would ask anyone who has already done this update to help me out here.
>
> Thanks in advance.
>
> John
>
Dear John,
Can you please let me know how you compiled httpd 2.4.9 with openssl 1.0.1g?!
When I tried the same, it is showing
make[2]: *** [util_pcre.lo] Error 1
make[1]: *** [all-recursive] Error 1
My cat /proc/version:
Linux version 2.6.21.7-2.fc8xen (mockbuild@xenbuilder1.fedora.redhat.com) (gcc version 4.1.2 20070925 (Red Hat 4.1.2-33)) #1 SMP Fri Feb 15 12:39:36 EST 2008
Please assist.
Re: [users@httpd] mod ssl
Posted by "Rainer M. Canavan" <ra...@sevenval.com>.
On Apr 14, 2014, at 01:34 , John Iliffe <jo...@iliffe.ca> wrote:
> The library (found in the OpenSSL installation
> directory in the /bin/ subdirectory) must be copied to the SYSTEM's library
> directory.
Don't do that. Rebuild apache with LDFLAGS=-Wl,-rpath,/path/to/new/openssl
You can check if the RPATH is set in your mod_ssl e.g. with
objdump -x mod_ssl.so | grep RPATH
rainer
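The check Rainer describes, as an added example that is not part of the thread: a small POSIX shell script that reads `objdump -p` (or `objdump -x`) output for a DSO and reports whether the custom OpenSSL library directory is recorded in it. The "Dynamic Section" sample below is constructed, as is the function naming; the real input is `objdump -p /usr/apache-2.4.9/modules/mod_ssl.so`. It looks for RUNPATH as well as RPATH because a linker running with new-style dynamic tags records the `-rpath` value as RUNPATH, so a grep for RPATH alone can miss a correctly rebuilt module.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a DSO records the custom
# OpenSSL prefix as an RPATH or RUNPATH search directory, working from the
# output of "objdump -p <file>". Sample output is constructed.

# Constructed sample of the "Dynamic Section" part of objdump -p output for a
# mod_ssl.so rebuilt with LDFLAGS=-Wl,-rpath,/usr/openssl-1.0.1g/lib
# (assumed prefix; substitute your own).
SAMPLE_OBJDUMP='Dynamic Section:
  NEEDED               libssl.so.1.0.0
  NEEDED               libcrypto.so.1.0.0
  NEEDED               libc.so.6
  RUNPATH              /usr/openssl-1.0.1g/lib
  SONAME               mod_ssl.so'

# Print "<TAG>\t<dir>" for every directory in the DSO's RPATH or RUNPATH.
# A colon-separated list is split into one line per directory.
dso_search_dirs() {
    awk '$1 == "RPATH" || $1 == "RUNPATH" {
        n = split($2, d, ":")
        for (i = 1; i <= n; i++) print $1 "\t" d[i]
    }'
}

# Return 0 if the DSO records the given directory as RPATH or RUNPATH, else 1.
dso_has_search_dir() {
    dir="$1"
    dso_search_dirs | awk -v want="$dir" '$2 == want { found = 1 }
                                          END { exit (found ? 0 : 1) }'
}

# Report which tag kind(s) are present. The loader treats them differently:
# DT_RPATH is searched before LD_LIBRARY_PATH, DT_RUNPATH after it, so a
# RUNPATH module can still be redirected by a stray LD_LIBRARY_PATH.
dso_tag_kind() {
    dso_search_dirs | awk '{ print $1 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Usage on a real module:
#   objdump -p /usr/apache-2.4.9/modules/mod_ssl.so | dso_has_search_dir /usr/openssl-1.0.1g/lib
# Usage on the constructed sample:
#   printf '%s\n' "$SAMPLE_OBJDUMP" | dso_has_search_dir /usr/openssl-1.0.1g/lib
```

The tag kind matters operationally: with RUNPATH, an `LD_LIBRARY_PATH` set in the environment (for example by an `envvars` file) wins over the directory baked into the module, so the two mechanisms can silently disagree about which `libssl` is loaded.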
Re: [users@httpd] mod ssl
Posted by Jeff Trawick <tr...@gmail.com>.
On Sun, Apr 13, 2014 at 8:01 PM, John Iliffe <jo...@iliffe.ca> wrote:
> On Sunday 13 April 2014 19:44:11 Jeff Trawick wrote:
> > On Sun, Apr 13, 2014 at 7:34 PM, John Iliffe <jo...@iliffe.ca>
> wrote:
> > > Well, after a weekend of absolute frustration I figured this one out.
> > >
> > > Because there is a paucity of documentation and given the importance
> > > of OpenSSL to the Apache community, I will give a full explanation as
> > > to what happened and why, and I hope that the Apache maintainers will
> > > be interested in putting some of this in the docs, even though some
> > > parts are really not Apache issues.
> > >
> > > Here I am assuming that you are not using the O/S supplied OpenSSL
> > > version and that you are either updating Apache or don't have OpenSSL
> > > linked dynamically.
> > >
> > > First, compile OpenSSL from source. You need to have AT LEAST the
> > > following two parameters in the configuration:
> > >
> > > --prefix=/path/to/new/OpenSSL
> > > shared <-- without this Apache will not link to OpenSSL
> > >
> > > add any other parameters required and make, make test, make install
> > >
> > > Now compile Apache as per the instructions in the INSTALL file and for
> > > OpenSSL you need:
> > >
> > > --enable-ssl
> > > --with-ssl=/path/to/new/OpenSSL <-- this gets you the correct
> > > version of OpenSSL, not the one supplied by the O/S
> > >
> > > compile and install Apache and edit the configuration file httpd.conf
> > > to make
> > > sure that the LoadModule statement for SSL is not commented out.
> > >
> > > Now run httpd -t
> > >
> > > you will probably get an error saying can't open libssl.so.x.x.x, no
> > > such file or directory. The documentation in the Apache install
> > > implies that when you use the form with-xxx=(path) that the module
> > > will be made available (ie the path to the required libraries will be
> > > stored in the DSO) but this isn't the case. The library (found in
> > > the OpenSSL installation directory in the /bin/ subdirectory) must be
> > > copied to the SYSTEM's library directory.
> >
> I completely agree Jeff. If I was a bit more of an Apache specialist I
> would have done what you suggest as it is obvious once it is pointed out!
> My immediate problem was to get our e-commerce web site back on the Inet
> and what I did resolved the problem. Maybe your suggestion would be best
> added to the docs?
>
I'll think about this some more. Docs are fine, but I don't know why it
doesn't "just work", as when you install apr to some arbitrary place and it
gets picked up by httpd automatically.
> > IMO it is best to avoid mixing stuff you built with system directories,
> > especially when part of the installation is manual and easily forgotten.
> >
> > You could edit <HTTPDINST>/bin/envvars and update LD_LIBRARY_PATH to
> > include /path/to/new/OpenSSL/lib so that httpd could find
> > libssl.so.x.x.x.
> >
> > After that you need to always use "apachectl <args>" instead of "httpd
> > <args>" so that envvars takes effect.
> >
> > (I don't know why the custom OpenSSL lib directory doesn't end up in
> > rpath. Does anyone know?)
> >
> > > In my case (Red Hat EL6) this is /usr/lib64/ but other distros
> > > may put it somewhere else. Be careful here; don't overlay any library
> > > with the same name. I give this warning because the library for
> > > OpenSSL-1.0.1g is named libssl.so.1.0.0 whereas previous releases
> > > named the library the same as the release (eg libssl.so.1.0.1e).
> > >
> > > Now run httpd -t again. You will probably get another error on
> > > libcrypto.so and have to copy in the library from the OpenSSL
> > > installation directory.
> > >
> > > Now try httpd -t and everything SHOULD work.
> > >
> > > Start Apache (apachectl -k start) and HTTPD should come up. Now do:
> > >
> > > head /path to logfiles/error_log
> > >
> > > and check that the start message shows that the correct version of
> > > OpenSSL started. It is shown on the first line of the new log, just
> > > ahead of the command line for the starting httpd.
> > >
> > > Folks, I know this is somewhat arcane and probably overkill, but I
> > > just spent two days that I really didn't have chasing things around
> > > and a slight enhancement of the installation instructions would have
> > > been very welcome.
> > >
> > > Regards, and thanks to those who replied to my two previous posts.
> > >
> > > John
> > >
> > >
--
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
Re: [users@httpd] mod ssl
Posted by John Iliffe <jo...@iliffe.ca>.
On Sunday 13 April 2014 19:44:11 Jeff Trawick wrote:
> On Sun, Apr 13, 2014 at 7:34 PM, John Iliffe <jo...@iliffe.ca> wrote:
> > Well, after a weekend of absolute frustration I figured this one out.
> >
> > Because there is a paucity of documentation and given the importance
> > of OpenSSL to the Apache community, I will give a full explanation as
> > to what happened and why, and I hope that the Apache maintainers will
> > be interested in putting some of this in the docs, even though some
> > parts are really not Apache issues.
> >
> > Here I am assuming that you are not using the O/S supplied OpenSSL
> > version and that you are either updating Apache or don't have OpenSSL
> > linked dynamically.
> >
> > First, compile OpenSSL from source. You need to have AT LEAST the
> > following two parameters in the configuration:
> >
> > --prefix=/path/to/new/OpenSSL
> > shared <-- without this Apache will not link to OpenSSL
> >
> > add any other parameters required and make, make test, make install
> >
> > Now compile Apache as per the instructions in the INSTALL file and for
> > OpenSSL you need:
> >
> > --enable-ssl
> > --with-ssl=/path/to/new/OpenSSL <-- this gets you the correct
> > version of OpenSSL, not the one supplied by the O/S
> >
> > compile and install Apache and edit the configuration file httpd.conf
> > to make
> > sure that the LoadModule statement for SSL is not commented out.
> >
> > Now run httpd -t
> >
> > you will probably get an error saying can't open libssl.so.x.x.x, no
> > such file or directory. The documentation in the Apache install
> > implies that when you use the form with-xxx=(path) that the module
> > will be made available (ie the path to the required libraries will be
> > stored in the DSO) but this isn't the case. The library (found in
> > the OpenSSL installation directory in the /bin/ subdirectory) must be
> > copied to the SYSTEM's library directory.
>
I completely agree Jeff. If I was a bit more of an Apache specialist I
would have done what you suggest as it is obvious once it is pointed out!
My immediate problem was to get our e-commerce web site back on the Inet
and what I did resolved the problem. Maybe your suggestion would be best
added to the docs?
> IMO it is best to avoid mixing stuff you built with system directories,
> especially when part of the installation is manual and easily forgotten.
>
> You could edit <HTTPDINST>/bin/envvars and update LD_LIBRARY_PATH to
> include /path/to/new/OpenSSL/lib so that httpd could find
> libssl.so.x.x.x.
>
> After that you need to always use "apachectl <args>" instead of "httpd
> <args>" so that envvars takes effect.
>
> (I don't know why the custom OpenSSL lib directory doesn't end up in
> rpath. Does anyone know?)
>
> > In my case (Red Hat EL6) this is /usr/lib64/ but other distros
> > may put it somewhere else. Be careful here; don't overlay any library
> > with the same name. I give this warning because the library for
> > OpenSSL-1.0.1g is named libssl.so.1.0.0 whereas previous releases
> > named the library the same as the release (eg libssl.so.1.0.1e).
> >
> > Now run httpd -t again. You will probably get another error on
> > libcrypto.so and have to copy in the library from the OpenSSL
> > installation directory.
> >
> > Now try httpd -t and everything SHOULD work.
> >
> > Start Apache (apachectl -k start) and HTTPD should come up. Now do:
> >
> > head /path to logfiles/error_log
> >
> > and check that the start message shows that the correct version of
> > OpenSSL started. It is shown on the first line of the new log, just
> > ahead of the command line for the starting httpd.
> >
> > Folks, I know this is somewhat arcane and probably overkill, but I
> > just spent two days that I really didn't have chasing things around
> > and a slight enhancement of the installation instructions would have
> > been very welcome.
> >
> > Regards, and thanks to those who replied to my two previous posts.
> >
> > John
> >
> >
Re: [users@httpd] mod ssl
Posted by Jeff Trawick <tr...@gmail.com>.
On Sun, Apr 13, 2014 at 7:34 PM, John Iliffe <jo...@iliffe.ca> wrote:
> Well, after a weekend of absolute frustration I figured this one out.
>
> Because there is a paucity of documentation and given the importance of
> OpenSSL to the Apache community, I will give a full explanation as to what
> happened and why, and I hope that the Apache maintainers will be interested
> in putting some of this in the docs, even though some parts are really not
> Apache issues.
>
> Here I am assuming that you are not using the O/S supplied OpenSSL version
> and that you are either updating Apache or don't have OpenSSL linked
> dynamically.
>
> First, compile OpenSSL from source. You need to have AT LEAST the
> following two parameters in the configuration:
>
> --prefix=/path/to/new/OpenSSL
> shared <-- without this Apache will not link to OpenSSL
>
> add any other parameters required and make, make test, make install
>
> Now compile Apache as per the instructions in the INSTALL file and for
> OpenSSL you need:
>
> --enable-ssl
> --with-ssl=/path/to/new/OpenSSL <-- this gets you the correct version of
> OpenSSL, not the one supplied by the O/S
>
> compile and install Apache and edit the configuration file httpd.conf to
> make
> sure that the LoadModule statement for SSL is not commented out.
>
> Now run httpd -t
>
> you will probably get an error saying can't open libssl.so.x.x.x, no such
> file or directory. The documentation in the Apache install implies that
> when you use the form with-xxx=(path) that the module will be made
> available (ie the path to the required libraries will be stored in the DSO)
> but this isn't the case. The library (found in the OpenSSL installation
> directory in the /bin/ subdirectory) must be copied to the SYSTEM's library
> directory.
IMO it is best to avoid mixing stuff you built with system directories,
especially when part of the installation is manual and easily forgotten.
You could edit <HTTPDINST>/bin/envvars and update LD_LIBRARY_PATH to
include /path/to/new/OpenSSL/lib so that httpd could find libssl.so.x.x.x.
After that you need to always use "apachectl <args>" instead of "httpd
<args>" so that envvars takes effect.
(I don't know why the custom OpenSSL lib directory doesn't end up in rpath.
Does anyone know?)
> In my case (Red Hat EL6) this is /usr/lib64/ but other distros
> may put it somewhere else. Be careful here; don't overlay any library with
> the same name. I give this warning because the library for OpenSSL-1.0.1g
> is named libssl.so.1.0.0 whereas previous releases named the library the
> same as the release (eg libssl.so.1.0.1e).
>
> Now run httpd -t again. You will probably get another error on
> libcrypto.so and have to copy in the library from the OpenSSL installation
> directory.
>
> Now try httpd -t and everything SHOULD work.
>
> Start Apache (apachectl -k start) and HTTPD should come up. Now do:
>
> head /path to logfiles/error_log
>
> and check that the start message shows that the correct version of OpenSSL
> started. It is shown on the first line of the new log, just ahead of the
> command line for the starting httpd.
>
> Folks, I know this is somewhat arcane and probably overkill, but I just
> spent two days that I really didn't have chasing things around and a slight
> enhancement of the installation instructions would have been very welcome.
>
> Regards, and thanks to those who replied to my two previous posts.
>
> John
>
>
--
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
Re: [users@httpd] mod ssl
Posted by John Iliffe <jo...@iliffe.ca>.
On Sunday 13 April 2014 21:32:12 Nick Kew wrote:
> On 14 Apr 2014, at 00:34, John Iliffe wrote:
> > Here I am assuming that you are not using the O/S supplied OpenSSL
> > version and that you are either updating Apache or don't have OpenSSL
> > linked dynamically.
>
Nick:
I'm not trying to be a pain in the ass here, I really do like Apache and it
works well. I wasn't using the OpenSSL supplied by Red Hat as the
maintenance contract for it has expired, so basically, I'm on my own. I
think you might find that many small companies like ours are in the same
position. Someone suggested exactly what you do here but it didn't work,
and not knowing whether OpenSSL was dynamically linked (it is) when the
update didn't work I made the wrong assumption. (not dynamically linked,
which was wrong). My only defence is that I'm not a web specialist, or
even very knowledgeable about it.
> Aren't those assumptions alone sufficiently unusual (even idiosyncratic)
> to take you beyond the scope of what Apache docs might reasonably be
> expected to cover?
>
> For the regular user, you would just replace your vulnerable openssl
> version in-situ. If it was O/S-supplied then use the relevant package
> manager; if it's your own build then upgrade that. Either way, apache
> is unaffected unless you did rather more than just replace a bleeding
> heart OpenSSL version with a newly-patched one.
>
> Probably the most useful advice in your post, for those who might have
> vulnerable OpenSSL versions floating around, is how to check:
> > Start Apache (apachectl -k start) and HTTPD should come up. Now do:
> >
> > head /path to logfiles/error_log
> >
> > and check that the start message shows that the correct version of
> > OpenSSL started. It is shown on the first line of the new log, just
> > ahead of the command line for the starting httpd.
>
Good question. I would suggest in the SSL/TLS How-to at the end of the
Basic Configuration Example section. Something to the effect that on first
start up one should check that the version of OpenSSL that starts is the
correct one. That also takes care of the situation where there is an error
in the Apache configuration to make that is not caught.
> I guess a note to that effect in our docs could indeed benefit the
> worried. Where do you think would be a good place for such a note?
Re: [users@httpd] mod ssl
Posted by Nick Kew <ni...@webthing.com>.
On 14 Apr 2014, at 00:34, John Iliffe wrote:
> Here I am assuming that you are not using the O/S supplied OpenSSL version
> and that you are either updating Apache or don't have OpenSSL linked
> dynamically.
Aren't those assumptions alone sufficiently unusual (even idiosyncratic)
to take you beyond the scope of what Apache docs might reasonably be
expected to cover?
For the regular user, you would just replace your vulnerable openssl
version in-situ. If it was O/S-supplied then use the relevant package
manager; if it's your own build then upgrade that. Either way, apache
is unaffected unless you did rather more than just replace a bleeding
heart OpenSSL version with a newly-patched one.
Probably the most useful advice in your post, for those who might have
vulnerable OpenSSL versions floating around, is how to check:
> Start Apache (apachectl -k start) and HTTPD should come up. Now do:
>
> head /path to logfiles/error_log
>
> and check that the start message shows that the correct version of OpenSSL
> started. It is shown on the first line of the new log, just ahead of the
> command line for the starting httpd.
I guess a note to that effect in our docs could indeed benefit the worried.
Where do you think would be a good place for such a note?
--
Nick Kew
Re: [users@httpd] mod ssl
Posted by John Iliffe <jo...@iliffe.ca>.
Well, after a weekend of absolute frustration I figured this one out.
Because there is a paucity of documentation and given the importance of
OpenSSL to the Apache community, I will give a full explanation as to what
happened and why, and I hope that the Apache maintainers will be interested
in putting some of this in the docs, even though some parts are really not
Apache issues.
Here I am assuming that you are not using the O/S supplied OpenSSL version
and that you are either updating Apache or don't have OpenSSL linked
dynamically.
First, compile OpenSSL from source. You need to have AT LEAST the
following two parameters in the configuration:
--prefix=/path/to/new/OpenSSL
shared <-- without this Apache will not link to OpenSSL
add any other parameters required and make, make test, make install
Now compile Apache as per the instructions in the INSTALL file and for
OpenSSL you need:
--enable-ssl
--with-ssl=/path/to/new/OpenSSL <-- this gets you the correct version of
OpenSSL, not the one supplied by the O/S
compile and install Apache and edit the configuration file httpd.conf to make
sure that the LoadModule statement for SSL is not commented out.
Now run httpd -t
you will probably get an error saying can't open libssl.so.x.x.x, no such
file or directory. The documentation in the Apache install implies that
when you use the form with-xxx=(path) that the module will be made
available (ie the path to the required libraries will be stored in the DSO)
but this isn't the case. The library (found in the OpenSSL installation
directory in the /bin/ subdirectory) must be copied to the SYSTEM's library
directory. In my case (Red Hat EL6) this is /usr/lib64/ but other distros
may put it somewhere else. Be careful here; don't overlay any library with
the same name. I give this warning because the library for OpenSSL-1.0.1g
is named libssl.so.1.0.0 whereas previous releases named the library the
same as the release (eg libssl.so.1.0.1e).
Now run httpd -t again. You will probably get another error on
libcrypto.so and have to copy in the library from the OpenSSL installation
directory.
Now try httpd -t and everything SHOULD work.
Start Apache (apachectl -k start) and HTTPD should come up. Now do:
head /path to logfiles/error_log
and check that the start message shows that the correct version of OpenSSL
started. It is shown on the first line of the new log, just ahead of the
command line for the starting httpd.
Folks, I know this is somewhat arcane and probably overkill, but I just
spent two days that I really didn't have chasing things around and a slight
enhancement of the installation instructions would have been very welcome.
Regards, and thanks to those who replied to my two previous posts.
John
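The log check John and Nick settle on, as an added example that is not from the thread: a POSIX shell script that reads the first lines of `error_log` and extracts the OpenSSL version from the AH00163 start-up notice, then compares it with the version you expect. Both log excerpts below are constructed (the AH00163/AH00094 message shapes are Apache 2.4's; the timestamps, pids and paths are made up), and the function names are this example's own. The real input is `head /path/to/logs/error_log`.

```shell
#!/bin/sh
# Added example (not from the thread): confirm from error_log which OpenSSL
# version httpd reported at start-up. Log excerpts are constructed.

# Constructed: first lines of error_log after a start that used the new build.
LOG_NEW="[Sun Apr 13 19:02:11.123456 2014] [mpm_prefork:notice] [pid 4242] AH00163: Apache/2.4.9 (Unix) OpenSSL/1.0.1g configured -- resuming normal operations
[Sun Apr 13 19:02:11.123789 2014] [core:notice] [pid 4242] AH00094: Command line: '/usr/apache-2.4.9/bin/httpd'"

# Constructed: the same machine still running against the distribution's
# library (the "OpenSSL/1.0.0-FIPS" string is the form John reports seeing).
LOG_OLD="[Sun Apr 13 18:40:02.000000 2014] [mpm_prefork:notice] [pid 4100] AH00163: Apache/2.4.3 (Unix) OpenSSL/1.0.0-FIPS configured -- resuming normal operations
[Sun Apr 13 18:40:02.000100 2014] [core:notice] [pid 4100] AH00094: Command line: '/usr/apache-2.4.3/bin/httpd'"

# Print the OpenSSL version from the most recent AH00163 line on stdin.
# httpd writes a fresh AH00163 on every start, so the last match is the
# one for the currently running instance.
logged_openssl_version() {
    sed -n 's|.*AH00163:.* OpenSSL/\([^ ]*\) configured.*|\1|p' | tail -n 1
}

# Print the httpd binary from the most recent AH00094 "Command line" notice,
# which tells you which installation tree actually started.
logged_httpd_command() {
    sed -n "s|.*AH00094: Command line: '\([^']*\)'.*|\1|p" | tail -n 1
}

# Return 0 when the logged version equals the expected one, 1 otherwise
# (including when no AH00163 line is present at all).
openssl_version_matches() {
    got=$(logged_openssl_version)
    [ -n "$got" ] && [ "$got" = "$1" ]
}

# Usage on a real log (path assumed):
#   head -n 20 /usr/apache-2.4.9/logs/error_log | openssl_version_matches 1.0.1g
# Usage on the constructed sample:
#   printf '%s\n' "$LOG_NEW" | openssl_version_matches 1.0.1g
```

Checking the AH00094 line alongside the version catches the other failure Nick alludes to: an old `httpd` from a previous prefix being started by a stale init script while the new tree sits unused.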
Re: [users@httpd] mod ssl
Posted by John Iliffe <jo...@iliffe.ca>.
Thanks Didier.
I ran ldd and openssl/libssl doesn't show up in either the version of
Apache that is running (2.4.3) or the new version 2.4.9. I checked the
error log for the last restart as suggested by Katherine Manfre on this
list and the running version reports: OpenSSL/1.0.0-FIPS.
The ldd for the same version is:
ldd /usr/apache-2.4.3/bin/httpd
linux-vdso.so.1 => (0x00007fff23a00000)
libpcre.so.1 => /usr/pcre-8.32/lib/libpcre.so.1 (0x00007fc2320a0000)
libaprutil-1.so.0 => /usr/apache-2.4.3/lib/libaprutil-1.so.0 (0x00007fc231e78000)
libexpat.so.0 => /usr/apache-2.4.3/lib/libexpat.so.0 (0x00007fc231c50000)
libapr-1.so.0 => /usr/apache-2.4.3/lib/libapr-1.so.0 (0x00007fc231a20000)
librt.so.1 => /lib64/librt.so.1 (0x00000037c9600000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00000037d7a00000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00000037c8a00000)
libc.so.6 => /lib64/libc.so.6 (0x00000037c8200000)
/lib64/ld-linux-x86-64.so.2 (0x00000037c7e00000)
libfreebl3.so => /lib64/libfreebl3.so (0x00000037d8c00000)
libdl.so.2 => /lib64/libdl.so.2 (0x00000037c8e00000)
and the ldd for the new version 2.4.9 (that can't start) is about the same:
linux-vdso.so.1 => (0x00007fff92ac8000)
libpcre.so.1 => /usr/pcre-8.32/lib/libpcre.so.1 (0x00007ffd4be70000)
libaprutil-1.so.0 => /usr/apache-2.4.9/lib/libaprutil-1.so.0 (0x00007ffd4bc48000)
libexpat.so.0 => /usr/apache-2.4.9/lib/libexpat.so.0 (0x00007ffd4ba20000)
libapr-1.so.0 => /usr/apache-2.4.9/lib/libapr-1.so.0 (0x00007ffd4b7e8000)
librt.so.1 => /lib64/librt.so.1 (0x00000037c9600000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00000037d7a00000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00000037c8a00000)
libc.so.6 => /lib64/libc.so.6 (0x00000037c8200000)
/lib64/ld-linux-x86-64.so.2 (0x00000037c7e00000)
libfreebl3.so => /lib64/libfreebl3.so (0x00000037d8c00000)
libdl.so.2 => /lib64/libdl.so.2 (0x00000037c8e00000)
I looked at your config file for make and obviously I left out quite a bit
from last time. I used the previous config.nice file as input and obviously
it doesn't show everything that was used in the previous compile.
I'll recompile again and see if it runs. Maybe I was just too sleepy last
night!
Thanks again.
John
On Saturday 12 April 2014 01:49:09 Didier Spaier wrote:
> On 12/04/2014 03:40, John Iliffe wrote:
> > I am compiling Apache-2.4.9 from source with the new openssl 1.0.1g.
> > So far everything looks good EXCEPT that Apache won't start. After
> > making a number of tweaks to the configuration, I'm stuck. The error
> > from httpd -t is:
> >
> > httpd: Syntax error on line 130 of /usr/apache-2.4.9/conf/httpd.conf:
> > Cannot load modules/mod_ssl.so into server: libssl.so.1.0.0: cannot
> > open shared object file: No such file or directory
> >
> > I compiled with:
> >
> > "./configure" \
> > "--prefix=/usr/apache-2.4.9" \
> > "--with-included-apr" \
> > "--with-pcre=/usr/pcre-8.32" \
> > "--with-ssl=/usr/openssl-1.0.1g" \
> >
> > and the modules/ directory has the following partial listing:
> >
> > -rwxr-xr-x 1 root root 35192 Apr 10 20:23 mod_socache_memcache.so
> > -rwxr-xr-x 1 root root 66857 Apr 10 20:23 mod_socache_shmcb.so
> > -rwxr-xr-x 1 root root 36732 Apr 10 20:23 mod_speling.so
> > -rwxr-xr-x 1 root root 826891 Apr 10 20:23 mod_ssl.so
> > -rwxr-xr-x 1 root root 61870 Apr 10 20:23 mod_status.so
> > -rwxr-xr-x 1 root root 42570 Apr 10 20:23 mod_substitute.so
> >
> > Note that mod_ssl.so is third from the bottom. I'm assuming that
> > there is some problem with the way I compiled openssl but it doesn't
> > save a copy of the command line. Here is what I "think" I used:
> >
> > ./configure --prefix=/usr/openssl-1.0.1g share
> >
> > which worked OK when I compiled Apache.
> >
> > I'm sure if I weren't in such an all-fired hurry I could figure this
> > out but I would ask anyone who has already done this update to help
> > me out here.
> >
> > Thanks in advance.
> >
> > John
>
> Well, if you installed openssl-1.0.1g and have openssl dynamically linked
> by httpd, I don't see the need to re-compile httpd; rebooting should be
> enough, I think (someone correct me if I'm wrong).
>
> Here (Slackware-14.0, openssl upgraded to openssl-1.0.1g but httpd not
> recompiled since):
>
> bash-4.2$ ldd /usr/sbin/httpd
> linux-gate.so.1 (0xffffe000)
> libpcre.so.0 => /usr/lib/libpcre.so.0 (0xb75fb000)
> libaprutil-1.so.0 => /usr/lib/libaprutil-1.so.0 (0xb75d2000)
> libexpat.so.1 => /usr/lib/libexpat.so.1 (0xb75aa000)
> libsqlite3.so.0 => /usr/lib/libsqlite3.so.0 (0xb74fb000)
> libdb-4.4.so => /lib/libdb-4.4.so (0xb73dd000)
> libldap-2.4.so.2 => /usr/lib/libldap-2.4.so.2 (0xb7393000)
> libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7379000)
> libssl.so.1 => /lib/libssl.so.1 (0xb7316000)
> libcrypto.so.1 => /lib/libcrypto.so.1 (0xb715f000)
> liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0xb7150000)
> libresolv.so.2 => /lib/libresolv.so.2 (0xb7137000)
> libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0xb7104000)
> libuuid.so.1 => /lib/libuuid.so.1 (0xb7100000)
> librt.so.1 => /lib/librt.so.1 (0xb70f7000)
> libcrypt.so.1 => /lib/libcrypt.so.1 (0xb70c4000)
> libpthread.so.0 => /lib/libpthread.so.0 (0xb70aa000)
> libdl.so.2 => /lib/libdl.so.2 (0xb70a4000)
> libc.so.6 => /lib/libc.so.6 (0xb6f1f000)
> /lib/ld-linux.so.2 (0xb76ef000)
> bash-4.2$ openssl version
> OpenSSL 1.0.1g 7 Apr 2014
> bash-4.2$
>
> I just upgraded openssl.
>
> But this message
>
> > Cannot load modules/mod_ssl.so into server: libssl.so.1.0.0: cannot
> > open shared object file: No such file or directory
>
> doesn't say that there was a problem in compiling httpd, only that you
> are missing the shared library libssl.so.1.0.0.
>
> Did you check that it is where expected?
>
> FYI, the configure command in Slackware 14.0 is:
> ./configure \
> --enable-layout=Slackware-FHS \
> --with-apr=/usr \
> --with-apr-util=/usr \
> --enable-mods-shared=all \
> --enable-so \
> --enable-mpms-shared=all \
> --enable-pie \
> --enable-cgi \
> --with-pcre \
> --enable-ssl \
> --enable-rewrite \
> --enable-vhost-alias \
> --enable-proxy \
> --enable-proxy-http \
> --enable-proxy-ftp \
> --enable-cache \
> --enable-mem-cache \
> --enable-file-cache \
> --enable-disk-cache \
> --enable-dav \
> --enable-ldap \
> --enable-authnz-ldap \
> --enable-authn-anon \
> --enable-authn-alias \
> --build=$ARCH-slackware-linux || exit 1
>
> HTH,
>
> Didier
>
> PS I don't see the need for this:
> > ./configure --prefix=/usr/openssl-1.0.1g share
>
> I'd just keep *only* the good version of openssl.
>
> In any case, ldd /path/to/httpd should confirm to you that there is a
> problem linking to openssl (maybe it's not in /usr/openssl-1.0.1g/lib?)
Re: [users@httpd] mod ssl
Posted by Didier Spaier <di...@epsm.fr>.
On 12/04/2014 03:40, John Iliffe wrote:
> I am compiling Apache-2.4.9 from source with the new openssl 1.0.1g. So
> far everything looks good EXCEPT that Apache won't start. After making a
> number of tweaks to the configuration, I'm stuck. The error from httpd -t
> is:
>
> httpd: Syntax error on line 130 of /usr/apache-2.4.9/conf/httpd.conf:
> Cannot load modules/mod_ssl.so into server: libssl.so.1.0.0: cannot open
> shared object file: No such file or directory
>
> I compiled with:
>
> "./configure" \
> "--prefix=/usr/apache-2.4.9" \
> "--with-included-apr" \
> "--with-pcre=/usr/pcre-8.32" \
> "--with-ssl=/usr/openssl-1.0.1g" \
>
> and the modules/ directory has the following partial listing:
>
> -rwxr-xr-x 1 root root 35192 Apr 10 20:23 mod_socache_memcache.so
> -rwxr-xr-x 1 root root 66857 Apr 10 20:23 mod_socache_shmcb.so
> -rwxr-xr-x 1 root root 36732 Apr 10 20:23 mod_speling.so
> -rwxr-xr-x 1 root root 826891 Apr 10 20:23 mod_ssl.so
> -rwxr-xr-x 1 root root 61870 Apr 10 20:23 mod_status.so
> -rwxr-xr-x 1 root root 42570 Apr 10 20:23 mod_substitute.so
>
> Note that mod_ssl.so is third from the bottom. I'm assuming that there is
> some problem with the way I compiled openssl but it doesn't save a copy of
> the command line. Here is what I "think" I used:
>
> ./configure --prefix=/usr/openssl-1.0.1g share
>
> which worked OK when I compiled Apache.
>
> I'm sure if I weren't in such an all-fired hurry I could figure this out but
> I would ask anyone who has already done this update to help me out here.
>
> Thanks in advance.
>
> John
Well, if you installed openssl-1.0.1g and have openssl dynamically linked by httpd, I don't see the need to re-compile httpd; rebooting should be enough, I think (someone correct me if I'm wrong).
Here (Slackware-14.0, openssl upgraded to openssl-1.0.1g but httpd not recompiled since):
bash-4.2$ ldd /usr/sbin/httpd
linux-gate.so.1 (0xffffe000)
libpcre.so.0 => /usr/lib/libpcre.so.0 (0xb75fb000)
libaprutil-1.so.0 => /usr/lib/libaprutil-1.so.0 (0xb75d2000)
libexpat.so.1 => /usr/lib/libexpat.so.1 (0xb75aa000)
libsqlite3.so.0 => /usr/lib/libsqlite3.so.0 (0xb74fb000)
libdb-4.4.so => /lib/libdb-4.4.so (0xb73dd000)
libldap-2.4.so.2 => /usr/lib/libldap-2.4.so.2 (0xb7393000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7379000)
libssl.so.1 => /lib/libssl.so.1 (0xb7316000)
libcrypto.so.1 => /lib/libcrypto.so.1 (0xb715f000)
liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0xb7150000)
libresolv.so.2 => /lib/libresolv.so.2 (0xb7137000)
libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0xb7104000)
libuuid.so.1 => /lib/libuuid.so.1 (0xb7100000)
librt.so.1 => /lib/librt.so.1 (0xb70f7000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0xb70c4000)
libpthread.so.0 => /lib/libpthread.so.0 (0xb70aa000)
libdl.so.2 => /lib/libdl.so.2 (0xb70a4000)
libc.so.6 => /lib/libc.so.6 (0xb6f1f000)
/lib/ld-linux.so.2 (0xb76ef000)
bash-4.2$ openssl version
OpenSSL 1.0.1g 7 Apr 2014
bash-4.2$
I just upgraded openssl.
But this message
> Cannot load modules/mod_ssl.so into server: libssl.so.1.0.0: cannot open
> shared object file: No such file or directory
doesn't say that there was a problem in compiling httpd, only that you are missing the shared library libssl.so.1.0.0.
Did you check that it is where expected?
FYI, the configure command in Slackware 14.0 is:
./configure \
--enable-layout=Slackware-FHS \
--with-apr=/usr \
--with-apr-util=/usr \
--enable-mods-shared=all \
--enable-so \
--enable-mpms-shared=all \
--enable-pie \
--enable-cgi \
--with-pcre \
--enable-ssl \
--enable-rewrite \
--enable-vhost-alias \
--enable-proxy \
--enable-proxy-http \
--enable-proxy-ftp \
--enable-cache \
--enable-mem-cache \
--enable-file-cache \
--enable-disk-cache \
--enable-dav \
--enable-ldap \
--enable-authnz-ldap \
--enable-authn-anon \
--enable-authn-alias \
--build=$ARCH-slackware-linux || exit 1
HTH,
Didier
PS I don't see the need for this:
> ./configure --prefix=/usr/openssl-1.0.1g share
I'd just keep *only* the good version of openssl.
In any case, ldd /path/to/httpd should confirm to you that there is a problem linking to openssl (maybe it's not in /usr/openssl-1.0.1g/lib?)
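An added example (not from the thread, and not Apache's or OpenSSL's own tooling) of the check Didier describes: it parses ldd output for sonames the runtime linker cannot find and tests whether each one exists under the prefix given to --with-ssl. The prefix /usr/openssl-1.0.1g is assumed and the ldd output is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the thread. The loader error names a soname
# (libssl.so.1.0.0) that ld.so cannot find, so the two checks are: which
# sonames ldd reports as "not found", and whether that file exists under
# the OpenSSL prefix passed to --with-ssl.

# Read ldd-style output on stdin and print each soname reported as "not found".
missing_from_ldd() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Run ldd on a module (e.g. modules/mod_ssl.so) and print its unresolved sonames.
unresolved_libs() {
    ldd "$1" 2>/dev/null | missing_from_ldd
}

# Look for a soname in the lib directories of an install prefix.
# Prints the first match and returns 0; returns 1 if it is not there at all.
find_in_prefix() {
    _soname=$1
    _prefix=$2
    for _dir in "$_prefix/lib" "$_prefix/lib64"; do
        if [ -f "$_dir/$_soname" ]; then
            printf '%s\n' "$_dir/$_soname"
            return 0
        fi
    done
    return 1
}

# Constructed sample of ldd output for a mod_ssl.so built against a private
# OpenSSL prefix whose lib directory the runtime linker does not search.
SAMPLE_LDD='	linux-vdso.so.1 (0x00007fff3a1fe000)
	libssl.so.1.0.0 => not found
	libcrypto.so.1.0.0 => not found
	libc.so.6 => /lib64/libc.so.6 (0x00007f1f4d200000)'

# If the soname is present under the prefix, the library exists but is not on
# the loader's search path: add the prefix's lib directory to /etc/ld.so.conf.d/
# and run ldconfig, or rebuild httpd with LDFLAGS="-Wl,-rpath,<prefix>/lib".
SSL_PREFIX=${SSL_PREFIX:-/usr/openssl-1.0.1g}   # assumed; matches --with-ssl above
printf '%s\n' "$SAMPLE_LDD" | missing_from_ldd | while read -r so; do
    if path=$(find_in_prefix "$so" "$SSL_PREFIX"); then
        echo "$so: present at $path but not on the loader search path"
    else
        echo "$so: not found under $SSL_PREFIX (no shared OpenSSL there)"
    fi
done
```

Run unresolved_libs against the real modules/mod_ssl.so to get the list for the actual build instead of the sample.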