On Sunday 13 April 2014 19:44:11 Jeff Trawick wrote:
> On Sun, Apr 13, 2014 at 7:34 PM, John Iliffe <john.iliffe@xxxxxxxxx> wrote:
> > Well, after a weekend of absolute frustration I figured this one out.
> >
> > Because there is a paucity of documentation and given the importance
> > of OpenSSL to the Apache community, I will give a full explanation as
> > to what happened and why, and I hope that the Apache maintainers will
> > be interested in putting some of this in the docs, even though some
> > parts are really not Apache issues.
> >
> > Here I am assuming that you are not using the O/S supplied OpenSSL
> > version and that you are either updating Apache or don't have OpenSSL
> > linked dynamically.
> >
> > First, compile OpenSSL from source. You need to have AT LEAST the
> > following two parameters in the configuration:
> >
> > --prefix=/path/to/new/OpenSSL
> > shared   <-- without this Apache will not link to OpenSSL
> >
> > add any other parameters required and make, make test, make install
> >
> > Now compile Apache as per the instructions in the INSTALL file and for
> > OpenSSL you need:
> >
> > --enable-ssl
> > --with-ssl=/path/to/new/OpenSSL   <-- this gets you the correct version of
> >                                       OpenSSL, not the one supplied by the O/S
> >
> > compile and install Apache and edit the configuration file httpd.conf
> > to make sure that the LoadModule statement for SSL is not commented out.
> >
> > Now run httpd -t
> >
> > you will probably get an error saying can't open libssl.so.x.x.x, no
> > such file or directory. The documentation in the Apache install
> > implies that when you use the form with-xxx=(path) that the module
> > will be made available (ie the path to the required libraries will be
> > stored in the DSO) but this isn't the case. The library (found in
> > the OpenSSL installation directory in the /bin/ subdirectory) must be
> > copied to the SYSTEM's library directory.
>

I completely agree Jeff. If I was a bit more of an Apache specialist I would have done what you suggest as it is obvious once it is pointed out! My immediate problem was to get our e-commerce web site back on the Inet and what I did resolved the problem. Maybe your suggestion would be best added to the docs?

> IMO it is best to avoid mixing stuff you built with system directories,
> especially when part of the installation is manual and easily forgotten.
>
> You could edit <HTTPDINST>/bin/envvars and update LD_LIBRARY_PATH to
> include /path/to/new/OpenSSL/lib so that httpd could find
> libssl.so.x.x.x.
>
> After that you need to always use "apachectl <args>" instead of "httpd
> <args>" so that envvars takes effect.
>
> (I don't know why the custom OpenSSL lib directory doesn't end up in
> rpath. Does anyone know?)
>
> > In my case (Red Hat EL6) this is /usr/lib64/ but other distros
> > may put it somewhere else. Be careful here; don't overlay any library
> > with the same name. I give this warning because the library for
> > OpenSSL-1.0.1g is named libssl.so.1.0.0 whereas previous releases
> > named the library the same as the release (eg libssl.so.1.0.1e).
> >
> > Now run httpd -t again. You will probably get another error on
> > libcrypto.so and have to copy in the library from the OpenSSL
> > installation directory.
> >
> > Now try httpd -t and everything SHOULD work.
> >
> > Start Apache (apachectl -k start) and HTTPD should come up. Now do:
> >
> > head /path to logfiles/error_log
> >
> > and check that the start message shows that the correct version of
> > OpenSSL started. It is shown on the first line of the new log, just
> > ahead of the command line for the starting httpd.
> >
> > Folks, I know this is somewhat arcane and probably overkill, but I
> > just spent two days that I really didn't have chasing things around
> > and a slight enhancement of the installation instructions would have
> > been very welcome.
> >
> > Regards, and thanks to those who replied to my two previous posts.
> >
> > John
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
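Added example, not part of the original messages: a small check that reads `ldd` output for mod_ssl and reports whether libssl and libcrypto resolve under the custom OpenSSL prefix, to the system copy, or not at all, which complements reading the version from error_log. The function names, the prefix /opt/openssl-new and the sample `ldd` lines are constructed for illustration.

```shell
#!/bin/sh
# Real use, from the same environment httpd starts with (ldd honours
# LD_LIBRARY_PATH, so source envvars first if you rely on it):
#   ldd /path/to/mod_ssl.so | verify_ldd /path/to/new/OpenSSL

# classify_ldd PREFIX: read ldd output on stdin; print one line per
# libssl/libcrypto entry: "OK|SYSTEM|MISSING <soname> <resolved path or ->".
classify_ldd() {
    # Trailing "/" on the prefix stops /opt/openssl-new matching /opt/openssl-new-old.
    awk -v prefix="${1%/}/" '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            if ($3 == "not")                 print "MISSING", $1, "-"
            else if (index($3, prefix) == 1) print "OK", $1, $3
            else                             print "SYSTEM", $1, $3
        }'
}

# verify_ldd PREFIX: print the report; succeed only when BOTH libraries are
# present and every entry resolves under PREFIX (no mixed system/custom load).
verify_ldd() {
    report=$(classify_ldd "$1")
    printf '%s\n' "$report"
    printf '%s\n' "$report" | awk '
        $1 != "OK"        { bad = 1 }
        $2 ~ /^libssl/    { ssl = 1 }
        $2 ~ /^libcrypto/ { crypto = 1 }
        END { exit (bad || !ssl || !crypto) }'
}

# Constructed ldd output (not captured from a real host).
SAMPLE_BROKEN='    libssl.so.1.0.0 => not found
    libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f0000000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000200000)'
SAMPLE_FIXED='    libssl.so.1.0.0 => /opt/openssl-new/lib/libssl.so.1.0.0 (0x00007f0000000000)
    libcrypto.so.1.0.0 => /opt/openssl-new/lib/libcrypto.so.1.0.0 (0x00007f0000400000)'

for sample in "$SAMPLE_BROKEN" "$SAMPLE_FIXED"; do
    printf '%s\n' "$sample" | verify_ldd /opt/openssl-new \
        && echo "-> custom OpenSSL only" || echo "-> not (only) the custom build"
done
```

A SYSTEM or MISSING line means the running server would not be using the OpenSSL build you compiled, whatever was passed to --with-ssl.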