Hello,
I'm running bind 9.18.28 on OpenSuSE Leap 15.6. I also run 'certbot'
with some home-brewed scripts for DNS validation.
Something happened between January 6th and yesterday that caused
'certbot' renewals to fail with OpenSSL errors:
tls.c:90:tls_initialize(): fatal error:
RUNTIME_CHECK(OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN |
OPENSSL_INIT_LOAD_CONFIG, NULL) == 1) failed
Aborted (core dumped)
Digging deeper I found out that 'certbot' defines several environment
variables when it runs external scripts ('hooks') and among those is also:
export OPENSSL_FORCE_FIPS_MODE="0"
And when this variable is defined (regardless of its value), named-related
commands, such as rndc, named-checkzone and named-checkconf, fail
with that error.
# named-checkconf
tls.c:90:tls_initialize(): fatal error:
RUNTIME_CHECK(OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN |
OPENSSL_INIT_LOAD_CONFIG, NULL) == 1) failed
Aborted (core dumped)
# named-checkzone
tls.c:90:tls_initialize(): fatal error:
RUNTIME_CHECK(OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN |
OPENSSL_INIT_LOAD_CONFIG, NULL) == 1) failed
Aborted (core dumped)
# rndc
tls.c:90:tls_initialize(): fatal error:
RUNTIME_CHECK(OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN |
OPENSSL_INIT_LOAD_CONFIG, NULL) == 1) failed
Aborted (core dumped)
So my workaround is to 'unset' this variable in my script.
I guess the issue was caused by one of the OpenSuSE package updates
(glibc, maybe?) and has probably nothing to do with Bind itself, but I
thought someone else might run into it.
Danilo
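
The workaround described in the post, as an added example that is not part of the original message: a small POSIX sh helper for a certbot hook that drops OPENSSL_FORCE_FIPS_MODE only for the BIND commands it wraps. The function names, the zone name and the file path are hypothetical.

```shell
#!/bin/sh
# Added example: helpers for a certbot hook script (function names are hypothetical).

# Report whether the variable is present in the environment at all.
# The post observes that its presence, not its value, triggers the abort,
# so test "set" (${VAR+x}) rather than "non-empty".
fips_override_present() {
    [ -n "${OPENSSL_FORCE_FIPS_MODE+x}" ]
}

# Run one external command with OPENSSL_FORCE_FIPS_MODE removed from its
# environment. The subshell keeps the unset local, so the rest of the hook
# still sees the environment certbot handed to it. The command's exit
# status is passed back to the caller unchanged.
run_without_fips_override() {
    (
        unset OPENSSL_FORCE_FIPS_MODE
        exec "$@"
    )
}

# Typical use inside the hook (zone name and file path are placeholders):
#   run_without_fips_override named-checkzone example.org /path/to/zone.db
#   run_without_fips_override rndc reload example.org
```

Because the exit status is preserved, a failed named-checkzone still stops a hook that runs under `set -e`.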