On Sun, Apr 13, 2014 at 8:01 PM, John Iliffe <john.ili...@iliffe.ca> wrote:
> On Sunday 13 April 2014 19:44:11 Jeff Trawick wrote:
> > On Sun, Apr 13, 2014 at 7:34 PM, John Iliffe <john.ili...@iliffe.ca> wrote:
> > > Well, after a weekend of absolute frustration I figured this one out.
> > >
> > > Because there is a paucity of documentation and given the importance
> > > of OpenSSL to the Apache community, I will give a full explanation as
> > > to what happened and why, and I hope that the Apache maintainers will
> > > be interested in putting some of this in the docs, even though some
> > > parts are really not Apache issues.
> > >
> > > Here I am assuming that you are not using the O/S supplied OpenSSL
> > > version and that you are either updating Apache or don't have OpenSSL
> > > linked dynamically.
> > >
> > > First, compile OpenSSL from source. You need to have AT LEAST the
> > > following two parameters in the configuration:
> > >
> > >     --prefix=/path/to/new/OpenSSL
> > >     share   <-- without this Apache will not link to OpenSSL
> > >
> > > add any other parameters required and make, make test, make install
> > >
> > > Now compile Apache as per the instructions in the INSTALL file and for
> > > OpenSSL you need:
> > >
> > >     --enable-ssl
> > >     --with-ssl=/path/to/new/OpenSSL   <-- this gets you the correct
> > >         version of OpenSSL, not the one supplied by the O/S
> > >
> > > compile and install Apache and edit the configuration file httpd.conf
> > > to make sure that the LoadModule statement for SSL is not commented out.
> > >
> > > Now run httpd -t
> > >
> > > you will probably get an error saying can't open libssl.so.x.x.x, no
> > > such file or directory. The documentation in the Apache install
> > > implies that when you use the form with-xxx=(path) that the module
> > > will be made available (ie the path to the required libraries will be
> > > stored in the DSO) but this isn't the case. The library (found in
> > > the OpenSSL installation directory in the /bin/ subdirectory) must be
> > > copied to the SYSTEM's library directory.
> >
> I completely agree Jeff. If I was a bit more of an Apache specialist I
> would have done what you suggest as it is obvious once it is pointed out!
> My immediate problem was to get our e-commerce web site back on the Inet
> and what I did resolved the problem. Maybe your suggestion would be best
> added to the docs?
>

I'll think about this some more. Docs are fine, but I don't know why it
doesn't "just work", as when you install apr to some arbitrary place and it
gets picked up by httpd automatically.

> > IMO it is best to avoid mixing stuff you built with system directories,
> > especially when part of the installation is manual and easily forgotten.
> >
> > You could edit <HTTPDINST>/bin/envvars and update LD_LIBRARY_PATH to
> > include /path/to/new/OpenSSL/lib so that httpd could find
> > libssl.so.x.x.x.
> >
> > After that you need to always use "apachectl <args>" instead of "httpd
> > <args>" so that envvars takes effect.
> >
> > (I don't know why the custom OpenSSL lib directory doesn't end up in
> > rpath. Does anyone know?)
> >
> > > In my case (Red Hat EL6) this is /usr/lib64/ but other distros
> > > may put it somewhere else. Be careful here; don't overlay any library
> > > with the same name. I give this warning because the library for
> > > OpenSSL-1.0.1g is named libssl.so.1.0.0 whereas previous releases
> > > named the library the same as the release (eg libssl.so.1.0.1e).
> > >
> > > Now run httpd -t again. You will probably get another error on
> > > libcrypto.so and have to copy in the library from the OpenSSL
> > > installation directory.
> > >
> > > Now try httpd -t and everything SHOULD work.
> > >
> > > Start Apache (apachectl -k start) and HTTPD should come up. Now do:
> > >
> > >     head /path to logfiles/error_log
> > >
> > > and check that the start message shows that the correct version of
> > > OpenSSL started. It is shown on the first line of the new log, just
> > > ahead of the command line for the starting httpd.
> > >
> > > Folks, I know this is somewhat arcane and probably overkill, but I
> > > just spent two days that I really didn't have chasing things around
> > > and a slight enhancement of the installation instructions would have
> > > been very welcome.
> > >
> > > Regards, and thanks to those who replied to my two previous posts.
> > >
> > > John
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> > > For additional commands, e-mail: users-h...@httpd.apache.org

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
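
An added example (not part of the thread, and not httpd project code): a shell check that classifies where mod_ssl's libssl and libcrypto actually resolve, covering the "can't open libssl.so" failure, the system-directory copy, and the LD_LIBRARY_PATH/envvars route discussed above. It assumes mod_ssl is built as a DSO; all paths are placeholders and the sample ldd output is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `ldd` output on stdin and reports
# where libssl/libcrypto resolve relative to the custom OpenSSL prefix ($1).
# Exit status is 0 only when both come from under that prefix.
# Real use, with envvars applied the way apachectl applies it (placeholder paths):
#   ( . /path/to/httpd/bin/envvars
#     ldd /path/to/httpd/modules/mod_ssl.so ) | check_ssl_libs /path/to/new/OpenSSL
check_ssl_libs() {
    awk -v prefix="$1" '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            name = $1; sub(/\.so.*$/, "", name); seen[name] = 1
            if ($3 == "not")                     { print name, "NOT-FOUND"; bad = 1 }
            else if (index($3, prefix "/") == 1) { print name, "custom", $3 }
            else                                 { print name, "other", $3; bad = 1 }
        }
        END {
            if (!seen["libssl"])    { print "libssl", "not-linked"; bad = 1 }
            if (!seen["libcrypto"]) { print "libcrypto", "not-linked"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed ldd output: the "can't open libssl.so" state from the thread.
SAMPLE_MISSING='    libssl.so.1.0.0 => not found
    libcrypto.so.1.0.0 => not found
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)'

# Constructed: httpd starts, but the libraries come from the system directory,
# so the file name alone does not say which OpenSSL build is in use.
SAMPLE_SYSTEM='    libssl.so.1.0.0 => /usr/lib64/libssl.so.1.0.0 (0x00007f0000200000)
    libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 (0x00007f0000100000)'

# Constructed: resolved from the custom prefix via LD_LIBRARY_PATH in envvars.
SAMPLE_CUSTOM='    libssl.so.1.0.0 => /path/to/new/OpenSSL/lib/libssl.so.1.0.0 (0x00007f0000200000)
    libcrypto.so.1.0.0 => /path/to/new/OpenSSL/lib/libcrypto.so.1.0.0 (0x00007f0000100000)'

for sample in "$SAMPLE_MISSING" "$SAMPLE_SYSTEM" "$SAMPLE_CUSTOM"; do
    printf '%s\n' "$sample" | check_ssl_libs /path/to/new/OpenSSL ||
        echo "=> mod_ssl is not loading the custom OpenSSL build"
done
```

Running `readelf -d` on mod_ssl.so and looking for an RPATH or RUNPATH entry answers the rpath question for a given build; the version string on the first line of error_log remains the final confirmation.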