2

Alright -- having a bad couple days here compiling Apache 2.2.21 on CentOS 5.7 with the following configure commands:

./configure --enable-ssl=shared --with-ssl=/usr/local/openssl 

I've compiled OpenSSL 1.0.0e from source:

./config --prefix=/usr/local --openssldir=/usr/local/openssl shared zlib-dynamic 

I attempt to start Apache and it returns:

httpd: Syntax error on line 54 of /usr/local/apache2/conf/httpd.conf: Cannot load /usr/local/apache2/modules/mod_ssl.so into server: /usr/local/apache2/modules/mod_ssl.so: undefined symbol: SSL_get_servername

If I look at how the libraries are linked, this is what I get:

[root@web1 modules]# ldd mod_ssl.so
    libssl.so.6 => /lib64/libssl.so.6 (0x00002aaaaace4000)
    libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002aaaaaf30000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00002aaaab281000)
    libz.so.1 => /lib64/libz.so.1 (0x00002aaaab486000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00002aaaab69a000)
    libc.so.6 => /lib64/libc.so.6 (0x00002aaaab8b5000)
    libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002aaaabc0e000)
    libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002aaaabe3c000)
    libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002aaaac0d1000)
    libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002aaaac2d4000)
    /lib64/ld-linux-x86-64.so.2 (0x0000555555554000)
    libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002aaaac4f9000)
    libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002aaaac702000)
    libresolv.so.2 => /lib64/libresolv.so.2 (0x00002aaaac904000)
    libselinux.so.1 => /lib64/libselinux.so.1 (0x00002aaaacb19000)
    libsepol.so.1 => /lib64/libsepol.so.1 (0x00002aaaacd32000)

Basically, I've tried compiling from source OpenSSL (both 0.9.8r and 1e), having yum reinstall from the repos, done a make clean and remade both OpenSSL and Apache numerous times -- but I can't get it to compile into the apache base or dynamically as a shared object file.

What am I doing wrong here?

Update 1:

After doing a make clean and make distclean, I've reconfigured with the same parameters as above without any effect.

The config.log is at Pastebin.

Update 2:

Modifying the LD_LIBRARY_PATH had no effect on the lib-deps of mod_ssl.so.

UPDATE 3:

I've compiled and recompiled many times, and verified with ldconfig that the OpenSSL libs dir is in my path, and included in ld.so.conf. Still cannot get httpd/mod_ssl to load the library at runtime.

2
  • 1
    Is this still an open question you are interested in? If so, I can provide detailed steps since I did this recently on my CentOS 6.3. I was enabling FIPS on OpenSSL and Apache. Commented Aug 14, 2012 at 8:02
  • 1
    I'm not the OP, but I'm interested - please do post an answer! Commented Aug 27, 2012 at 17:32

6 Answers

4

When you compiled Apache you should have "--enable-so". I think you must have because the so module is trying to load.

Also after compiling openssl ensure the system can find the shared library with "/sbin/ldconfig -v /usr/local/openssl/lib"

and I also like to edit /etc/ld.so.conf.d/local.conf to add a line for /usr/local/openssl/lib

3
  • That's correct. I've tried with --enable-so and without (and then compiling it into httpd). Either way I do it, it will not load the libssl.so.* files no matter where they are when they're in the library path, and everything in between, trying builds of apache from 2.2.19-2.2.21 and openssl.0.9.8.r-1.0.0e. Commented Oct 5, 2011 at 21:13
  • Fresh install of ScientificLinux 5.5 without openssl-devel.
    openssl 1.0.0e
    ./Configure --prefix=/usr/local/openssl100e linux-elf shared; make install
    cd /usr/local; ln -s openssl100e ssl
    /sbin/ldconfig -v /usr/local/ssl/lib

    Apache 2.2.21:
    --prefix=/usr/local/apache --enable-so --enable-ssl --with-ssl=/usr/local/ssl and others.
    bin/apachectl -M | grep ssl says "ssl_module (shared)"
    Copied a generic server.crt and server.key into the conf directory, uncommented conf/extra/httpd-ssl.conf
    /usr/local/servers/bin/apachectl start worked and nmap shows 80 and 443 open.
    Commented Oct 6, 2011 at 19:09
  • Had the same problem; it was resolved when doing the "/sbin/ldconfig -v /usr/local/openssl/lib" command. Although I had to use "sudo" and I had not compiled it in "/usr/local/openssl". Commented Jul 16, 2014 at 12:54
2

I recall that openssl doesn't make shared libraries by default. I do this:

./Configure --prefix=/usr/local/openssl linux-elf shared

Then you still have to do ldconfig as above. And tell apache where to find ssl libs.

1
  • Correct, and OpenSSL has been compiled this way. Apache will not link the library to the libraries installed from compiling OpenSSL nor through yum and the CentOS repos. Commented Oct 6, 2011 at 1:40
1

Had the same problem a few minutes ago, so I added:

LDFLAGS=-L/usr/local/ssl/lib 

and the parameter for ./configure (Apache) modified from:

--with-ssl=/usr/local/ssl 

to

--with-ssl=/usr/local/ssl/lib 

and now it's OK.

0

ldd mod_ssl.so libssl.so.6 => /lib64/libssl.so.

would indicate that you're not linking against the openssl in /usr/local. do a "make clean && make distclean" for both your apache/openssl builds, then rebuild/install openssl. ./configure [your options] apache, and check its config.log to make sure that it's linking against the correct openssl lib.

alternatively, please provide the output of your existing config.log

4
  • No change with make clean and make distclean, but I have tried them before. config.log link is above. Commented Oct 4, 2011 at 19:06
  • export LD_LIBRARY_PATH=/usr/local/openssl/lib:$LD_LIBRARY_PATH, then recheck ldd. Commented Oct 4, 2011 at 20:26
  • basically, it looks like Apache's finding the right libraries at compile-time, but not at run-time. adjusting LD_LIBRARY_PATH will give your openssl libs precedence in the search path. Commented Oct 4, 2011 at 20:45
  • After modifying the LD_LIBRARY_PATH var, the results are the same. Commented Oct 5, 2011 at 16:59
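
An added example, not part of any post on this page: a shell check of the ldd result this answer talks about, reporting whether libssl and libcrypto resolve inside the intended OpenSSL directory, resolve elsewhere, are not found, or are absent (a static link). The function name check_ssl_linkage and the expected directory /usr/local/openssl/lib are assumptions; SAMPLE_SYSTEM is taken from the question's ldd output and SAMPLE_LOCAL is constructed.

```shell
#!/bin/sh
# Usage on a real build (path from the question):
#   ldd /usr/local/apache2/modules/mod_ssl.so | check_ssl_linkage /usr/local/openssl/lib
# Reads ldd output on stdin. Exit status: 0 = every libssl/libcrypto entry
# resolves under the given directory, 1 = one resolves elsewhere or is not
# found, 2 = no such dependency is listed (statically linked or not linked).
check_ssl_linkage() {
    awk -v prefix="$1" '
        BEGIN { sub(/\/+$/, "", prefix) }          # tolerate a trailing slash
        $1 ~ /^lib(ssl|crypto)\.so/ {              # anchored: skips libk5crypto
            seen++
            if ($2 != "=>" || $3 == "not") { print "MISSING", $1; bad++; next }
            if (index($3, prefix "/") == 1) { print "OK", $1, $3 }
            else { print "WRONG", $1, $3; bad++ }
        }
        END {
            if (!seen) { print "NONE no libssl/libcrypto dependency listed"; exit 2 }
            exit (bad ? 1 : 0)
        }
    '
}

# Lines copied from the ldd output in the question (system OpenSSL in /lib64).
SAMPLE_SYSTEM='libssl.so.6 => /lib64/libssl.so.6 (0x00002aaaaace4000)
libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002aaaaaf30000)
libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002aaaac2d4000)
libc.so.6 => /lib64/libc.so.6 (0x00002aaaab8b5000)'

# Constructed sample: what a correctly resolved module would look like.
SAMPLE_LOCAL='libssl.so.1.0.0 => /usr/local/openssl/lib/libssl.so.1.0.0 (0x0)
libcrypto.so.1.0.0 => /usr/local/openssl/lib/libcrypto.so.1.0.0 (0x0)
libc.so.6 => /lib64/libc.so.6 (0x0)'

# Demo run over both samples; "|| true" keeps the script going on a mismatch.
printf '%s\n' "$SAMPLE_SYSTEM" | check_ssl_linkage /usr/local/openssl/lib || true
printf '%s\n' "$SAMPLE_LOCAL"  | check_ssl_linkage /usr/local/openssl/lib || true
```

Run it after every rebuild and before starting httpd: a WRONG line means the loader will hand mod_ssl a different OpenSSL than the one it was compiled against, whatever configure reported.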
0

It is definitely linking to the wrong OpenSSL install as pointed out previously. You should have /usr/local/ssl/lib in ld.so.conf, but try it with the following Apache configure command:

LDFLAGS=-L/usr/local/ssl/lib \
./configure \
  --enable-ssl \
  --enable-mods-shared=all \
  --with-ssl=/usr/local/ssl

Also, are you sure OpenSSL itself is compiling as intended? Could it be failing to make shared libraries itself and falling back to static but still compiling successfully?

2
  • It is compiling the mod_ssl.so file in modules/. I'm still executing ./configure --with-ssl=the/right/dir, and configure sees this at configure-time. Once it compiles, and we come to runtime, it doesn't link properly to the library dictated at compile time. Commented Oct 5, 2011 at 23:56
  • You could try removing openssl-devel from your system and then try again. If you are compiling your own version of SSL, you likely don't need that. As a last resort, you can manually tell mod_ssl.so which library to use with this: nixos.org/patchelf.html Commented Oct 6, 2011 at 15:54
0

Check the SELinux logs. You have to tag the binaries with the proper SELinux attribute.

1
  • SELinux is disabled. Commented Oct 6, 2011 at 17:02
