httpd-users mailing list archives

From John Iliffe <john.ili...@iliffe.ca>
Subject Re: [users@httpd] mod ssl
Date Mon, 14 Apr 2014 00:01:39 GMT
On Sunday 13 April 2014 19:44:11 Jeff Trawick wrote:
> On Sun, Apr 13, 2014 at 7:34 PM, John Iliffe <john.iliffe@iliffe.ca> wrote:
> > Well, after a weekend of absolute frustration I figured this one out.
> > 
> > Because there is a paucity of documentation and given the importance
> > of OpenSSL to the Apache community, I will give a full explanation as
> > to what happened and why, and I hope that the Apache maintainers will
> > be interested in putting some of this in the docs, even though some
> > parts are really not Apache issues.
> > 
> > Here I am assuming that you are not using the O/S supplied OpenSSL
> > version and that you are either updating Apache or don't have OpenSSL
> > linked dynamically.
> > 
> > First, compile OpenSSL from source.  You need to have AT LEAST the
> > following two parameters in the configuration:
> > 
> > --prefix=/path/to/new/OpenSSL
> > share      <-- without this Apache will not link to OpenSSL
> > 
> > add any other parameters required and make, make test, make install
> > 
> > Now compile Apache as per the instructions in the INSTALL file and for
> > OpenSSL you need:
> > 
> > --enable-ssl
> > --with-ssl=/path/to/new/OpenSSL   <-- this gets you the correct version of
> >       OpenSSL, not the one supplied by the O/S
> > 
> > compile and install Apache and edit the configuration file httpd.conf
> > to make sure that the LoadModule statement for SSL is not commented out.
> > 
> > Now run httpd -t
> > 
> > you will probably get an error saying can't open libssl.so.x.x.x, no
> > such file or directory.  The documentation in the Apache install
> > implies that when you use the form with-xxx=(path) that the module
> > will be made available (ie the path to the required libraries will be
> > stored in the DSO) but this isn't the case.  The library (found in
> > the OpenSSL installation directory in the /bin/ subdirectory) must be
> > copied to the SYSTEM's library directory.
> 
I completely agree Jeff.  If I was a bit more of an Apache specialist I 
would have done what you suggest as it is obvious once it is pointed out!  
My immediate problem was to get our e-commerce web site back on the Inet 
and what I did resolved the problem.  Maybe your suggestion would be best 
added to the docs?  

> IMO it is best to avoid mixing stuff you built with system directories,
> especially when part of the installation is manual and easily forgotten.
> 
> You could edit <HTTPDINST>/bin/envvars and update LD_LIBRARY_PATH to
> include /path/to/new/OpenSSL/lib so that httpd could find
> libssl.so.x.x.x.
> 
> After that you need to always use "apachectl <args>" instead of "httpd
> <args>" so that envvars takes effect.
> 
> (I don't know why the custom OpenSSL lib directory doesn't end up in
> rpath. Does anyone know?)
> 
> > In my case (Red Hat EL6) this is /usr/lib64/  but other distros
> > may put it somewhere else.  Be careful here; don't overlay any library
> > with the same name.  I give this warning because the library for
> > OpenSSL-1.0.1g is named libssl.so.1.0.0 whereas previous releases
> > named the library the same as the release (eg libssl.so.1.0.1e).
> > 
> > Now run httpd -t again.  You will probably get another error on
> > libcrypto.so and have to copy in the library from the OpenSSL
> > installation directory.
> > 
> > Now try httpd -t and everything SHOULD work.
> > 
> > Start Apache (apachectl -k start) and HTTPD should come up.  Now do:
> > 
> > head /path to logfiles/error_log
> > 
> > and check that the start message shows that the correct version of
> > OpenSSL started.  It is shown on the first line of the new log, just
> > ahead of the command line for the starting httpd.
> > 
> > Folks, I know this is somewhat arcane and probably overkill, but I
> > just spent two days that I really didn't have chasing things around
> > and a slight enhancement of the installation instructions would have
> > been very welcome.
> > 
> > Regards, and thanks to those who replied to my two previous posts.
> > 
> > John
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
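
Added example (not part of the original thread or of the httpd project): a shell check that reads `ldd` output for mod_ssl.so and reports whether libssl and libcrypto resolve under the OpenSSL prefix passed to --with-ssl, are missing, or come from some other directory such as the O/S copy. It assumes glibc-style `ldd` output; `/opt/openssl` and the sample lines are constructed stand-ins for /path/to/new/OpenSSL.

```shell
#!/bin/sh
# Reads `ldd` output on stdin and reports where libssl and libcrypto resolve.
# $1 is the OpenSSL prefix that was given to --with-ssl.
# Returns 0 only when both libraries resolve under "$1".
check_ssl_libs() {
    prefix=${1%/}
    found_ssl=0; found_crypto=0; bad=0
    while read -r name arrow path rest; do
        case $name in
            libssl.so*|libcrypto.so*) ;;
            *) continue ;;                 # ignore unrelated libraries
        esac
        [ "$arrow" = "=>" ] || continue
        case $path in
            not) status=MISSING; path="not found"; bad=1 ;;
            "$prefix"/*)
                status=OK
                case $name in
                    libssl.so*) found_ssl=1 ;;
                    *)          found_crypto=1 ;;
                esac ;;
            *) status=OTHER; bad=1 ;;      # e.g. the O/S copy in a system directory
        esac
        printf '%s %s %s\n' "$status" "$name" "$path"
    done
    [ "$bad" -eq 0 ] && [ "$found_ssl" -eq 1 ] && [ "$found_crypto" -eq 1 ]
}

# Constructed ldd output (not captured from a real host); /opt/openssl is a
# hypothetical stand-in for /path/to/new/OpenSSL.
SAMPLE_MISSING='    libssl.so.1.0.0 => not found
    libcrypto.so.1.0.0 => not found
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000600000)'
SAMPLE_OK='    libssl.so.1.0.0 => /opt/openssl/lib/libssl.so.1.0.0 (0x00007f0000000000)
    libcrypto.so.1.0.0 => /opt/openssl/lib/libcrypto.so.1.0.0 (0x00007f0000200000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000600000)'

for sample in "$SAMPLE_MISSING" "$SAMPLE_OK"; do
    if printf '%s\n' "$sample" | check_ssl_libs /opt/openssl; then
        echo "=> mod_ssl resolves the custom build"
    else
        echo "=> mod_ssl does NOT resolve the custom build"
    fi
done
```

On a real host, pipe `ldd` of the installed mod_ssl.so (under `modules/` in the default httpd layout) into `check_ssl_libs` from a shell that has the same LD_LIBRARY_PATH as `<HTTPDINST>/bin/envvars`, since that is the environment apachectl starts httpd with.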
