httpd-users mailing list archives

From Jeff Trawick <>
Subject Re: [users@httpd] mod ssl
Date Sun, 13 Apr 2014 23:44:11 GMT
On Sun, Apr 13, 2014 at 7:34 PM, John Iliffe <> wrote:

> Well, after a weekend of absolute frustration I figured this one out.
> Because there is a paucity of documentation and given the importance of
> OpenSSL to the Apache community, I will give a full explanation as to what
> happened and why, and I hope that the Apache maintainers will be interested
> in putting some of this in the docs, even though some parts are really not
> Apache issues.
> Here I am assuming that you are not using the O/S supplied OpenSSL version
> and that you are either updating Apache or don't have OpenSSL linked
> dynamically.
> First, compile OpenSSL from source.  You need to have AT LEAST the
> following two parameters in the configuration:
> --prefix=/path/to/new/OpenSSL
> share      <-- without this Apache will not link to OpenSSL
> add any other parameters required and make, make test, make install
> Now compile Apache as per the instructions in the INSTALL file and for
> OpenSSL you need:
> --enable-ssl
> --with-ssl=/path/to/new/OpenSSL   <-- this gets you the correct version of
>       OpenSSL, not the one supplied by the O/S
> compile and install Apache and edit the configuration file httpd.conf to make
> sure that the LoadModule statement for SSL is not commented out.
> Now run httpd -t
> you will probably get an error saying can't open, no such
> file or directory.  The documentation in the Apache install implies that
> when you use the form with-xxx=(path) that the module will be made
> available (ie the path to the required libraries will be stored in the DSO)
> but this isn't the case.  The library (found in the OpenSSL installation
> directory in the /bin/ subdirectory) must be copied to the SYSTEM's library
> directory.

IMO it is best to avoid mixing stuff you built with system directories,
especially when part of the installation is manual and easily forgotten.

You could edit <HTTPDINST>/bin/envvars and update LD_LIBRARY_PATH to
include /path/to/new/OpenSSL/lib so that httpd could find

After that you need to always use "apachectl <args>" instead of "httpd
<args>" so that envvars takes effect.

(I don't know why the custom OpenSSL lib directory doesn't end up in rpath.
 Does anyone know?)

> In my case (Red Hat EL6) this is /usr/lib64/  but other distros
> may put it somewhere else.  Be careful here; don't overlay any library with
> the same name.  I give this warning because the library for OpenSSL-1.0.1g
> is named whereas previous releases named the library the
> same as the release (eg
> Now run httpd -t again.  You will probably get another error on
> and have to copy in the library from the OpenSSL installation
> directory.
> Now try httpd -t and everything SHOULD work.
> Start Apache (apachectl -k start) and HTTPD should come up.  Now do:
> head /path to logfiles/error_log
> and check that the start message shows that the correct version of OpenSSL
> started.  It is shown on the first line of the new log, just ahead of the
> command line for the starting httpd.
> Folks, I know this is somewhat arcane and probably overkill, but I just
> spent two days that I really didn't have chasing things around and a slight
> enhancement of the installation instructions would have been very welcome.
> Regards, and thanks to those who replied to my two previous posts.
> John

Born in Roswell... married an alien...
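
An added example, not part of either message above: a shell check of where libssl and libcrypto resolve for a DSO, run here over constructed `ldd` output so that a fallback to the O/S copy or a missing library is visible before httpd starts. The prefix `/opt/openssl-custom`, the function names and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify where libssl/libcrypto resolve, from `ldd` output on stdin.
# Prints "<soname> custom|other|missing [path]" per library; returns 0 only when
# both are present and both resolve under PREFIX/lib (PREFIX is the --prefix value).
classify_ssl_libs() {
    prefix=${1%/}
    awk -v libdir="$prefix/lib/" '
        $1 ~ /^lib(ssl|crypto)\.so/ {
            seen++
            if ($3 == "not" && $4 == "found") { print $1, "missing"; bad++; next }
            if (index($3, libdir) == 1) { print $1, "custom", $3; next }
            print $1, "other", $3; bad++
        }
        END { exit !(seen >= 2 && bad == 0) }
    '
}

# Constructed ldd output: loader cannot find the libraries (the httpd -t error case).
sample_missing() { cat <<'EOF'
    linux-vdso.so.1 =>  (0x00007fff5a3ff000)
    libssl.so.1.0.0 => not found
    libcrypto.so.1.0.0 => not found
    libc.so.6 => /lib64/libc.so.6 (0x00007f2c1a000000)
EOF
}

# Constructed ldd output: libssl from the custom build, libcrypto from the system.
sample_mixed() { cat <<'EOF'
    libssl.so.1.0.0 => /opt/openssl-custom/lib/libssl.so.1.0.0 (0x00007f2c1b200000)
    libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 (0x00007f2c1ae00000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f2c1a000000)
EOF
}

# Constructed ldd output: both libraries found via LD_LIBRARY_PATH in the custom prefix.
sample_custom() { cat <<'EOF'
    libssl.so.1.0.0 => /opt/openssl-custom/lib/libssl.so.1.0.0 (0x00007f2c1b200000)
    libcrypto.so.1.0.0 => /opt/openssl-custom/lib/libcrypto.so.1.0.0 (0x00007f2c1ae00000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f2c1a000000)
EOF
}

for s in sample_missing sample_mixed sample_custom; do
    if "$s" | classify_ssl_libs /opt/openssl-custom; then echo "$s: OK"; else echo "$s: FAIL"; fi
done
```

On a real install, source `<HTTPDINST>/bin/envvars` first and pipe the `ldd` output for mod_ssl's DSO into `classify_ssl_libs /path/to/new/OpenSSL`, because `ldd` resolves against the current `LD_LIBRARY_PATH`.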
