Ubuntu 10.04 updating openssl for apache - apache

My company's website is on an EC2 instance. The OS is Ubuntu 10.04. Currently we are using packages installed through apt-get. We have apache 2.2.14 and openssl 0.9.8k. After a security audit, I was told to update the version of openssl. The latest version of openssl on the 0.9.8 line is 0.9.8y. Is it compatible with apache 2.2.14? If so, is it easy, or at least possible, to upgrade only openssl? I read somewhere that some people simply recommend upgrading the whole OS. Any comments?
I did try to upgrade by downloading the tarball of
httpd-2.2.24 + openssl 0.9.8y
I installed them both under
/usr/local/apache2
/usr/local/ssl
I configured apache by
./configure --enable-modules=all --enable-mods-shared="all ssl" \
--with-ssl=/usr/local/ssl/ --enable-ssl
the /usr/local/ssl/bin/openssl does show 0.9.8y
but my web service shows apache 2.2.24 + openssl 0.9.8k
Any idea how to fix it ? Thanks.

$ ldd /usr/local/apache2/bin/httpd
...
libssl.so.0.9.8 => /lib/libssl.so.0.9.8
libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8
...
The libssl.so.0.9.8 is still found in /lib/ system directory by the loader, not /usr/local/ssl. So you need to set LD_LIBRARY_PATH before running httpd:
$ export LD_LIBRARY_PATH=/usr/local/ssl/lib && /usr/local/apache2/bin/httpd
See also this document for more info on compatibility between apache & openssl. See this table for info on binary compatibility of openssl 0.9.8k and 0.9.8y.
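An added example (not part of the original answer): a shell check that reads ldd output and reports whether libssl and libcrypto resolve under the prefix where the newer OpenSSL was installed, which is the condition the ldd listing above shows failing. The function name check_ssl_libs and the load addresses in the sample data are assumptions made for the illustration; the paths are the ones from the question.

```shell
#!/bin/sh
# Added example: reads `ldd` output on stdin; $1 is the directory the
# intended OpenSSL libraries live in. Prints one line per SSL library:
#   OK <lib> <path>      resolves under the wanted directory
#   STALE <lib> <path>   resolves somewhere else (e.g. the distro copy in /lib)
#   MISSING <lib>        the loader could not find it at all
# Returns 0 only if at least one SSL library was seen and every one was OK.
check_ssl_libs() {
    want=${1%/}
    awk -v want="$want" '
        $1 ~ /^lib(ssl|crypto)\.so/ {
            seen++
            if ($2 != "=>" || $3 == "not") { print "MISSING " $1; bad++; next }
            if (index($3, want "/") == 1) {
                print "OK " $1 " " $3
            } else {
                print "STALE " $1 " " $3
                bad++
            }
        }
        END { if (seen > 0 && bad == 0) exit 0; exit 1 }
    '
}

# Constructed sample: the two lines quoted in the answer, with made-up addresses.
sample_before() {
    printf '\tlibssl.so.0.9.8 => /lib/libssl.so.0.9.8 (0x00007f0000001000)\n'
    printf '\tlibcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8 (0x00007f0000002000)\n'
    printf '\tlibc.so.6 => /lib/libc.so.6 (0x00007f0000003000)\n'
}

# Constructed sample: what the same listing looks like once the loader
# picks the copies under /usr/local/ssl/lib.
sample_after() {
    printf '\tlibssl.so.0.9.8 => /usr/local/ssl/lib/libssl.so.0.9.8 (0x00007f0000001000)\n'
    printf '\tlibcrypto.so.0.9.8 => /usr/local/ssl/lib/libcrypto.so.0.9.8 (0x00007f0000002000)\n'
}

# Real use (ldd honours LD_LIBRARY_PATH, so test with the environment httpd will run in):
#   LD_LIBRARY_PATH=/usr/local/ssl/lib ldd /usr/local/apache2/bin/httpd | check_ssl_libs /usr/local/ssl/lib
sample_before | check_ssl_libs /usr/local/ssl/lib || echo "httpd would still load the old OpenSSL"
sample_after  | check_ssl_libs /usr/local/ssl/lib && echo "httpd resolves the intended OpenSSL"
```

Running the check from the same init script or service wrapper that starts httpd catches the case where LD_LIBRARY_PATH is set in an interactive shell but not in the environment the server is actually launched from.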

Related

How to fix following ansible galaxy SSL error?

Started learning Ansible and want to facilitate ansible-galaxy search nginx command, but I'm getting:
ERROR! Unknown error when attempting to call Galaxy at 'https://galaxy.ansible.com/api/api': <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)>
I tried to use ansible-galaxy --ignore-certs search nginx and ansible-galaxy -c search nginx, but now I am getting ansible-galaxy: error: unrecognized arguments: --ignore-certs for both.
OS :
Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic
Ansible version:
ansible 2.9.5
config file = /home/maciej/projects/priv/ansible_nauka/packt_course/ansible.cfg
configured module search path = ['/home/maciej/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/maciej/.local/lib/python3.6/site-packages/ansible
executable location = /home/maciej/.local/bin/ansible
python version = 3.6.9 (default, Jul 17 2020, 12:50:27) [GCC 8.4.0]
I had the same issue, but on Mac OS X.
The underlying problem is that your Python environment is not finding/making use of the default root certificates that are installed on your OS. These root certs are required to connect securely (via TLS) with Ansible Galaxy.
For Mac OS X I was able to solve this based on this answer:
How to make Python use CA certificates from Mac OS TrustStore?
i.e. by running the script to install the certs, shipped with the installation:
cd /Applications/Python\ 3.7/
./Install\ Certificates.command
For Ubuntu / Debian:
Update: As pointed out by Maciej in the accepted answer, certs can be regenerated and added to the environment:
sudo update-ca-certificates --fresh
export SSL_CERT_DIR=/etc/ssl/certs
P.S.: I would not suggest to use --ignore-certs, this will skip verification of the certificate in the TLS connection, making the connection insecure (allowing Man-in-the-middle attacks)
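An added example (not part of the original answers): a shell check that classifies a CA directory the way OpenSSL's directory lookup sees it, so the cause of CERTIFICATE_VERIFY_FAILED can be confirmed instead of switching verification off. The function name ca_dir_status and its output format are assumptions made for the illustration; /etc/ssl/certs and SSL_CERT_DIR are the values used in the answers.

```shell
#!/bin/sh
# Added example: OpenSSL finds a CA inside a directory by subject-hash file
# name (8 hex digits, a dot, a counter). A directory that holds only .pem/.crt
# files, or only links whose targets are gone, verifies nothing.
# Prints one line: "<state> hashed=N certs=N dangling=N" where state is
#   missing   the directory does not exist
#   empty     no certificates and no hash links
#   unhashed  certificate files present but no hash links
#   usable    at least one live hash link
ca_dir_status() {
    dir=$1 hashed=0 certs=0 dangling=0
    if [ ! -d "$dir" ]; then
        echo "missing hashed=0 certs=0 dangling=0"
        return 0
    fi
    for f in "$dir"/*; do
        if [ -L "$f" ] && [ ! -e "$f" ]; then      # link whose target is gone
            dangling=$((dangling + 1))
            continue
        fi
        [ -e "$f" ] || continue                    # unmatched glob in an empty dir
        case ${f##*/} in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                hashed=$((hashed + 1)) ;;
            *.pem|*.crt)
                certs=$((certs + 1)) ;;
        esac
    done
    if [ "$hashed" -gt 0 ]; then
        state=usable
    elif [ "$certs" -gt 0 ]; then
        state=unhashed
    else
        state=empty
    fi
    echo "$state hashed=$hashed certs=$certs dangling=$dangling"
}

# Check the directory the answers export, or whatever SSL_CERT_DIR points at.
ca_dir_status "${SSL_CERT_DIR:-/etc/ssl/certs}"
```

A result other than usable, or a large dangling count, points at the trust store itself rather than at Ansible Galaxy's certificate.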
Worked for me:
ansible-galaxy search --ignore-certs postgresql
I came back to this issue... life is the best motivator. What helped me is:
sudo update-ca-certificates --fresh
export SSL_CERT_DIR=/etc/ssl/certs
For RHEL/CENTOS
You may want to check the cryptopolicy, if the policy is set to future temporarily set it to default
sudo update-crypto-policies --set=DEFAULT
bahrathkumaraju@Bahrathkumarajus-MacBook-Pro vault_ansible % ansible-galaxy collection install community.hashi_vault --ignore-certs
Starting galaxy collection install process
Process install dependency map
Starting collection install process
Downloading https://galaxy.ansible.com/download/community-hashi_vault-3.0.0.tar.gz to /Users/bahrathkumaraju/.ansible/tmp/ansible-local-91443c5vh69v3/tmp76qmz32a/community-hashi_vault-3.0.0-635b3qde
Installing 'community.hashi_vault:3.0.0' to '/Users/bahrathkumaraju/.ansible/collections/ansible_collections/community/hashi_vault'
community.hashi_vault:3.0.0 was installed successfully
bahrathkumaraju@Bahrathkumarajus-MacBook-Pro vault_ansible %
in case someone else is looking at this, the args are order dependent. On rhel8 with a cntlm proxy ....
declare -x https_proxy='127.0.0.1:3128'
declare -x http_proxy='127.0.0.1:3128'
# this works through a proxy
ansible-galaxy collection install ovirt.ovirt --ignore-certs
# this does not
ansible-galaxy --ignore-certs collection install ovirt.ovirt
# and this does not
ansible-galaxy collection --ignore-certs install ovirt.ovirt

Manual install of curl can't find openssl

My system (Centos7) install of curl doesn't support https. So I followed this answer downloaded from source and installed myself, using the ./configure --with-ssl option.
I got the following warning while configuring:
checking OpenSSL linking with -ldl... no
checking OpenSSL linking with -ldl and -lpthread... no
checking for ssl_version in -laxtls... no
configure: WARNING: SSL disabled, you will not be able to use HTTPS, FTPS, NTLM and more.
configure: WARNING: Use --with-ssl, --with-gnutls, --with-polarssl, --with-cyassl, --with-nss, --with-axtls, --with-winssl, or --with-darwinssl to address this.
As a result, my curl build does not support https.
Open SSL is installed on my system:
[user@server curl-7.61.0]$ which openssl
/usr/bin/openssl
How can I get my curl install to find openssl and support HTTPS?
Try installing openssl-devel. Development (-devel) packages are usually needed when building from source.

"OpenSSL version is too old" while compiling http 2.4.16 on MacOS 10.11

I encounter an error with OpenSSL while compiling http 2.4.16 on El Capitan 10.11.1.
It is looking for OpenSSL version >= 0.9.8a:
checking for OpenSSL... checking for user-provided OpenSSL base directory... none
checking for OpenSSL version >= 0.9.8a... FAILED
configure: WARNING: OpenSSL version is too old
The default OpenSSL version is 0.9.8zg:
$ openssl version
OpenSSL 0.9.8zg 14 July 2015
And finally here is a part of my compilation line:
./configure --prefix=/usr/local/MyWebserver/httpd-2.4.12 \
--enable-ssl \
--with-few-things… \
--disable-lots-of-things…
I don't want to install another openssl even with brew.
For me, the problem was solved by installing the package 'openssl-devel'.
None of the above solutions worked for me.
I resolved it by telling "configure" which open-ssl to use:
When doing ./configure, please add the following:
--with-ssl=/usr/local/Cellar/openssl/1.0.2r
where 1.0.2r is your current version of openssl, usually installed by brew.
I prefer doing this method rather than messing about with the system files (i.e. don't like to link anything on /usr/... directories as it messes up with the system, especially Apple will always do an update to prevent you from doing this), therefore, the following command works:
./configure --enable-ssl --enable-so --prefix=/(Wherever you like to install location) \
  --with-included-apr --with-mpm=prefork \
  --with-ssl=/usr/local/Cellar/openssl/1.0.2r
For my installation to work, I also needed to download the apr and apr-util, unzip and place them onto the srclib folder before installing.
I hope this helps.
You don't necessarily need to copy things if you have a current version of OpenSSL installed (using Homebrew), creating a symlink is sufficient to ensure it is picked up by the configure command:
ln -s /usr/local/opt/openssl/include/openssl /usr/local/include
More details: https://medium.com/@timmykko/using-openssl-library-with-macos-sierra-7807cfd47892
I’ve found a way :
Copy the folder /usr/include/openssl from a Yosemite (MacOS 10.10) to /usr/local/include/openssl on my computer (El Capitan MacOS 10.11).
Then compile apache by adding a flag to the compilation environment variables gcc and g++ : -I/usr/local/include
Here are all the variables that I use :
ARCH="-arch x86_64 -mmacosx-version-min=10.7"
LDFLAGS="-O3 $ARCH"
CFLAGS="-O3 -fno-common $ARCH"
CXXFLAGS="-O3 -fno-common $ARCH"
CC="gcc $ARCH -I/usr/local/include"
CXX="gcc $ARCH -I/usr/local/include"
CPP="gcc -E"
CXXCPP="g++ -E"
Actually, you just need to provide the headers.
Download the Openssl source code here, and then copy to /usr/local/include/ as below,
$ sudo cp -r include/openssl /usr/local/include/
then everything will work fine.
Edit:
The openssl being outdated was the result of not having the proper libraries installed.
Installing libssl via: sudo apt-get install libssl-dev
caused --enable-ssl to function without extra configuration.

How to upgrade apache 2.2.15 to apache 2.4.12 on CentOS 6.6?

I tried, but it didn't work for me.
Apache 2.4 on CentOS 6.6:
Step 1:
cd /etc/yum.repos.d/
wget http://repos.fedorapeople.org/repos/jkaluza/httpd24/epel-httpd24.repo
Step 2:
yum install httpd24.x86_64
Step 3:
$ /opt/rh/httpd24/root/usr/sbin/httpd -version
Server version: Apache/2.4.6 (Red Hat)
Server built: Sep 25 2013 05:25:46
NOTE: config files are in: /opt/rh/httpd24/root/etc/httpd
$ ls
conf conf.d conf.modules.d logs modules run
EDIT: in case you want to switch off Apache 2.2
$ chkconfig httpd off
$ chkconfig --list | grep httpd
httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
httpd24-httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
EDIT 2: http://wiki.apache.org/httpd/PHP-FPM
yum install php-fpm
/etc/init.d/php-fpm start
Does anybody know the solution? Please let me know.
It would be best if you built it yourself from the Apache source code on a CentOS 6.6 system.
Compiling and Installing Apache 2.4:
http://httpd.apache.org/docs/current/install.html
Make note of the configure line during the build so you can make sure it includes all the modules you want (Like mod_ssl...etc..). Details on what is available for the configure line located here http://httpd.apache.org/docs/current/programs/configure.html
$ CC="pgcc" CFLAGS="-O2" \
./configure --prefix=/sw/pkg/apache \
--enable-ldap=shared \
--enable-lua=shared
If you want your own RPM, create a SPEC file with your own customizations.
The easiest way is to install the SCL version, as described here:
https://unix.stackexchange.com/questions/412122/how-to-update-apache-to-2-4-29-using-scl

Apache httpd setup and installation

I am trying to install Apache HTTP server locally in my box as a regular user (non-root).
I have downloaded Apache 2.4.1 version of Apache HTTP server [http://httpd.apache.org/download.cgi]. However when I am trying to build and install locally in my box I am getting below error:
httpd/httpd-2.4.1 1059> ./configure
checking for chosen layout... Apache
checking for working mkdir -p... yes
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking target system type... x86_64-unknown-linux-gnu
Configuring Apache Portable Runtime library ...
checking for APR... no
configure: error: APR not found. Please read the documentation.
I am not sure what dependency it is looking for - I mean the download package does not contains it? What I need to do to build / deploy Apache HTTP server?
When it tells you Please read documentation it means that you should go read Apache documentation ( http://httpd.apache.org/docs/2.4/install.html ) which tells you to
download the latest versions of both APR and APR-Util from Apache APR,
unpack them into ./srclib/apr and ./srclib/apr-util (be sure the
domain names do not have version numbers; for example, the APR
distribution must be under ./srclib/apr/)
then do
./configure --with-included-apr
For Ubuntu 11.10 this option seems to be working well:
# APR
wget http://mirrors.axint.net/apache//apr/apr-1.4.6.tar.gz
tar -xvzf apr-1.4.6.tar.gz
cd apr-1.4.6/
./configure
make
make install
cd ..
# APR Utils
wget http://mirrors.axint.net/apache//apr/apr-util-1.4.1.tar.gz
tar -xvzf apr-util-1.4.1.tar.gz
cd apr-util-1.4.1
./configure --with-apr=/usr/local/apr
make
make install
cd ..
# Apache
wget http://apache.petsads.us//httpd/httpd-2.4.1.tar.gz
tar -xvzf httpd-2.4.1.tar.gz
cd httpd-2.4.1
./configure --enable-file-cache --enable-cache --enable-disk-cache --enable-mem-cache --enable-deflate --enable-expires --enable-headers --enable-usertrack --enable-ssl --enable-cgi --enable-vhost-alias --enable-rewrite --enable-so --with-apr=/usr/local/apr/
make
make install
cd ..
You can find more about it below
Source: VaporCreations.com
If you have Debian/Ubuntu you can just:
apt-get install libapr1-dev libaprutil1-dev
Then ./configure
Done
Here are the steps of how I installed apache-httpd on a non-root users:
Download and extract apache-httpd-2.4.2 (but before ./configuring,
making and installing it, follow the steps below:)
Download and extract APR & APR-UTIL into "./srclib/apr" &
"./srclib/apr-util" folders. This requires ./configure
--with-apr=./apache/httpd-2.4.2/srclib/apr (and) --with-included-apr (options).
Download, extract, ./configure (with) --prefix=localURL, make and
make install PCRE into "./pcre" folder. This requires ./configure
--with-pcre=/home/username/apache/pcre (option).
Configure apache-httpd by entering the following command (I like to
enable certain options as written in the command below):
./configure --enable-file-cache --enable-cache --enable-disk-cache
--enable-mem-cache --enable-deflate --enable-expires --enable-headers --enable-usertrack --enable-cgi --enable-vhost-alias --enable-rewrite --enable-so --with-apr=/home/username/apache/httpd-2.4.2/srclib/apr --prefix=/home/username/apache/httpd-2.4.2/ --with-included-apr --with-pcre=/home/username/apache/pcre
Note: When configuring apache-httpd, use option "--enable-ssl" ONLY if OpenSSL is installed otherwise DON'T enable it.
Now on the command-line, enter 'make' and 'make install' command.
Open and configure the 'httpd.conf' file e.g.:
"vi /home/eddie_kumar/apache/httpd-2.4.2/conf/httpd.conf"
IMPORTANT: don't forget to change the default port from 80 to something else e.g. 8080, this is especially important for non-root
user. (How to? open httpd.conf -> search "Listen 80" -> change it
to "Listen 8080".)
And that's it, now open your browser enter "localhost:8080", it should display "It works!".
If you are using fedora, you can use yum to install APR, APR-Util and PCRE. You'll also need to download apr-devel, apr-util-devel and pcre-devel.
That being said, you can just run the following command on your terminal and no more "configure: error: APR not found.. ..APR-Util and PCRE" errors.
yum -y install apr apr-devel apr-util apr-util-devel pcre pcre-devel
I'm using fedora 17 and planning on using a shell script to setup apache 2.4.3. So yum works pretty slick instead of manually downloading apr, apr-util, and pcre.
1, You need APR (Apache Portable Runtime), which is a core component of the apache web server
2, If you want to do make install, you may need a root account
3, Even if not, apache can not start to listen on unprivileged port (lower than 1024) without root account
4, Gain root or ask someone with root to install apache from the official repo (I don't know which distro you run) using yum, apt-get, etc...
Apr or pcre related errors require the source to be downloaded and Apache HTTPD "configure" process needs to be made aware of these source locations on your file system. For instance: if you downloaded the source for APR at ./srclib (relative to apache httpd) then you would use
--with-included-apr
as the configure option.
On the other hand if you want to not build but install APR / APR-UTIL, then you need the following on CentOS / RedHat:
yum install apr-util-devel apr-devel
However it might so happen that the APR version provided by yum does not match what is expected by this version of Apache httpd. In that case you could download APR and APR-UTIL and use the --with-included-apr option.
You could also build PCRE utilizing the same "configure, make, make install" process and then continue where you left off building Apache httpd.
Or you could install pcre:
yum install pcre-devel
If while building PCRE: you see "compile: unrecognized option" then perhaps you would need other dependencies as well: Please see the details at:
http://khanna111.com/wordPressBlog/2012/09/11/94087-2/
It also covers "mod_deflate" and "zlib" as well.
Basic steps
tar -xvf httpd-2.4.1-customized.tar -C ../
#Balancer folder will be created
tar -xvzf openssl-1.0.1.tar.gz -C /balancer/
cd /balancer/openssl-1.0.1
./config --prefix=/usr/local/ssl/ shared zlib-dynamic enable-camellia
make depend
make
make install
tar -xvzf pcre-8.30.tar.gz -C ../balancer/
cd /balancer/pcre-8.30
./configure --prefix=/usr/local/pcre/
make
make install
remove pcre and openssl
Installing and compiling the Apache server on Ubuntu machine
Step 1: Install the Java JDK
sudo apt install openjdk-11-jdk
sudo gedit /etc/environment
JAVA_HOME="/usr/lib/jvm/openjdk-11"
source /etc/environment
echo $JAVA_HOME
verify the java version
javac --version
Install other required packages:
sudo apt-get install apache2-dev -y
sudo apt-get install libpcre3 libpcre3-dev
Step 2 :To Install Apache HTTP Server
#1 For ubuntu ,install development tools including the C compiler:
sudo apt-get install build-essential checkinstall
#2 Download and Extract the required files
assuming that all the files have been downloaded into the ~/Downloads directory
Download the Apache HTTP Server httpd-2.4.41.tar.gz from Apache download page (https://httpd.apache.org/download.cgi)
and following required libraries for compiling the apache HTTP server:
apr-1.7.0.tar.gz(http://apr.apache.org/download.cgi)
apr-util-1.6.1.tar.gz(http://apr.apache.org/download.cgi)
pcre2-10.34.tar.gz (ftp://ftp.pcre.org/pub/pcre/) http://pcre.org/
Read the Requirements section (http://httpd.apache.org/docs/2.4/install.html)
#3 Extract the tar files
tar -xvf httpd-2.4.41.tar.gz
tar -xvf apr-1.7.0.tar.gz
tar -xvf apr-util-1.6.1.tar.gz
tar -xvf pcre2-10.34.tar.gz
after extraction you should see following list of directories in ~/Downloads
httpd-2.4.41
apr-1.7.0
apr-util-1.6.1
pcre2-10.34
#4 Create a directory for the apache HTTP Server
*make sure to give all rights to this directory so that while compiling files can be read/written
sudo mkdir /home/{your username here}/apache
To give all permissions to the apache directory:
sudo chmod -R 777 /home/{your username here}/apache
#5 copy the apr and apr-util directory into the ~/Downloads/httpd-2.4.41/srclib/
cd ~/Downloads
mv apr-util-1.6.1 ~/Downloads/httpd-2.4.41/srclib/apr-util
mv apr-1.7.0 ~/Downloads/httpd-2.4.41/srclib/apr
#6 Configure the sources for compilation.
The --prefix option can be used to install the Web server in a location where you can write files.
cd ~/Downloads/httpd-2.4.41/
./configure --prefix=/home/{username here}/apache --with-pcre=~/Downloads/pcre2-10.34
NOTE:
If you have some problems while running the above command, you can also try
installing pcre in /usr/local/pcre, using
./configure --prefix=/usr/local/pcre
make
sudo make install
commands and then running the following commands:
cd ~/Downloads/httpd-2.4.41/
./configure --prefix=/home/{username here}/apache --with-pcre=/usr/local/pcre
make
sudo make install
If you still face some problems, make sure that ~/apache and its nested directories have read/write permissions. If not, run the sudo chmod -R 777 /home/{your username here}/apache command again.
#7 Compile Apache HTTP Server.
cd ~/Downloads/httpd-2.4.41
sudo make
#8 Install Apache HTTP Server.
cd ~/Downloads/httpd-2.4.41
sudo make install
Optional
#9 To Prepare Your Hosts File
sudo gedit /etc/hosts
127.0.0.1 localhost www.example.com
sudo gedit /home/{your username here}/apache/conf/httpd.conf
and copy:
Listen 8000
ServerName www.example.com:8000
#10 Test the installation to ensure Apache HTTP Server is working.
/home/{your username here}/apache/bin/apachectl -k start