An HTTPS setup for nginx was needed. The OpenSSL on the box had been installed with yum and was an old version:
[root@nginx ~]# yum install -y pcre pcre-devel openssl openssl-devel gcc
[root@nginx ~]# openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Wed Mar 22 21:43:28 UTC 2017
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  rdrand dynamic
The OpenSSL that yum installs by default is 1.0.1; the plan was to upgrade it to 1.1.0. Two things are worth knowing before doing this. The 1.0.1e package is not the upstream 1.0.1e of February 2013: "built on: Wed Mar 22 2017" is Red Hat's rebuild, into which security fixes are backported without changing the version string, so `openssl version` alone does not tell you which CVEs are fixed (`rpm -q --changelog openssl | grep CVE` does). And a hand-built OpenSSL under /usr/local gets no such fixes from yum: from then on you own its patching, and the 1.1.0 branch itself reached end of life in September 2019. The upgrade as it was performed:
[root@nginx ~]# wget https://www.openssl.org/source/openssl-1.1.0g.tar.gz
[root@nginx ~]# tar -zvxf openssl-1.1.0g.tar.gz
[root@nginx ~]# cd openssl-1.1.0g
[root@nginx openssl-1.1.0g]# ./config shared zlib
[root@nginx openssl-1.1.0g]# make
[root@nginx openssl-1.1.0g]# make install
[root@nginx openssl-1.1.0g]# mv /usr/bin/openssl /usr/bin/openssl.bak
[root@nginx openssl-1.1.0g]# mv /usr/include/openssl /usr/include/openssl.bak
[root@nginx openssl-1.1.0g]# find / -name openssl
/etc/pki/ca-trust/extracted/openssl
/data/software/nginx-1.12.2/auto/lib/openssl
/data/software/openssl-1.1.0g/apps/openssl
/data/software/openssl-1.1.0g/include/openssl
/usr/lib64/openssl
/usr/local/share/doc/openssl
/usr/local/include/openssl
/usr/local/bin/openssl
/usr/include/openssl
/usr/bin/openssl
[root@nginx openssl-1.1.0g]# ln -s /usr/local/bin/openssl /usr/bin/openssl
[root@nginx openssl-1.1.0g]# ln -s /usr/local/include/openssl /usr/include/openssl
[root@external-lb01 ~]# find / -name "libssl*"
/data/software/openssl-1.1.0g/libssl.pc
/data/software/openssl-1.1.0g/libssl.so
/data/software/openssl-1.1.0g/libssl.a
/data/software/openssl-1.1.0g/libssl.so.1.1
/data/software/openssl-1.1.0g/util/libssl.num
/usr/lib64/libssl3.so
/usr/lib64/pkgconfig/libssl.pc
/usr/lib64/libssl.so.1.0.1e
/usr/lib64/libssl.so
/usr/lib64/libssl.so.10
/usr/local/lib64/libssl.a
/usr/local/lib64/pkgconfig/libssl.pc
/usr/local/lib64/libssl.so
/usr/local/lib64/libssl.so.1.1
[root@nginx openssl-1.1.0g]# echo "/usr/local/lib64/" >> /etc/ld.so.conf
[root@nginx openssl-1.1.0g]# ldconfig
[root@nginx openssl-1.1.0g]# openssl version -a
OpenSSL 1.1.0g  2 Nov 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
compiler: gcc -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib64/engines-1.1\"" -Wa,--noexecstack
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib64/engines-1.1"

What this did: `make install` with the default prefix put the new CLI in /usr/local/bin, the headers in /usr/local/include and the libraries in /usr/local/lib64 (exactly what the find output shows); nothing under /usr/lib64 changed. The two symlinks make `openssl` and `#include <openssl/...>` resolve to 1.1.0, but the linker's default `libssl.so` in /usr/lib64 (from openssl-devel) still belongs to 1.0.1e. Any later build that uses plain `-lssl` without `-L/usr/local/lib64` therefore compiles against 1.1.0 headers and links a 1.0.1e library; the nginx and keepalived failures further down are that mismatch. Note also that the distro's own binaries (curl, yum, sshd, ...) keep loading libssl.so.10/libcrypto.so.10 from /usr/lib64: the sonames differ (libssl.so.1.1 vs libssl.so.10), so adding /usr/local/lib64 to ld.so.conf changes nothing for them. This "upgrade" affects only the `openssl` CLI and software built against it afterwards.
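The checks below are an added example, not part of the original log. After a hand-built OpenSSL is installed, the two questions that matter are which libssl a given binary will actually load and whether the `openssl` on PATH is the version you think. The parsing functions take text so they can be run offline against constructed `ldd` output; `verify_live` calls the real tools. The paths (/usr/local/lib64, /data/nginx/sbin/nginx) are taken from the log above and are assumptions about this particular box.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks after installing
# a hand-built OpenSSL. Pure functions take text; verify_live runs the tools.
set -eu

# Turn "1.0.1e", "1.1.0g" or "1.0.1e-fips" into a fixed-width key such as
# "001001000g" that compares correctly as a plain string.
ssl_ver_key() (
    v=$1
    maj=${v%%.*}; rest=${v#*.}
    min=${rest%%.*}; fix=${rest#*.}
    fix=${fix%%-*}                                  # drop "-fips" and similar suffixes
    letter=$(printf '%s' "$fix" | tr -cd 'a-z')
    fix=$(printf '%s' "$fix" | tr -cd '0-9')
    printf '%03d%03d%03d%s' "$maj" "$min" "$fix" "${letter:-0}"
)

# True when OpenSSL version $1 is at least version $2.
ssl_ver_ge() {
    expr "$(ssl_ver_key "$1")" '>=' "$(ssl_ver_key "$2")" >/dev/null
}

# From `ldd <binary>` output, print the path of the libssl the loader would
# use, or "none" if no libssl.so appears (an nginx built with --with-openssl
# links libssl.a statically and shows nothing here).
libssl_from_ldd() (
    path=$(printf '%s\n' "$1" | awk '$1 ~ /^libssl[.]so/ && $2 == "=>" { print $3; exit }')
    printf '%s\n' "${path:-none}"
)

# Live check (not exercised by the offline tests): BINARY must resolve libssl
# under LIBDIR, and the openssl CLI on PATH must report at least WANT.
verify_live() {
    bin=$1; libdir=$2; want=$3
    got=$(libssl_from_ldd "$(ldd "$bin")")
    case "$got" in
        "$libdir"/*) ;;
        *) echo "FAIL: $bin loads libssl from $got, not $libdir" >&2; return 1 ;;
    esac
    cli=$(openssl version | awk '{ print $2 }')
    if ! ssl_ver_ge "$cli" "$want"; then
        echo "FAIL: openssl CLI reports $cli, wanted >= $want" >&2; return 1
    fi
    echo "OK: $bin -> $got; openssl CLI $cli"
}

# Constructed ldd output (not captured from the box) for the states the log
# describes: a binary on the distro library, one on the hand-built 1.1.0g,
# and one with OpenSSL linked in statically.
LDD_DISTRO='    linux-vdso.so.1 =>  (0x00007ffc8a1fe000)
    libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f0c2a600000)
    libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f0c2a200000)'
LDD_LOCAL='    libssl.so.1.1 => /usr/local/lib64/libssl.so.1.1 (0x00007f7d3e400000)
    libcrypto.so.1.1 => /usr/local/lib64/libcrypto.so.1.1 (0x00007f7d3df00000)'
LDD_STATIC='    libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f1a9c800000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f1a9c400000)'

# On the box itself:
#   verify_live /data/nginx/sbin/nginx /usr/local/lib64 1.1.0g
```

Run `verify_live` against every binary you expect to benefit from the new library; a result of `none` means OpenSSL is linked statically (as the rebuilt nginx later on this page is), so that binary will not pick up any later fix to the shared library and has to be rebuilt instead.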
=============== Problems compiling nginx after the OpenSSL upgrade ================
With the local OpenSSL upgraded as above, the previously compiled nginx turned out to lack the stream module, so it had to be added by rebuilding the binary and swapping it in without reinstalling nginx. The steps:
Check first: nginx does not have the stream module.
[root@external-lb01 ~]# /data/nginx/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
built with OpenSSL 1.1.0g  2 Nov 2017
TLS SNI support enabled
configure arguments: --prefix=/data/nginx --user=www --group=www --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre

Before doing anything, back up the existing nginx install directory so there is something to roll back to if this goes wrong!
[root@external-lb01 ~]# cp -r /data/nginx /mnt/nginx.bak

The original configure command was:
[root@external-lb01 vhosts]# cd /data/software/nginx-1.12.2
[root@external-lb01 nginx-1.12.2]# ./configure --prefix=/data/nginx --user=www --group=www --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre

Now add stream; the configure command becomes:
[root@external-lb01 vhosts]# cd /data/software/nginx-1.12.2
[root@external-lb01 nginx-1.12.2]# ./configure --prefix=/data/nginx --user=www --group=www --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream

It fails:
......
./configure: error: SSL modules require the OpenSSL library.
You can either do not enable the modules, or install the OpenSSL library
into the system, or build the OpenSSL library statically from the source
with nginx by using --with-openssl=<path> option.

Cause: the OpenSSL upgrade. configure's OpenSSL probe compiles a small test program against <openssl/ssl.h> and links it with -lssl -lcrypto; after the upgrade /usr/include/openssl holds the 1.1.0 headers while the linker's default libssl.so in /usr/lib64 is still 1.0.1e, so the probe fails to link (the exact error is recorded in objs/autoconf.err). The `openssl` CLI at this point is the new one:
[root@external-lb01 nginx-1.12.2]# openssl version -a
OpenSSL 1.1.0g  2 Nov 2017
built on: reproducible build, date unspecified
platform: dist
compiler: cc -DNDEBUG -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines-1.1\""
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib/engines-1.1"

So the configure command was changed to:
[root@external-lb01 nginx-1.12.2]# ./configure --prefix=/data/nginx --user=www --group=www --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-openssl=/usr/local/ssl

Note that --with-openssl=<path> expects the OpenSSL source tree: nginx runs ./config and make inside it and links the resulting static libssl.a/libcrypto.a from <path>/.openssl. /usr/local/ssl is only OPENSSLDIR (the config and certificate directory), which is why the next step fails. Pointing it at the unpacked source (/data/software/openssl-1.1.0g on this box) would avoid the conf edit and the library symlinks that follow. What was actually done is recorded below.

Then run make. Be careful: do NOT run make install, since that overwrites the files under /data/nginx in place; the new binary is copied over by hand afterwards.
[root@external-lb01 nginx-1.12.2]# make
Another error:
.......
make[1]: *** [/usr/local/ssl/.openssl/include/openssl/ssl.h] Error 127
make[1]: Leaving directory `/usr/local/src/nginx-1.9.9'
make: *** [build] Error 2

Workaround:
[root@external-lb01 nginx-1.12.2]# cd auto/lib/openssl
[root@external-lb01 openssl]# cp conf /mnt/
[root@external-lb01 openssl]# vim conf
Change
    CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
    CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
    CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
    CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"
    CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
to
    CORE_INCS="$CORE_INCS $OPENSSL/include"
    CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"
    CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libssl.a"
    CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libcrypto.a"
    CORE_LIBS="$CORE_LIBS $NGX_LIBDL"

Then make again:
[root@external-lb01 nginx-1.12.2]# make
It now complains that these two files are missing:
/usr/local/ssl/lib/libssl.a
/usr/local/ssl/lib/libcrypto.a
Workaround:
[root@external-lb01 nginx-1.12.2]# mkdir /usr/local/ssl/lib
[root@external-lb01 nginx-1.12.2]# ln -s /usr/local/lib64/libssl.a /usr/local/ssl/lib/libssl.a
[root@external-lb01 nginx-1.12.2]# ln -s /usr/local/lib64/libcrypto.a /usr/local/ssl/lib/libcrypto.a
Now make succeeds:
[root@external-lb01 nginx-1.12.2]# make

Finally swap the binary in:
[root@external-lb01 nginx-1.12.2]# cp -f /data/software/nginx-1.12.2/objs/nginx /data/nginx/sbin/nginx
[root@external-lb01 nginx-1.12.2]# pkill -9 nginx
[root@external-lb01 nginx-1.12.2]# /data/nginx/sbin/nginx

This is a hard restart rather than a graceful swap: pkill -9 drops every in-flight connection. nginx can replace its own binary without downtime: send USR2 to the master (it execs the new binary and writes a new pid file, moving its own to nginx.pid.oldbin), then WINCH and QUIT to the old master once the new one is confirmed running. Also, because libssl.a/libcrypto.a were linked in statically, this nginx no longer follows the shared libssl on the box; a later OpenSSL fix means rebuilding nginx.

Check: nginx now has the stream module.
[root@external-lb01 nginx-1.12.2]# /data/nginx/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
built with OpenSSL 1.1.0g  2 Nov 2017
TLS SNI support enabled
configure arguments: --prefix=/data/nginx --user=www --group=www --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-openssl=/usr/local/ssl
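An added example, not from the original log: the module check above done by parsing `nginx -V` instead of eyeballing it, plus a reading of which OpenSSL the binary was built with versus which it is running with (nginx prints "built with OpenSSL X" and, only when the library it actually loaded differs, appends "(running with OpenSSL Y)"), and the binary swap done with nginx's own USR2/WINCH/QUIT sequence rather than pkill -9. The `nginx -V` texts are constructed to match the two builds described above; the paths under /data/nginx come from the log, and the pid file location assumes the default logs/nginx.pid.

```shell
#!/bin/sh
# Added example (not from the original post). Parsing functions take the
# captured text of `nginx -V 2>&1` (it writes to stderr); nginx_hot_upgrade
# talks to a real master process and is not run by the offline tests.
set -eu

# $2 is the module name as it appears after --with-, e.g. stream or
# http_ssl_module. Whole-token match, so "stream" does not match
# --with-stream_ssl_module; "=dynamic" builds count as present.
nginx_has_module() (
    args=$(printf '%s\n' "$1" | sed -n 's/^configure arguments: *//p')
    printf '%s\n' "$args" | tr ' ' '\n' | grep -qxE -- "--with-$2(=dynamic)?"
)

# The OpenSSL version the binary is actually running with: the "(running
# with ...)" value when nginx prints one, otherwise the "built with" value.
nginx_runtime_openssl() (
    printf '%s\n' "$1" | sed -n \
        -e 's/^built with OpenSSL [^ ]* .*(running with OpenSSL \([^ ]*\)[^)]*).*/\1/p' \
        -e 't' \
        -e 's/^built with OpenSSL \([^ ]*\).*/\1/p'
)

# Live binary swap (not run by the offline tests). Assumes the new binary is
# already at $bin (move the old one aside first so it can be put back). If
# the new master does not come up, the old one is left serving.
nginx_hot_upgrade() {
    bin=${1:-/data/nginx/sbin/nginx}
    pidfile=${2:-/data/nginx/logs/nginx.pid}
    "$bin" -t                               # the new binary must accept the config
    old=$(cat "$pidfile")
    kill -USR2 "$old"                       # old master execs $bin; its pid moves to nginx.pid.oldbin
    sleep 3
    if [ ! -s "$pidfile.oldbin" ] || ! kill -0 "$(cat "$pidfile")" 2>/dev/null; then
        echo "new master did not start; old master $old still serving" >&2
        return 1
    fi
    kill -WINCH "$old"                      # old workers finish their requests and exit
    kill -QUIT "$old"                       # old master exits
    echo "upgraded: new master $(cat "$pidfile")"
}

# Constructed `nginx -V` output (not captured from the box) for the build
# before and after adding stream.
NGINX_V_BEFORE='nginx version: nginx/1.12.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
built with OpenSSL 1.1.0g  2 Nov 2017 (running with OpenSSL 1.1.0h  27 Mar 2018)
TLS SNI support enabled
configure arguments: --prefix=/data/nginx --user=www --group=www --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre'
NGINX_V_AFTER='nginx version: nginx/1.12.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
built with OpenSSL 1.1.0g  2 Nov 2017
TLS SNI support enabled
configure arguments: --prefix=/data/nginx --user=www --group=www --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-openssl=/usr/local/ssl'

# On the box itself:
#   nginx_has_module "$(/data/nginx/sbin/nginx -V 2>&1)" stream && nginx_hot_upgrade
```

The "(running with ...)" check is the one to watch on a box like this one, where several OpenSSL builds coexist: it is the only place nginx tells you which library it loaded, and for the statically linked build above it will never show anything but the compiled-in version.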
=======================================================
Upgrading OpenSSL as above can break compile-from-source installs of other services. If the breakage cannot be sorted out quickly, it is best to roll back to the stock version:
After OpenSSL was taken from the stock OpenSSL 1.0.1e to OpenSSL 1.1.1e, building keepalived failed with:
.........
/usr/local/src/keepalived-1.3.5/keepalived/check/check_ssl.c:70: undefined reference to `OPENSSL_init_ssl'
.........
This is the header/library mismatch again: OPENSSL_init_ssl() exists only in OpenSSL 1.1 (SSL_library_init() is a macro for it in the 1.1 ssl.h), so the compiler saw the 1.1 headers via /usr/include/openssl while the linker resolved -lssl to the stock 1.0.1e library in /usr/lib64, which has no such symbol. Passing -L/usr/local/lib64 in LDFLAGS would pair the headers with the matching library; here OpenSSL was rolled back instead.

After an OpenSSL upgrade, the compile-from-source install of an application may fail (nginx and keepalived were both hit). The last resort is to put OpenSSL back to the stock state, as follows.

Locate openssl, then delete the upgraded copy:
[root@localhost ~]# find / -name openssl
[root@localhost ~]# rm -rf /usr/local/src/openssl-1.1.1
[root@localhost ~]# rm -rf /usr/local/bin/openssl
[root@localhost ~]# rm -rf /usr/local/share/doc/openssl
[root@localhost ~]# rm -rf /usr/local/include/openssl
Then check the openssl version:
[root@localhost ~]# which openssl
/usr/bin/openssl
[root@localhost ~]# openssl version -a
This errors with "/usr/local/bin/openssl: No such file or directory". That is bash's command hash still pointing at the deleted /usr/local/bin/openssl; `hash -r` clears it without a reboot. The machine was rebooted instead:
[root@localhost ~]# init 6
After the reboot, check the version again; if the stock version is reported, the rollback worked.
[root@localhost ~]# openssl version -a
If it still reports "/usr/local/bin/openssl: No such file or directory", uninstall openssl and reinstall it!
Note: before uninstalling openssl, make sure the rz/sz commands are installed (yum install -y lrzsz) so files can be uploaded from another machine afterwards.
[root@localhost ~]# rpm -qa|grep openssl
[root@localhost ~]# rpm -e openssl-devel-1.0.1e-57.el6.x86_64 --nodeps
[root@localhost ~]# rpm -e openssl-1.0.1e-57.el6.x86_64 --nodeps
After openssl is uninstalled, installing it with yum fails:
[root@localhost ~]# yum install -y openssl openssl-devel
Error:
libssl.so.10: cannot open shared object file: No such file or directory
libcrypto.so.10: cannot open shared object file: No such file or directory
Removing the openssl package took libssl.so.10 and libcrypto.so.10 with it, and yum itself loads them (through libcurl), so yum can no longer run; this dependency is what --nodeps overrode.
So the two files are copied over from another machine that still has the stock OpenSSL (sz on that machine, rz on this one): download libssl.so.1.0.1e and libcrypto.so.1.0.1e into /usr/lib64 on this machine, set their permissions and create the symlinks.
Permissions: the listing below shows 0755 (-rwxr-xr-x), and that is what they must be. Do not chmod 777 shared libraries in /usr/lib64: a world-writable libcrypto can be overwritten by any local user and is then loaded into every root process that uses it. A cleaner route than rz/sz is to fetch the exact openssl RPM that rpm -qa listed from a mirror and install it with rpm -Uvh --force, so the files arrive with package metadata and can be checked afterwards with rpm -V openssl.
[root@localhost ~]# cd /usr/lib64/
[root@localhost lib64]# ll libssl.so.10
lrwxrwxrwx 1 root root 16 Dec 20 17:16 libssl.so.10 -> libssl.so.1.0.1e
[root@localhost lib64]# ll libssl.so.1.0.1e
-rwxr-xr-x 1 root root 443416 Mar 23  2017 libssl.so.1.0.1e
[root@localhost lib64]# ll libcrypto.so.10
lrwxrwxrwx 1 root root 19 Dec 20 17:16 libcrypto.so.10 -> libcrypto.so.1.0.1e
[root@localhost lib64]# ll libcrypto.so.1.0.1e
-rwxr-xr-x 1 root root 1971488 Mar 23  2017 libcrypto.so.1.0.1e
[root@localhost lib64]# cat /etc/ld.so.conf
include ld.so.conf.d/*.conf
/usr/lib64/
[root@localhost lib64]# ldconfig
Then reboot the server:
[root@localhost lib64]# init 6
[root@localhost lib64]# openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Wed Mar 22 21:43:28 UTC 2017
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  rdrand dynamic
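An added example, not from the original log: a rollback that reverses the upgrade at the top of this page step by step (the .bak copies it left behind, the hand-built CLI in /usr/local/bin, and the line it appended to /etc/ld.so.conf) instead of removing the distro RPMs with --nodeps, which is what made yum unusable above. It also enforces 0755 on the distro libraries rather than 0777. The ROOT argument is an assumption added so the function can be exercised on a scratch tree; on the real box it is left empty. Paths are the ones used in the upgrade log; the script uses GNU readlink and stat.

```shell
#!/bin/sh
# Added example (not from the original post): undo the manual OpenSSL install
# by reversing its own steps. rollback_openssl [ROOT]; ROOT is empty on a
# real system and a scratch directory when testing.
set -eu

# Delete every line of FILE that equals LINE exactly (literal match).
drop_line() (
    file=$1; line=$2
    if [ -f "$file" ]; then
        tmp=$file.tmp.$$
        grep -vxF -- "$line" "$file" > "$tmp" || true   # grep exits 1 when nothing remains
        cat "$tmp" > "$file"
        rm -f "$tmp"
    fi
)

rollback_openssl() (
    root=${1:-}
    # 1. Put the distro CLI and headers back where the upgrade moved them
    #    from, removing the symlinks that pointed at /usr/local.
    for p in usr/bin/openssl usr/include/openssl; do
        if [ -e "$root/$p.bak" ]; then
            if [ -L "$root/$p" ]; then rm -f "$root/$p"; fi
            mv "$root/$p.bak" "$root/$p"
        fi
    done
    # 2. /usr/local/bin precedes /usr/bin in root's PATH, so the hand-built
    #    CLI would still shadow the distro one; move it aside.
    if [ -f "$root/usr/local/bin/openssl" ]; then
        mv "$root/usr/local/bin/openssl" "$root/usr/local/bin/openssl.disabled"
    fi
    # 3. Stop the loader from searching /usr/local/lib64. Distro binaries
    #    never used it (their soname is libssl.so.10, not libssl.so.1.1).
    drop_line "$root/etc/ld.so.conf" /usr/local/lib64/
    # 4. The distro libraries must exist and must not be world-writable: a
    #    0777 libcrypto in /usr/lib64 can be replaced by any local user and
    #    is then loaded into every root process that uses it.
    for lib in usr/lib64/libssl.so.10 usr/lib64/libcrypto.so.10; do
        target=$(readlink -f "$root/$lib" 2>/dev/null || true)
        if [ ! -f "$target" ]; then
            echo "missing: $root/$lib (reinstall the distro openssl package first)" >&2
            exit 1   # the function body is a subshell, so this only leaves the function
        fi
        [ "$(stat -c %a "$target")" = 755 ] || chmod 755 "$target"
    done
    # 5. Rebuild the loader cache (real system only). Run `hash -r` in your
    #    shell afterwards so bash forgets the old path to openssl.
    [ -n "$root" ] || ldconfig
)

# On the box itself:
#   rollback_openssl && hash -r && openssl version
```

After this, anything that was built against the 1.1.0 library in the meantime (the statically linked nginx above is unaffected, a dynamically linked build is not) stops working by design; rebuild it against the stock headers or keep it pinned to /usr/local/lib64 with an explicit rpath.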