ConfD User Community

Cannot dynamically link with libcrypto shared library

Dear Team,

Please guide me on the error received below:

[root@sys-214-29 conf-basic-5.3.2]# confd
/home/rdhanapa/confd-basic-5.3.2.linux.x86_64/conf-basic-5.3.2/etc/confd/confd.conf:0: cannot dynamically link with libcrypto shared library
Daemon died status=21


  • SYSTEM INFO:
    [root@sys-214-29 conf-basic-5.3.2]# cat /etc/os-release
    NAME="Red Hat Enterprise Linux Server"
    VERSION="7.0 (Maipo)"
    ID="rhel"
    ID_LIKE="fedora"
    VERSION_ID="7.0"
    PRETTY_NAME="Red Hat Enterprise Linux"
    ANSI_COLOR="0;31"
    CPE_NAME="cpe:/o:redhat:enterprise_linux:7.0:GA:server"
    HOME_URL="https://www.redhat.com/"
    BUG_REPORT_URL="https://bugzilla.redhat.com/"

    REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 7"
    REDHAT_BUGZILLA_PRODUCT_VERSION=7.0
    REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
    REDHAT_SUPPORT_PRODUCT_VERSION=7.0

Thanks in advance.

You either don’t have OpenSSL installed or have the wrong version installed. Please refer to Chapter 26.12.2 (Problems Starting ConfD) of the ConfD Basic 5.4 User Guide for more information.

Regards,

Wai

When ConfD is built, it has a dependency on OpenSSL 1.0.0. If your system has a version other than this, then you simply need to rebuild a pair of libraries. There is a description of how to handle this in the Installation category of the forum, in the topic found here: Using a Different Version of OpenSSL

There is currently a known problem using libcrypto from OpenSSL 1.0.2 with ConfD 5.4. The fix for this problem will be in the next release of ConfD Basic in June. Until then, you should use either OpenSSL 1.0.0 or 1.0.1 with ConfD Basic 5.4.

Dear Waitai and greg,

Thanks for your guidance.
As you said, it has a dependency on OpenSSL 1.0.0.
The issue was finally resolved after downgrading to 1.0.0 from 1.0.1.

Thanks for your intimation, Jlawitzke.
Good to hear this. Expecting your next release soon :)

Dear all, I get the same error. However my openssl version is 1.0.0r. Please help me out. I am stuck here.

$ openssl version
OpenSSL 1.0.0r 19 Mar 2015

$ make start
Killing any confd daemon or DHCP confd agents
/users/acmp/confd-basic.5.4/bin/confd --stop || true
connection refused (stop)
killall dhcpd_conf || true
dhcpd_conf: no process killed
/users/acmp/confd-basic.5.4/bin/confd -c confd.conf --addloadpath /users/acmp/confd-basic.5.4/etc/confd
Bad configuration: confd.conf:0: cannot dynamically link with libcrypto shared library
Daemon died status=21
make-3.79.1-p7: *** [start_confd] Error 21

If you have a requirement to use OpenSSL 1.0.0r, you will need to follow the instructions at Using a Different Version of OpenSSL to rebuild libconfd and the crypto interface module, and replace the versions in the ConfD release build. Otherwise, you will need to install a compatible version, OpenSSL 1.0.0 for all ConfD releases of Linux systems, on your system.

Thank you. I fixed the issue.

I’m trying to follow the re-compile instructions in this thread to re-compile for a newer libconfd.so and crypto.so using my openssl (0.9.8y) on the power-pc-linux platform.
My re-compiles are successful but I am still getting the “cannot dynamically link with libcrypto…” message upon confd startup.

I did a cross-platform compile of libconfd.so and crypto.so using the makefiles given in the zip. My target is linux powerpc and the build host is linux i686.

I’m sure my PATH and LD_LIBRARY_PATH are correct and there seems to be no confusion about which libcrypto is getting picked at runtime.

Q. Is there something different about the pre-built powerpc-linux version of the confd binary vs confd for i686? Is there something I could be missing that causes the error? Thanks for the help.

%confd -c confd.conf --addloadpath /export/hydra/home/qamar/netconf/Linux-ppc2020/confd-5.4/etc/confd
Bad configuration: confd.conf:0: cannot dynamically link with libcrypto shared library
Daemon died status=21

P.S. I have successfully done a similar re-compile exercise on my linux-686 platform, again to use openssl 0.9.8y, and that went just fine and the confd server was up and running.

Any insight into why powerpc build still complains about libcrypto?

There is nothing different about the power-pc-linux builds of ConfD vs the i686 builds.

Can you try using the strace utility with the -f flag to start the confd script and see if anything else may be wrong or missing in your PowerPC target environment?

If for some reason a new version of ConfD cannot be used, I have used the following solution/workaround (tested with ConfD-5.2, Ubuntu 16.10):

  • download openssl-1.0.1.u from https://www.openssl.org/source/

  • unpack downloaded package

  • build openssl-1.0.1.u

    ./config shared
    make all

  • copy libcrypto.so.1.0.0 to $CONFD_DIR/lib (where LD_LIBRARY_PATH points to after sourcing .confdrc)

I am using Confd 6.4 and Openssl 1.1.0f on Debian Stretch.
When trying to compile crypto.so, I am seeing this error:


confd/ConfD/confd-6.4/libconfd$ sudo make crypto
cd crypto && make all
make[1]: Entering directory ‘/mnt/hgfs/Arrcus_git/confd/ConfD/confd-6.4/libconfd/crypto’
gcc -DHAVE_DYNAMIC_CRYPTO_LIB -g -I. -Wall -fpic -O2 -c crypto.c
crypto.c:108:28: fatal error: openssl/chacha.h: No such file or directory
#include <openssl/chacha.h>
^
compilation terminated.
…/src/include.mk:47: recipe for target ‘crypto.o’ failed
make[1]: *** [crypto.o] Error 1
make[1]: Leaving directory ‘/mnt/hgfs/Arrcus_git/confd/ConfD/confd-6.4/libconfd/crypto’
Makefile:42: recipe for target ‘crypto//crypto.so’ failed
make: *** [crypto//crypto.so] Error 2


Any suggestions? Are we missing some FLAGs to be set?

OpenSSL 1.1 introduced many non-backward-compatible interface changes, I’m afraid it will not be supported by ConfD in the near future. You will need to use one of the 1.0.x versions.

Hi,

When I moved to the new centos7.4, we got openssl 1.0.2k, whereas our confd was previously working with openssl 1.0.1e. Now when I followed the steps mentioned above (get the 1.0.1e openssl, compile it on this system and copy it to the lib folder), libconfd.so points to this old openssl, which is good. But libcrypto.so is still linked with /usr/lib64/1.0.0 (which points to 1.0.2k).

To make it work, I had to directly change /usr/lib64/libcrypto.so.1.0.0 to point to 1.0.1e. Then confd worked. I could log in using the CLI, but not using ssh. That time I got the error “debug3: channel 0: status: The following connections are open: #0 client-session (t4 r0 i0/0 o0/0 fd 5/6 cc -1)”. This is after auth is successful with confd.

Is this a problem because of an incorrect openssl?

Thanks,
Prashant
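A check for the situation described in the posts above, where a private libcrypto.so.1.0.0 is copied into $CONFD_DIR/lib or the system symlink is repointed: it reports which file a soname resolves to along a search path and which OpenSSL release string that file carries. This is an added example, not ConfD code or part of any post; the function names, the fixture and the search path in the usage comment are assumptions, and RPATH/RUNPATH and ld.so.cache are not modelled.

```shell
# Added example (not ConfD code): which file does a libcrypto soname resolve to
# along a search path, and which OpenSSL release string is embedded in it?
# Approximation: directories are walked in order; RPATH/RUNPATH and ld.so.cache,
# which the real loader also consults, are ignored.

# resolve_lib SONAME DIR1:DIR2:... -> real path of the first match
resolve_lib() {
    old_ifs=$IFS; IFS=:
    for dir in $2; do
        IFS=$old_ifs
        if [ -n "$dir" ] && [ -e "$dir/$1" ]; then
            readlink -f "$dir/$1"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# openssl_version FILE -> first embedded version, e.g. "1.0.1e"
openssl_version() {
    LC_ALL=C grep -a -o 'OpenSSL [0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*' "$1" |
        head -n 1 | sed 's/^OpenSSL //'
}

# check_libcrypto SONAME SEARCH_PATH WANTED_PREFIX
# Prints "<real path> <version>"; returns 0 on match, 1 on mismatch, 2 if absent.
check_libcrypto() {
    lib=$(resolve_lib "$1" "$2") || { echo "$1: not found in $2"; return 2; }
    ver=$(openssl_version "$lib")
    echo "$lib $ver"
    case $ver in
        "$3"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed fixture: fake libraries that carry only a version string.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/confd/lib" "$root/usr/lib64"
    printf '\177ELF\001OpenSSL 1.0.1e-fips 11 Feb 2013\n' > "$root/usr/lib64/libcrypto.so.1.0.1e"
    ln -s libcrypto.so.1.0.1e "$root/usr/lib64/libcrypto.so.1.0.0"
    printf '\177ELF\001OpenSSL 1.0.2k-fips  26 Jan 2017\n' > "$root/confd/lib/libcrypto.so.1.0.0"
    echo "$root"
}

# Usage on a real host (paths are assumptions):
#   check_libcrypto libcrypto.so.1.0.0 "$CONFD_DIR/lib:/usr/lib64:/usr/lib" 1.0.1
```

A pinned copy found this way is a file the distribution's package updates no longer replace, so it belongs in the patch inventory alongside the system library.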

Hello

I have taken Confd version 7.3.2.
This works fine with
openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

I could see the confd process is up and everything works fine.

But we have a container where the OpenSSL version is OpenSSL 1.0.1e-fips 11 Feb 2013

and I get the error below:
confd.conf:0: cannot dynamically link with libcrypto shared library
Daemon died status=21

from /usr/lib64
lrwxrwxrwx 1 root root 15 Dec 23 14:06 libcrypto.so.1.0.0
-rwxr-xr-x 1 root root 2012800 Jun 23 2015 libcrypto.so.1.0.1e
-rwxr-xr-x 1 root root 2013048 Dec 23 12:38 libcrypto.so.10
lrwxrwxrwx 1 root root 18 Aug 26 2016 libk5crypto.so.3 -> libk5crypto.so.3.1
-rwxr-xr-x 1 root root 202576 Sep 4 2015 libk5crypto.so.3.1

Can you please help get this resolved? I have tried creating soft links for this crypto library as mentioned in the other discussion thread, but it is not working.

I faced a similar issue, so I moved the libcrypto library that worked with CONFD into the docker image by adding a COPY command in the Dockerfile.

I did not see this issue with CONFD 7.5

For ConfD 7.4 or earlier, you can for example use this Dockerfile as a reference:

A Centos 8 variant that doesn’t require rebuilding libcrypto: