Confd almalinux 8.7

Dear Experts,

Please guide me on fixing the below issue:

Issue regarding confd startup

Confd is not starting up in almalinux 8.7

alma linux 8.7 + confd 6.6.1

In /var/log/message I could see the below error while starting confd:
Bad configuration: can’t–dynamically-link-with-libcrypto–shared-library

Output of

  1. ldd /opt/confd-6.6.1/lib/confd/lib/core/crypto/priv/lib/crypto.so
    linux-vdso.so.1 (0x00007ffd2d50e000)
    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f6778329000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f6777f63000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f6777d5f000)
    libz.so.1 => /lib64/libz.so.1 (0x00007f6777b47000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f677899d000)

  2. cd /lib64
    ls -l libcrypto*
    lrwxrwxrwx. 1 root root 26 Jan 11 2021 libcrypto.so -> /usr/lib64/libcrypto.so.10
    lrwxrwxrwx. 1 root root 19 Jun 29 2022 libcrypto.so.10 -> libcrypto.so.1.0.2o
    lrwxrwxrwx. 1 root root 30 May 29 08:21 libcrypto.so.1.0.0 -> /usr/lib64/libcrypto.so.1.0.2o
    -rwxr-xr-x. 1 root root 2521136 Jun 29 2022 libcrypto.so.1.0.2o
    lrwxrwxrwx. 1 root root 19 Mar 22 10:53 libcrypto.so.1.1 -> libcrypto.so.1.1.1k
    -rwxr-xr-x. 1 root root 3083896 Mar 22 10:53 libcrypto.so.1.1.1k

  3. rpm -qa | grep openssl
    compat-openssl10-1.0.2o-4.el8_6.x86_64
    openssl-libs-1.1.1k-9.el8_7.x86_64
    openssl-1.1.1k-9.el8_7.x86_64
    openssl-pkcs11-0.4.10-2.el8.x86_64
    xmlsec1-openssl-1.2.25-4.el8.x86_64

I think openssl1.1 is compatible with confd6.6.1… Hence not sure why
we are getting the error

Could you please share your views

cat /etc/os-release
NAME="AlmaLinux"
VERSION="8.7 (Stone Smilodon)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="8.7"
PLATFORM_ID="platform:el8"
PRETTY_NAME="AlmaLinux 8.7 (Stone Smilodon)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:almalinux:almalinux:8::baseos"
HOME_URL="https://almalinux.org/

ALMALINUX_MANTISBT_PROJECT="AlmaLinux-8"
ALMALINUX_MANTISBT_PROJECT_VERSION="8.7"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.7"

Thanks in Advance

The crypto.so of the old ConfD 6.6.1, released 5 years ago, does not work with OpenSSL 1.1, and your crypto.so seems to have been rebuilt for some other target system. For OpenSSL 1.1, try ConfD 7.x or 8.x (latest).

Since you have installed OpenSSL 1.0, you can try using the original ConfD 6.6.1 crypto.so and, for example, make a symbolic link:
$ ln -s /usr/lib64/libcrypto.so.1.0.2o /usr/lib64/libcrypto.so.1.0.0

Thanks @cohult for reaching out on this… I tried creating the softlink with -sf option… and even tried restarting confd… but even after that issue was not resolved…

So I installed openssl-libs-1.0.2 as below:
rpm --force -iv openssl-libs-1.0.2u.6.2.374-20200204204722.el7.x86_64.rpm

Now confd is up and running.

  1. Is that the correct way to go about it…?
    (AlmaLinux 8.7 comes with openssl-libs-1.1.1)

  2. Now I see a paramiko ssh issue while running netconf-console
    Incompatible ssh peer (no acceptable host key)
    Is this a known issue related to libcrypto / confd… ?

/opt/cisco/esc/confd/bin/netconf-console --port=830 --host=127.0.0.1 --user=admin --password=****** --get -x "datamodel/opdata"
False
server_key_algo_list
['']
self.preferred_keys=
('ssh-ed25519', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521', 'ssh-rsa', 'ssh-dss')
agreed_keys=
[]
Exception: Incompatible ssh peer (no acceptable host key)
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/paramiko/transport.py", line 2083, in run
    self._handler_table[ptype](self, m)
  File "/usr/local/lib/python3.6/site-packages/paramiko/transport.py", line 2198, in _negotiate_keys
    self._parse_kex_init(m)
  File "/usr/local/lib/python3.6/site-packages/paramiko/transport.py", line 2385, in _parse_kex_init
    "Incompatible ssh peer (no acceptable host key)"
paramiko.ssh_exception.SSHException: Incompatible ssh peer (no acceptable host key)

Kindly suggest

Yes, as you can only use OpenSSL 1.0.x with ConfD 6.6.1.
The most correct way to do it would be to upgrade ConfD to a modern 8.x version and use OpenSSL 1.1.x.

The issue is that you use a 5-year-old EOL ConfD version. As of OpenSSH-7.8 keys are generated like this (see https://www.openssh.com/txt/release-7.8 for more details):

-----BEGIN OPENSSH PRIVATE KEY-----
… something base64-encoded …
-----END OPENSSH PRIVATE KEY-----

The ConfD 6.6.1 installation generates SSH keys using an old, no longer supported format. Hence, you need to generate new keys for your ConfD installation using something like the following:

ssh-keygen -t rsa -m PEM -f $CONFD_DIR/etc/confd/ssh/ssh_host_rsa_key
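
To see which on-disk format each host key is in before and after regenerating with `-m PEM`, the header line of every key file can be checked. This is an added example, not part of the original thread or of ConfD's tooling; the function names and the `ssh_host_*_key` file-name pattern are assumptions, and the sample files are constructed header-only stand-ins containing no key material.

```shell
#!/bin/sh
# Added example (not ConfD or OpenSSH code): report the on-disk format of SSH host
# private keys by looking at the first line (the PEM armor header) of each file.

# key_format FILE -> openssh | pem-rsa | pem-ec | pem-dsa | pkcs8 | unknown
key_format() {
    # Only the header line is read; a trailing CR (CRLF file) is stripped.
    first=$(head -n 1 "$1" 2>/dev/null | tr -d '\r')
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;  # default since OpenSSH 7.8
        "-----BEGIN RSA PRIVATE KEY-----")     echo pem-rsa ;;  # what -m PEM writes for RSA
        "-----BEGIN EC PRIVATE KEY-----")      echo pem-ec ;;
        "-----BEGIN DSA PRIVATE KEY-----")     echo pem-dsa ;;
        "-----BEGIN PRIVATE KEY-----"|"-----BEGIN ENCRYPTED PRIVATE KEY-----")
                                               echo pkcs8 ;;
        *)                                     echo unknown ;;
    esac
}

# audit_keys DIR -> one report line per ssh_host_*_key file (the *.pub files do not
# match the glob). Returns 0 only if every key found is in a legacy PEM format,
# which is the format the reply above asks for (assumption: nothing else is accepted).
audit_keys() {
    rc=0
    for f in "$1"/ssh_host_*_key; do
        [ -f "$f" ] || continue
        fmt=$(key_format "$f")
        case "$fmt" in
            pem-*) echo "ok    $fmt $f" ;;
            *)     echo "flag  $fmt $f"; rc=1 ;;
        esac
    done
    return "$rc"
}

# With CONFD_DIR set, audit the key directory used on this page; otherwise run on
# constructed header-only sample files.
if [ -n "${CONFD_DIR:-}" ]; then
    audit_keys "$CONFD_DIR/etc/confd/ssh" || true
else
    tmp=$(mktemp -d)
    printf '%s\n' "-----BEGIN OPENSSH PRIVATE KEY-----" > "$tmp/ssh_host_rsa_key"
    printf '%s\n' "-----BEGIN EC PRIVATE KEY-----" > "$tmp/ssh_host_ecdsa_key"
    audit_keys "$tmp" || true
    rm -rf "$tmp"
fi
```

A key reported as `flag  openssh` is one to regenerate with the `ssh-keygen ... -m PEM` command above; rerunning the check afterwards should show `ok    pem-rsa` for that file.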