OpenSSL might not be installed on this system

sisambas · January 10, 2022, 12:17pm

Dear ConfD Team,

In our product ESC (Elastic service controller),
we are upgrading from confd 661 to 763.

We are getting the below errors while starting confd

[root@dnd-sisambas-confd753b-debug1 lib64]# sudo runuser -s /bin/sh - esc-user -c "cd /opt/cisco/esc/esc-confd; /opt/cisco/esc/confd/bin/confd --foreground -c /opt/cisco/esc/esc_database/esc_production_confd.conf --addloadpath /opt/cisco/esc/confd/etc/confd --addloadpath /opt/cisco/esc/esc-confd/YANGmodels-tailf"

=ERROR REPORT==== 7-Jan-2022::11:38:38.417606 ===
**Unable to load crypto library. Failed with error:**
**"load_failed, Failed to load NIF library: '/opt/cisco/esc/confd/lib/confd/lib/core/crypto/priv/lib/crypto.so: undefined symbol: ENGINE_unregister_STORE'"**
**OpenSSL might not be installed on this system.**

=WARNING REPORT==== 7-Jan-2022::11:38:38.444382 ===
The on_load function for module crypto returned:
{error,{load_failed,"Failed to load NIF library: '/opt/cisco/esc/confd/lib/confd/lib/core/crypto/priv/lib/crypto.so: undefined symbol: ENGINE_unregister_STORE'"}}

=ERROR REPORT==== 7-Jan-2022::11:38:38.450360 ===
Unable to load crypto library. Failed with error:
"load_failed, Failed to load NIF library: '/opt/cisco/esc/confd/lib/confd/lib/core/crypto/priv/lib/crypto.so: undefined symbol: ENGINE_unregister_STORE'"
OpenSSL might not be installed on this system.

=WARNING REPORT==== 7-Jan-2022::11:38:38.451010 ===
The on_load function for module crypto returned:
{error,{load_failed,"Failed to load NIF library: '/opt/cisco/esc/confd/lib/confd/lib/core/crypto/priv/lib/crypto.so: undefined symbol: ENGINE_unregister_STORE'"}}

"Bad configuration: /opt/cisco/esc/esc_database/esc_production_confd.conf:0: cannot dynamically link with libcrypto shared library\n"

=ERROR REPORT==== 7-Jan-2022::11:38:38.453158 ===
init:boot_msg: "Bad configuration: /opt/cisco/esc/esc_database/esc_production_confd.conf:0: cannot dynamically link with libcrypto shared library\n"

</COMPLETE ERROR SNIPPET>

Other outputs captured for debugging:

output1)

[root@dnd-sisambas-confd753b-debug1 opt]# **ldd /opt/confd-7.5.3/lib/confd/lib/core/crypto/priv/lib/crypto.so**
linux-vdso.so.1 (0x00007ffd373ed000)
libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007fc4f4e8c000)
libc.so.6 => /lib64/libc.so.6 (0x00007fc4f4ac7000)
libz.so.1 => /lib64/libz.so.1 (0x00007fc4f48b0000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fc4f46ac000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fc4f448c000)
/lib64/ld-linux-x86-64.so.2 (0x00007fc4f558e000)
[root@dnd-sisambas-confd753b-debug1 opt]#

output2)

[root@dnd-sisambas-confd753b-debug1 ~]# **rpm -qa | grep openssl**
openssl-1.1.1g-15.el8_3.x86_64
openssl-libs-1.1.1g-15.el8_3.x86_64

Could you please help in finding the reason for this error:

(This is little urgent as we are planning for the upgrade in this release…)

Unable to load crypto library. Failed with error:
"load_failed, Failed to load NIF library: '/opt/cisco/esc/confd/lib/confd/lib/core/crypto/priv/lib/crypto.so: undefined symbol: ENGINE_unregister_STORE'"
OpenSSL might not be installed on this system.

Thanks & Best Regards,
Siva

waitai · January 10, 2022, 4:41pm

Hi Siva,

The versions of OpenSSL libcryto being built with ConfD are different between ConfD 6.6.1 and ConfD 7.6.3.

If you refer to Chapter 28.15 of the ConfD 6.6.1 User Guide: Currently most ConfD releases, in particular all releases for Linux systems, are built with OpenSSL version 1.0.0, and thus require that the libcrypto library from this version is present when ConfD is run. Some releases for other systems require libcrypto from OpenSSL version 0.9.8 or 0.9.7.

If you refer to Chapter 32.13 of the ConfD 7.6.3 User Guide: ConfD depends on the OpenSSL libcrypto shared library for a number of cryptographic functions. (The libssl library is not used by ConfD.) Currently ConfD releases are built with OpenSSL version 1.1.1, and thus require that the libcrypto library from this version is present when ConfD is run.

You need to make sure that the required version of libcrypto is present for the ConfD releases that you are running.

If you have a different requirement from the ones that is built with ConfD: To use a different OpenSSL version than the one the ConfD release is built with, it is sufficient to use the provided sources to rebuild these two components with the desired OpenSSL version, and replace them in the ConfD release. The toplevel README file included in the tar archive has instructions on how to do the build of both libconfd and crypto.so.

Regards,

Wai

sisambas · January 11, 2022, 10:40am

Hi Wai, thank you for the message.
we already have libcrypto.so.1.1 on the ESC VM

[root@dnd-sisambas-confd753b-debug1 opt]# ldd /opt/confd-7.5.3/lib/confd/lib/core/crypto/priv/lib/crypto.so
linux-vdso.so.1 (0x00007ffd373ed000)
libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007fc4f4e8c000)
libc.so.6 => /lib64/libc.so.6 (0x00007fc4f4ac7000)
libz.so.1 => /lib64/libz.so.1 (0x00007fc4f48b0000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fc4f46ac000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fc4f448c000)
/lib64/ld-linux-x86-64.so.2 (0x00007fc4f558e000)
[root@dnd-sisambas-confd753b-debug1 opt]#

[admin@dnd-sisambas-confd753b-boot ~]$ ls -l /usr/lib64/libcrypto*
lrwxrwxrwx. 1 root root 26 Jan 7 10:47 /usr/lib64/libcrypto.so → /usr/lib64/libcrypto.so.10
lrwxrwxrwx. 1 root root 16 Jan 10 10:07 /usr/lib64/libcrypto.so.10 → libcrypto.so.1.1
lrwxrwxrwx. 1 root root 19 Jan 10 10:10 /usr/lib64/libcrypto.so.1.1 → libcrypto.so.1.1.1g
-rwxr-xr-x. 1 root root 3071456 Mar 30 2021 /usr/lib64/libcrypto.so.1.1.1g

Still the confd fails to run!

Could someone please assist on a call or meeting for 5 minutes to see whether there is anything
wrong in our setup ?