Sep 30
84 / 84
Oct 19
27d ago
kstange
gibble
Oct 4

I can't give exact installation instructions for everyone because it somewhat depends on what you already have installed. You will need to add all the packages you need at the same time to avoid conflict messages as the packages are interdependent. Because this version of the package separated openssl-libs from the main package you will definitely need at least this one. You can see what's already installed by running rpm -qa openssl\*. If you have i686 packages installed as well, you will need to remove them or cross compile openssl for i686 as well, but we are getting deeper and deeper into the weeds and it's impossible to elucidate every corner case in this thread.

For me I had to do: cd ~/rpmbuild/RPMS/x86_64/; rpm -Uhv openssl-1.0.2k-21.el6.x86_64.rpm openssl-libs-1.0.2k-21.el6.x86_64.rpm openssl-devel-1.0.2k-21.el6.x86_64.rpm but this may not be the same for everyone.

OsirisCommunity leader
Oct 4

Woohoo! I did it too! Full list of commands on a "fresh" CentOS 6 Docker image:

yum install wget
yum install krb5-devel zlib-devel lksctp-tools-devel util-linux make gcc rpm-build
curl -o openssl-1.0.2k-21.el7_9.src.rpm https://vault.centos.org/7.9.2009/updates/Source/SPackages/openssl-1.0.2k-21.el7_9.src.rpm
rpm -i openssl-1.0.2k-21.el7_9.src.rpm
cd ~/rpmbuild/SOURCES/
sed -i 's/secure_getenv(/getenv(/g' *patch
cd ../SPECS/
sed -i 's/%patch68 -p1 -b .secure-getenv/#%patch68 -p1 -b .secure-getenv/g' openssl.spec
rpmbuild -bb openssl.spec
cd ../RPMS/x86_64
rpm -U openssl-libs-1.0.2k-21.el6.x86_64.rpm openssl-1.0.2k-21.el6.x86_64.rpm

Not sure if openssl-devel-1.0.2k-21.el6.x86_64.rpm would be required, but for regular use I'm guessing it's not.

ghen
Oct 4

@Osiris The -devel package (for any package) contains just include files, only needed to build other packages depending on this one, not needed for regular operations. You can safely remove them.

@alan3188 The dependency failures are because on CentOS 7 (where we took the spec file from), the openssl package is split into "openssl" and "openssl-libs", but on CentOS 6 you had only "openssl". So you need to explicitly install the -libs package at the same time.

(which is why I suggested to merge them back into one, but that's another bit more work on the spec file. once you get it installed, it doesn't matter anymore.)

gibble
Oct 5

Thanks for the help folks, I still get a curious error when trying to update/install the rpm (existing latest openssl in centos 6 is 1.0.1e)...

error: Failed dependencies:
openssl-devel = 1.0.1e-58.el6_10 is needed by (installed) openssl-static-1.0.1e-58.el6_10.x86_64

However, yum install openssl-devel
Package openssl-devel-1.0.1e-58.el6_10.x86_64 already installed and latest version

EDIT think I fixed it by including the static and source file rpms as well at the same time.
Thanks for all the help.

kstange
Oct 5

You won't need to install the source RPM, but that message indicates that your existing version of openssl-static doesn't like that you are upgrading openssl-devel and trying to leave it back on the old version, so the correct fix is just to install openssl-static in the same command like you did!

futureweb
Osiris
Oct 6

@ Osiris - thx - it's working like a charm with the manually compiled RPMs! :wink:

For the sake of completeness, here again the complete workflow to solve the DST Root CA X3 expiration problem with Centos / RHEL 6 ...

yum install wget
yum install krb5-devel zlib-devel lksctp-tools-devel util-linux make gcc rpm-build
curl -o openssl-1.0.2k-21.el7_9.src.rpm https://vault.centos.org/7.9.2009/updates/Source/SPackages/openssl-1.0.2k-21.el7_9.src.rpm
rpm -i openssl-1.0.2k-21.el7_9.src.rpm
cd ~/rpmbuild/SOURCES/
sed -i 's/secure_getenv(/getenv(/g' *patch
cd ../SPECS/
sed -i 's/%patch68 -p1 -b .secure-getenv/#%patch68 -p1 -b .secure-getenv/g' openssl.spec
rpmbuild -bb openssl.spec
cd ../RPMS/x86_64
rpm -U openssl-libs-1.0.2k-21.el6.x86_64.rpm openssl-1.0.2k-21.el6.x86_64.rpm

I also compiled a current ca-certificates so one doesn't need to manually remove the X3 Cert ...

How to build the ca-certificates RPM:

yum install asciidoc java-1.6.0-openjdk
mkdir -p /dl/ca-cert; cd /dl/ca-cert;
curl -o ca-certificates-2020.2.41-65.1.el6_10.src.rpm https://vault.centos.org/6.10/updates/Source/SPackages/ca-certificates-2020.2.41-65.1.el6_10.src.rpm
rpm -i ca-certificates-2020.2.41-65.1.el6_10.src.rpm
curl -o ca-certificates-2021.2.50-72.el7_9.src.rpm https://vault.centos.org/7.9.2009/updates/Source/SPackages/ca-certificates-2021.2.50-72.el7_9.src.rpm
rpm2cpio ca-certificates-2021.2.50-72.el7_9.src.rpm | cpio -idmv
cp certdata.txt ~/rpmbuild/SOURCES/
sed -i 's/Version: 2020.2.41/Version: 2021.2.50/g' ~/rpmbuild/SPECS/ca-certificates.spec
cd ~/rpmbuild/SPECS
rpmbuild -bb ca-certificates.spec
cd /root/rpmbuild/RPMS/noarch/
rpm -U ca-certificates-2021.2.50-65.1.el6.noarch.rpm

If someone is interested I could also publish the RPMs ... (I personally wouldn't install any RPMs from "foreign sources" on my servers ... ^^)

thx, bye from Austria
Andreas Schnederle-Wagner

al3xxx
Oct 6

For all interested parties. I've modified openssl.spec to incorporate shared files back into monolitic RPM file to match EL6 package contents.
URL for corresponding binary and source packages (openssl and ca-certificates) + openssl.spec is
https://server-support.co/openssl-el6/ 46

Coleso007
futureweb
Oct 8

I have problem with manually compiled RPMs on centos 6.

# rpm -U openssl-libs-1.0.2k-21.el6.x86_64.rpm openssl-1.0.2k-21.el6.x86_64.rpm
error: Failed dependencies:
openssl = 1.0.1e-58.el6_10 is needed by (installed) openssl-devel-1.0.1e-58.el6_10.x86_64
openssl = 1.0.1e-58.el6_10 is needed by (installed) openssl-perl-1.0.1e-58.el6_10.x86_64

How i can solve it? I have installed openssl-devel and openssl-perl x86_64.

futureweb
Oct 8

add the devel and perl RPM to the "rpm -U" call ... they are all there ... :wink:

whereisaaron
Oct 9

Thank you very much for the summation @futureweb!

For openssl update needed to remove a python-libs-2.6.6-68.el6_10.i686 package from 6.10 @updates repo, as it had a fixed dependency that prevented the openssl install. It removed cleanly though, nothing using it apparently.

yum remove python-libs-2.6.6-68.el6_10.i686

due to:

error: Failed dependencies:
        libcrypto.so.10 is needed by (installed) python-libs-2.6.6-68.el6_10.i686
        libcrypto.so.10(libcrypto.so.10) is needed by (installed) python-libs-2.6.6-68.el6_10.i686
        libssl.so.10 is needed by (installed) python-libs-2.6.6-68.el6_10.i686
        libssl.so.10(libssl.so.10) is needed by (installed) python-libs-2.6.6-68.el6_10.i686

For the certificates update, I needed following changes:

  1. Add "-p": mkdir -p /dl/ca-cert; cd /dl/ca-cert;
  2. Add "cd ~/rpmbuild/SPECS" before "rpmbuild -bb ca-certificates.spec"
yaylife
Oct 13

Signed up just to say thanks. The comments in this thread are pure gold. @futureweb incorporated the comments from many in this thread into a perfect post on building the openssl & ca-certificate packages in post #73. I happened to load these into Spacewalk, and yum is smart enough to install the openssl-libs on upgrade of openssl.

Thanks!

rg305Community leader
Oct 13

Hi @yaylife and welcome to the LE community forum :slight_smile:

I can't think of a better compliment :+1:

ghen
27d

Wow, this openssl mailing list post 20 has a much simpler solution for CentOS 6 / openssl < 1.0.2

Since openssl apparantly doesn't check the self-signature on root CA's, you can simply alter the expiration date of DST Root CA X3, and it will be trusted again. The following command fudges the expiration date to 30 September 2024 (the end-date of the ISRG Root X1 cross-signature) directly in the PEM-encoded certificate:

sudo sed -i s/xMDkzMDE0MDExNVow/0MDkzMDE4MTQwM1ow/ /etc/pki/tls/certs/ca-bundle.crt

This works :cowboy_hat_face: no openssl upgrade needed!

rg305Community leader
27d

This trades one problem for another... but maybe this one is less problematic (for some):

image
image832×521 14 KB

ghen
27d

At least this is not problematic for OpenSSL, which ignores the (now broken) self-signature.
Other applications & libraries should be able to anchor any LE chain to ISRG Root X1 directly, ignoring DST Root CA X3 completely (either because it's expired or corrupted), this was an OpenSSL-specific issue.

orangepizzaRegular
27d

if it doen'st care about self-sign then would it need to keep same issuer? not sure intermediate from unknown issuer in trust store would work though

OsirisCommunity leader
27d

I'm pretty sure users using this hack will know of the altered state. And as it's a client thing and not a server thing, it wouldn't influence anything else but the user when inspecting the altered certificate. Sooooo, this doesn't really matter.

This topic will close a month after the last reply.