
Letsencrypt SSL acmetool.sh openssl error

Discussion in 'Domains, DNS, Email & SSL Certificates' started by ShawnH, Feb 20, 2017.

  1. ShawnH

    ShawnH New Member

    I have an interesting error on one of my servers and haven't had a chance to check the others. When I try to renew the certificate I get the following error (numerous times) and the renew fails of course.
    openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory

    I am using the latest libressl for Nginx, all updates applied, and I have no external programs on the system. My openssl info is below:

    Installed Packages
    Name : openssl
    Arch : x86_64
    Epoch : 1
    Version : 1.0.1e
    Release : 60.el7
    Size : 1.5 M
    Repo : installed
    From repo : base
    Summary : Utilities from the general purpose cryptography library with TLS implementation
    URL : /index.html
    License : OpenSSL
    Description : The OpenSSL toolkit provides support for secure communications between
    : machines. OpenSSL includes a certificate management tool and shared
    : libraries which provide various cryptographic algorithms and
    : protocols.

    Not sure where to go next. Any help is appreciated.
     
  2. eva2000

    eva2000 Administrator Staff Member

    moved your post to its own thread :)

    what is the exact error and command used for renewal ? and output for

    Code (Text):
    nginx -V
    


    How was the initial letsencrypt ssl certificate obtained ? Which method ?
    • Was the domain nginx vhost already created prior or new domain nginx vhost site setup for first time ?
    • Via centmin.sh menu option 2, 22, /usr/bin/nv ?
    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh ? which specific command ? examples
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was order of steps you did ? Did you run centmin.sh menu option 2 first with letsencrypt ? Then did you run addons/acmetool.sh afterwards ?

    Troubleshooting



    There are various steps you can do to troubleshoot failed letsencrypt issuances, renews, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run and post contents of log to pastebin.com or gist.github.com and share link in this thread. To find the log list the logs in ascending date order
      Code (Text):
      ls -lahrt /root/centminlogs
      .
    • For direct acmetool.sh runs, there should be a 2nd & 3rd & 4th log in format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log which would need to be included via separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In persistent config file at /etc/centminmod/custom_config.inc (create it if it doesn't exist) add and enable acmetool.sh debug mode which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
    Without the answers to above questions and logs, there is nothing to help troubleshoot.
     
  3. ShawnH

    ShawnH New Member

    Code (Text):
    ./acmetool.sh renew dankinsella.online live
    -------------------------------------------------
    acmetool.sh is in beta testing phase
    please read & provide bug reports &
    feedback for this tool via the forums
    https://centminmod.com/acmetool
    -------------------------------------------------
    
    continue [y/n] ? y
    
    -----------------------------------------------------
    updating acme.sh client...
    -----------------------------------------------------
    [Sun Feb 19 19:57:33 PST 2017] Installing to /root/.acme.sh
    [Sun Feb 19 19:57:33 PST 2017] Installed to /root/.acme.sh/acme.sh
    [Sun Feb 19 19:57:33 PST 2017] Installing alias to '/root/.bashrc'
    [Sun Feb 19 19:57:33 PST 2017] OK, Close and reopen your terminal to start using acme.sh
    [Sun Feb 19 19:57:33 PST 2017] Installing alias to '/root/.cshrc'
    [Sun Feb 19 19:57:33 PST 2017] Installing alias to '/root/.tcshrc'
    [Sun Feb 19 19:57:33 PST 2017] Installing cron job
    0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    [Sun Feb 19 19:57:33 PST 2017] Good, bash is found, so change the shebang to use bash as preferred.
    [Sun Feb 19 19:57:33 PST 2017] OK
    https://github.com/Neilpang/acme.sh
    v2.6.7
    -----------------------------------------------------
    acme.sh updated
    -----------------------------------------------------
    grep 'root' /usr/local/nginx/conf/conf.d/dankinsella.online.ssl.conf
      root /home/nginx/domains/dankinsella.online/public;
    
    -----------------------------------------------------------
    renew & install letsencrypt ssl certificate for dankinsella.online
    -----------------------------------------------------------
    testcert value = live
    /root/.acme.sh/acme.sh --issue -d dankinsella.online -d www.dankinsella.online --days 60 -w /home/nginx/domains/dankinsella.online/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-190217-195730.log --log-level 2
    openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
    openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
    openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
    openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
    openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
    openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
    [Sun Feb 19 19:57:34 PST 2017] Registering account
    openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
    openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
    openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
    openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
    [Sun Feb 19 19:57:34 PST 2017] Register account Error: {"type":"urn:acme:error:malformed","detail":"Parse error reading JWS","status": 400}
    [Sun Feb 19 19:57:34 PST 2017] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-190217-195730.log
    LECHECK = 1
    
    log files saved at /root/centminlogs
    -rw-r--r-- 1 root root  4.9K Feb 19 19:57 acmetool.sh-debug-log-190217-195730.log
    -rw-r--r-- 1 root root  3.2K Feb 19 19:57 acmesh-renew_190217-195730.log
    
    


    Same error with the cron job command line.

    Code (Text):
     nginx -V
    nginx version: nginx/1.11.10
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
    built with LibreSSL 2.4.5
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -march=native -g -O3 -fstack-protector-strong -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-http_stub_status_module --with-http_secure_link_module --add-module=../nginx-module-vts --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --add-dynamic-module=../ngx_pagespeed-1.12.34.2-beta --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --with-http_dav_module --add-module=../nginx-dav-ext-module-0.0.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.31 --add-module=../echo-nginx-module-0.60 --add-module=../redis2-nginx-module-0.13 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.17 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.32 --with-pcre=../pcre-8.40 --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-openssl=../libressl-2.4.5
    


    The vhost was added via option 22, the option 4 so never actually ran the acme.sh until today when I realized the cert didn't autorenew.

    I also see there is an update that tries to install and build Axel, that is failing as well on the openssl portion as well.

    Code (Text):
    update axel version... one time task
    Axel 2.12 Archive found, skipping download...
    axel-2.12.tar.gz valid file.
    
    config.status: creating po/POTFILES
    config.status: creating po/Makefile
    Making all in src
    ssl.o: In function `ssl_startup':
    /svr-setup/axel-2.12/src/ssl.c:57: undefined reference to `OPENSSL_init_ssl'
    /svr-setup/axel-2.12/src/ssl.c:58: undefined reference to `OPENSSL_init_ssl'
    /svr-setup/axel-2.12/src/ssl.c:60: undefined reference to `TLS_client_method'
    collect2: error: ld returned 1 exit status
    make[2]: *** [axel] Error 1
    make[1]: *** [all-recursive] Error 1
    make: *** [all] Error 2
    Making install in src
    ssl.o: In function `ssl_startup':
    /svr-setup/axel-2.12/src/ssl.c:57: undefined reference to `OPENSSL_init_ssl'
    /svr-setup/axel-2.12/src/ssl.c:58: undefined reference to `OPENSSL_init_ssl'
    /svr-setup/axel-2.12/src/ssl.c:60: undefined reference to `TLS_client_method'
    collect2: error: ld returned 1 exit status
    make[1]: *** [axel] Error 1
    make: *** [install-recursive] Error 1
    


    I will run acme.sh in debug tomorrow and paste the debug logs.

    Thanks
    Shawn
     
  4. eva2000

    eva2000 Administrator Staff Member

    1. what version of centmin mod did your server start off with 123.08stable or 123.09beta01 ?
    2. how long ago did you install centmin mod originally ?
    3. when was last time you ran centmin.sh menu option 23 submenu option 2 ?
    4. also is there any output from this command
      Code (Text):
      grep -nrw 'OPENSSL_init_ssl' /root/centminlogs/
      wrap output in CODE bbcode tags
    5. also output from
      Code (Text):
      ldd $(which axel)
    6. also output from
      Code (Text):
      ldconfig -p | grep libssl
    7. also output from
      Code (Text):
      updatedb; locate libssl.so.1.1
    8. also output from
      Code (Text):
      locate /bin/openssl | while read -r b; do echo "$b"; "$b" version; done
    9. also output from
      Code (Text):
      history | grep 'openssl'
     
    Last edited: Feb 20, 2017
  5. eva2000

    eva2000 Administrator Staff Member

    did you at one time switch nginx to using OpenSSL 1.1.0 branch by any chance ? or tried to compile OpenSSL 1.1.0 branch on your system manually ? That could have broken the system OpenSSL version :(
     
    Last edited: Feb 20, 2017
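
The `ldd` check requested above, applied to every `openssl` binary on a PATH-style list so that a copy whose shared libraries do not resolve (the `libssl.so.1.1` error in this thread) stands out. This is an added example, not part of the original posts or of Centmin Mod; the function names, the `LDD_CMD` variable and the sample `ldd` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: find openssl binaries whose shared libraries fail to resolve.

# Command used to list library dependencies; overridable for offline testing.
LDD_CMD=${LDD_CMD:-ldd}

# Constructed sample of `ldd` output for an openssl binary linked against
# the 1.1 library on a host where that library is not installed.
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007ffc00000000)
    libssl.so.1.1 => not found
    libcrypto.so.1.1 => not found
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f0000000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000200000)'

# Read `ldd` output on stdin; print the unresolved library names on one line.
missing_libs() {
  awk '$2 == "=>" && $3 == "not" && $4 == "found" {
         out = out (out ? " " : "") $1
       }
       END { print out }'
}

# Walk a colon-separated directory list (default: $PATH) in lookup order and
# report, for each executable named openssl, whether any library is missing.
# The first entry printed is the binary a bare `openssl` call would run.
scan_openssl() {
  old_ifs=$IFS
  IFS=:
  for dir in ${1:-$PATH}; do
    IFS=$old_ifs
    bin="$dir/openssl"
    [ -x "$bin" ] || continue
    miss=$("$LDD_CMD" "$bin" 2>/dev/null | missing_libs)
    if [ -n "$miss" ]; then
      echo "$bin: MISSING $miss"
    else
      echo "$bin: no unresolved libraries reported"
    fi
  done
  IFS=$old_ifs
}

# Run the scan against the live PATH only when asked to.
if [ "${1:-}" = "--scan" ]; then
  scan_openssl
fi
```

Run with `--scan` on the affected server; a `MISSING` line for a binary that appears earlier in PATH than `/usr/bin/openssl` points at a non-system copy shadowing the distribution package.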