Upgrade Nginx: Nginx build failed switching from OpenSSL to AWS-LC

Discussion in 'Install & Upgrades or Pre-Install Questions' started by iaTa, Feb 9, 2025.

  1. iaTa

    iaTa Member

    • CentOS Version: AlmaLinux 9.5
    • Centmin Mod Version Installed: 140.00beta01.b198
    • Nginx Version Installed: 1.27.4
    • PHP Version Installed: 8.1.31
    • MariaDB MySQL Version Installed: 10.6.21
    • When was last time updated Centmin Mod code base: Today
    • Persistent Config:
      Code (Text):
      MARIADB_INSTALLTENTWO='n' 
      MARIADB_INSTALLTENTHREE='n'
      MARIADB_INSTALLTENFOUR='n'
      MARIADB_INSTALLTENFIVE='n'
      MARIADB_INSTALLTENSIX='y'
      OPENSSL_SYSTEM_USE='n'
      AWS_LC_SWITCH='y'
      NEEDRESTART_CHECK='y'
      VHOSTCTRL_CLOUDFLAREINC='y'
      LETSENCRYPT_DETECT='y'
      DUALCERTS='y'
      NGINX_SSLCACHE_ALLOWOVERRIDE='y'
      NGINX_STAPLE_CACHE_OVERRIDE='y'
      NGINX_STAPLE_CACHE_TTL='86400'
      ZSTD_LOGROTATE_NGINX='y'
      ZSTD_LOGROTATE_PHPFPM='y'
      SELFSIGNEDSSL_ECDSA='y'
      NGINX_LIBBROTLI='y'
      NGXDYNAMIC_BROTLI='y'
      PHP_BROTLI='y'
      PHP_LZFOUR='y'
      PHP_LZF='y'
      PHP_ZSTD='y'
      DMOTD_PHPCHECK='y'
      PHPFINFO='y'
      
    Nginx Upgrade Log

    removed

     
    Last edited: Feb 9, 2025
  2. eva2000

    eva2000 Administrator Staff Member

    Yeah, AWS-LC seems to be not compatible with Nginx 1.27.4 changes right now; only Nginx 1.27.3 is supported with AWS-LC. So you might want to turn off AWS-LC for now.
     
  3. eva2000

    I updated 140.00beta01 with a test patch for Nginx 1.27.4 + AWS-LC. Run the cmupdate command, then remove the existing nginx-1.27.4 source directory, and then re-run centmin.sh menu option 4.
    Code (Text):
    cd /svr-setup
    rm -rf /svr-setup/nginx-1.27.4*
    cmupdate
    cmdir
    centmin
    
     
  4. iaTa

    The test patch worked great, thank you!
     
  5. iaTa

    Looks like the patch needs updating again for nginx 1.29.0.

    Nginx 1.29.0 build failing due to AWS-LC nginx patch 1.27.4+ failures.

    Code (Text):
    nginx 1.27.4+ aws-lc-nginx-1.27.4.patch
    
    AWS-LC patch: patch -p1 < /usr/local/src/centminmod/patches/nginx/aws-lc-nginx-1.27.4.patch
    patching file src/event/ngx_event_openssl.h
    Hunk #1 succeeded at 27 (offset 2 lines).
    patching file src/event/quic/ngx_event_quic.c
    Hunk #1 FAILED at 965.
    1 out of 1 hunk FAILED -- saving rejects to file src/event/quic/ngx_event_quic.c.rej
    patching file src/event/quic/ngx_event_quic_protection.c
    Hunk #6 succeeded at 263 (offset 1 line).
    Hunk #7 succeeded at 325 (offset 1 line).
    Hunk #8 succeeded at 388 (offset 1 line).
    Hunk #9 succeeded at 448 (offset 1 line).
    Hunk #10 succeeded at 468 (offset 1 line).
    Hunk #11 succeeded at 484 (offset 1 line).
    Hunk #12 succeeded at 563 (offset 1 line).
    Hunk #13 succeeded at 579 (offset 1 line).
    Hunk #14 succeeded at 615 (offset 1 line).
    patching file src/event/quic/ngx_event_quic_protection.h
    Hunk #1 succeeded at 22 (offset -2 lines).
    patching file src/event/quic/ngx_event_quic_ssl.c
    Hunk #1 FAILED at 11.
    Hunk #2 succeeded at 968 with fuzz 2 (offset 385 lines).
    1 out of 2 hunks FAILED -- saving rejects to file src/event/quic/ngx_event_quic_ssl.c.rej
    patching file src/http/ngx_http_request.c
    patching file src/stream/ngx_stream_ssl_module.c
    patch unexpectedly ends in middle of line
    Hunk #1 succeeded at 592 with fuzz 1.
    AWS-LC patch: patch -p1 < /usr/local/src/centminmod/patches/nginx/aws-lc-nginx2.patch
    patching file src/event/ngx_event_openssl.c
    Hunk #1 succeeded at 5231 with fuzz 1 (offset 68 lines).
    
    ...
    
    In file included from src/event/quic/ngx_event_quic_connection.h:38,
                     from src/event/quic/ngx_event_quic.c:10:
    src/event/quic/ngx_event_quic_openssl_compat.h:18:6: error: redeclaration of ‘enum ssl_encryption_level_t’
       18 | enum ssl_encryption_level_t {
          |      ^~~~~~~~~~~~~~~~~~~~~~
    In file included from src/event/ngx_event_openssl.h:17,
                     from src/core/ngx_core.h:86,
                     from src/event/quic/ngx_event_quic.c:8:
    /opt/aws-lc-install/include/openssl/ssl.h:3856:6: note: originally defined here
     3856 | enum ssl_encryption_level_t {
          |      ^~~~~~~~~~~~~~~~~~~~~~
    src/event/quic/ngx_event_quic_openssl_compat.h:19:5: error: redeclaration of enumerator ‘ssl_encryption_initial’
       19 |     ssl_encryption_initial = 0,
          |     ^~~~~~~~~~~~~~~~~~~~~~
    /opt/aws-lc-install/include/openssl/ssl.h:3857:3: note: previous definition of ‘ssl_encryption_initial’ with type ‘enum ssl_encryption_level_t’
     3857 |   ssl_encryption_initial = 0,
          |   ^~~~~~~~~~~~~~~~~~~~~~
    src/event/quic/ngx_event_quic_openssl_compat.h:20:5: error: redeclaration of enumerator ‘ssl_encryption_early_data’
       20 |     ssl_encryption_early_data,
          |     ^~~~~~~~~~~~~~~~~~~~~~~~~
    /opt/aws-lc-install/include/openssl/ssl.h:3858:3: note: previous definition of ‘ssl_encryption_early_data’ with type ‘enum ssl_encryption_level_t’
     3858 |   ssl_encryption_early_data,
          |   ^~~~~~~~~~~~~~~~~~~~~~~~~
    src/event/quic/ngx_event_quic_openssl_compat.h:21:5: error: redeclaration of enumerator ‘ssl_encryption_handshake’
       21 |     ssl_encryption_handshake,
          |     ^~~~~~~~~~~~~~~~~~~~~~~~
    /opt/aws-lc-install/include/openssl/ssl.h:3859:3: note: previous definition of ‘ssl_encryption_handshake’ with type ‘enum ssl_encryption_level_t’
     3859 |   ssl_encryption_handshake,
          |   ^~~~~~~~~~~~~~~~~~~~~~~~
    src/event/quic/ngx_event_quic_openssl_compat.h:22:5: error: redeclaration of enumerator ‘ssl_encryption_application’
       22 |     ssl_encryption_application
          |     ^~~~~~~~~~~~~~~~~~~~~~~~~~
    /opt/aws-lc-install/include/openssl/ssl.h:3860:3: note: previous definition of ‘ssl_encryption_application’ with type ‘enum ssl_encryption_level_t’
     3860 |   ssl_encryption_application
          |   ^~~~~~~~~~~~~~~~~~~~~~~~~~
    src/event/quic/ngx_event_quic_openssl_compat.h:26:16: error: redefinition of ‘struct ssl_quic_method_st’
       26 | typedef struct ssl_quic_method_st {
          |                ^~~~~~~~~~~~~~~~~~
    /opt/aws-lc-install/include/openssl/ssl.h:3864:8: note: originally defined here
     3864 | struct ssl_quic_method_st {
          |        ^~~~~~~~~~~~~~~~~~
    src/event/quic/ngx_event_quic_openssl_compat.h:38:3: error: conflicting types for ‘SSL_QUIC_METHOD’; have ‘struct ssl_quic_method_st’
       38 | } SSL_QUIC_METHOD;
          |   ^~~~~~~~~~~~~~~
    In file included from /opt/aws-lc-install/include/openssl/ssl.h:145:
    /opt/aws-lc-install/include/openssl/base.h:414:35: note: previous declaration of ‘SSL_QUIC_METHOD’ with type ‘SSL_QUIC_METHOD’ {aka ‘struct ssl_quic_method_st’}
      414 | typedef struct ssl_quic_method_st SSL_QUIC_METHOD;
          |                                   ^~~~~~~~~~~~~~~
    src/event/quic/ngx_event_quic_openssl_compat.h:43:5: error: conflicting types for ‘SSL_set_quic_method’; have ‘int(SSL *, const SSL_QUIC_METHOD *)’ {aka ‘int(struct ssl_st *, const struct ssl_quic_method_st *)’}
       43 | int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method);
          |     ^~~~~~~~~~~~~~~~~~~
    /opt/aws-lc-install/include/openssl/ssl.h:3978:20: note: previous declaration of ‘SSL_set_quic_method’ with type ‘int(SSL *, const SSL_QUIC_METHOD *)’ {aka ‘int(struct ssl_st *, const struct ssl_quic_method_st *)’}
     3978 | OPENSSL_EXPORT int SSL_set_quic_method(SSL *ssl,
          |                    ^~~~~~~~~~~~~~~~~~~
    make[1]: *** [objs/Makefile:1136: objs/src/event/quic/ngx_event_quic.o] Error 1
    make[1]: *** Waiting for unfinished jobs....
    make[1]: Leaving directory '/svr-setup/nginx-1.29.0'
    make: *** [Makefile:10: build] Error 2
    
    real    0m19.052s
    user    0m59.868s
    sys     0m11.542s
    
    Wed Jun 25 10:10:09 AM UTC 2025
    Error: 2, Nginx make failed
    
     
  6. eva2000

    Thanks for the heads up. Currently there is no AWS-LC nginx 1.29 compatible patch released by the AWS-LC folks, so we need to wait. For now, either stick with nginx 1.28.0 or 1.27.5 with AWS-LC, or switch back from AWS-LC to default OpenSSL with nginx 1.29.
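
The patch log in post 5 shows hunks that failed or applied only with fuzz in the TLS/QUIC sources, after which the build still ran. As an added example (not part of the thread or of Centmin Mod's own scripts), this shell function reads `patch` output and refuses to continue unless every hunk applied cleanly; the function names and verdict strings are assumptions, and the sample lines are excerpted from that log.

```shell
#!/usr/bin/env bash
# Added example: gate a source build on the output of `patch`.

# Read `patch` output on stdin. Print one line per problem and a verdict.
# Returns 0 only if every hunk applied cleanly: offsets are tolerated,
# fuzz, rejected hunks and a truncated patch file are not.
patch_log_verdict() {
  awk '
    /^patching file / { sub(/^patching file /, ""); file = $0; next }
    /^Hunk #[0-9]+ FAILED/            { failed[file]++; bad = 1 }
    /^Hunk #[0-9]+ succeeded .* fuzz/ { fuzzy[file]++;  bad = 1 }
    /^patch unexpectedly ends/        { truncated = 1;  bad = 1 }
    END {
      for (f in failed) printf "FAILED %d %s\n", failed[f], f
      for (f in fuzzy)  printf "FUZZ %d %s\n",   fuzzy[f],  f
      if (truncated)    print  "TRUNCATED patch file"
      print (bad ? "verdict: do-not-build" : "verdict: clean")
      exit (bad ? 1 : 0)
    }'
}

# Sample input: lines excerpted from the nginx 1.29.0 log in this thread.
sample_log() {
  cat <<'EOF'
patching file src/event/ngx_event_openssl.h
Hunk #1 succeeded at 27 (offset 2 lines).
patching file src/event/quic/ngx_event_quic.c
Hunk #1 FAILED at 965.
1 out of 1 hunk FAILED -- saving rejects to file src/event/quic/ngx_event_quic.c.rej
patching file src/event/quic/ngx_event_quic_ssl.c
Hunk #1 FAILED at 11.
Hunk #2 succeeded at 968 with fuzz 2 (offset 385 lines).
patching file src/stream/ngx_stream_ssl_module.c
patch unexpectedly ends in middle of line
Hunk #1 succeeded at 592 with fuzz 1.
EOF
}

# Demo: the sample log is rejected, so a build script would stop here.
sample_log | patch_log_verdict || echo "build blocked: patch did not apply cleanly"
```

GNU `patch` exits 0 when hunks apply with fuzz, so a check like this can be fed from `patch -p1 --dry-run < file.patch 2>&1` before the source tree is modified.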