  • openssl版本升级操作记录【转】

    需要部署nginx的https环境,之前是yum安装的openssl,版本比较低,如下:

     
    [root@nginx ~]# yum install -y pcre pcre-devel openssl openssl-devel gcc
     
    [root@nginx ~]# openssl version -a
    OpenSSL 1.0.1e-fips 11 Feb 2013
    built on: Wed Mar 22 21:43:28 UTC 2017
    platform: linux-x86_64
    options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
    compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
    OPENSSLDIR: "/etc/pki/tls"
    engines:  rdrand dynamic

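    默认yum安装的openssl版本是1.0.1,现在需要将版本升级到1.1.0。升级的操作记录如下(注意:下载源码包后,建议先用官方发布的SHA256摘要或PGP签名校验压缩包,再解压编译;1.1.0系列官方已停止维护,实际部署时应选用仍在维护的版本。另外,下面的步骤会用符号链接替换yum管理的/usr/bin/openssl和/usr/include/openssl,并把/usr/local/lib64/加入全局库搜索路径,之后yum更新openssl包时可能覆盖这些改动):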

     
    [root@nginx ~]# wget https://www.openssl.org/source/openssl-1.1.0g.tar.gz
    [root@nginx ~]# tar -zvxf openssl-1.1.0g.tar.gz
    [root@nginx ~]# cd openssl-1.1.0g
    [root@nginx openssl-1.1.0g]# ./config shared zlib
    [root@nginx openssl-1.1.0g]# make
    [root@nginx openssl-1.1.0g]# make install
     
     
    [root@nginx openssl-1.1.0g]# mv /usr/bin/openssl /usr/bin/openssl.bak
    [root@nginx openssl-1.1.0g]# mv /usr/include/openssl /usr/include/openssl.bak
     
    [root@nginx openssl-1.1.0g]#  find / -name openssl
    /etc/pki/ca-trust/extracted/openssl
    /data/software/nginx-1.12.2/auto/lib/openssl
    /data/software/openssl-1.1.0g/apps/openssl
    /data/software/openssl-1.1.0g/include/openssl
    /usr/lib64/openssl
    /usr/local/share/doc/openssl
    /usr/local/include/openssl
    /usr/local/bin/openssl
    /usr/include/openssl
    /usr/bin/openssl
     
    [root@nginx openssl-1.1.0g]# ln -s /usr/local/bin/openssl /usr/bin/openssl
    [root@nginx openssl-1.1.0g]# ln -s /usr/local/include/openssl /usr/include/openssl
     
    [root@external-lb01 ~]# find / -name "libssl*"
    /data/software/openssl-1.1.0g/libssl.pc
    /data/software/openssl-1.1.0g/libssl.so
    /data/software/openssl-1.1.0g/libssl.a
    /data/software/openssl-1.1.0g/libssl.so.1.1
    /data/software/openssl-1.1.0g/util/libssl.num
    /usr/lib64/libssl3.so
    /usr/lib64/pkgconfig/libssl.pc
    /usr/lib64/libssl.so.1.0.1e
    /usr/lib64/libssl.so
    /usr/lib64/libssl.so.10
    /usr/local/lib64/libssl.a
    /usr/local/lib64/pkgconfig/libssl.pc
    /usr/local/lib64/libssl.so
    /usr/local/lib64/libssl.so.1.1
     
    [root@nginx openssl-1.1.0g]# echo "/usr/local/lib64/" >> /etc/ld.so.conf
    [root@nginx openssl-1.1.0g]# ldconfig
     
    [root@nginx openssl-1.1.0g]# openssl version -a
    OpenSSL 1.1.0g  2 Nov 2017
    built on: reproducible build, date unspecified
    platform: linux-x86_64
    compiler: gcc -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR=""/usr/local/ssl"" -DENGINESDIR=""/usr/local/lib64/engines-1.1""  -Wa,--noexecstack
    OPENSSLDIR: "/usr/local/ssl"
    ENGINESDIR: "/usr/local/lib64/engines-1.1"

    =========openssl升级后编译nginx出现的问题========
    如上将本机的openssl升级后,由于之前编译的nginx里没有stream模块,现在需要手动平滑添加stream模块,操作如下:

     
    检查下,发现nginx没有安装stream模块
    [root@external-lb01 ~]# /data/nginx/sbin/nginx -V
    nginx version: nginx/1.12.2
    built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
    built with OpenSSL 1.1.0g  2 Nov 2017
    TLS SNI support enabled
    configure arguments: --prefix=/data/nginx --user=www --group=www --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre
     
     
    操作之前,一定要备份一下之前的nginx安装目录,防止操作失败进行回滚!
    [root@external-lb01 ~]# cp -r /data/nginx /mnt/nginx.bak
     
    之前的编译命令是:
    [root@external-lb01 vhosts]# cd /data/software/nginx-1.12.2
    [root@external-lb01 nginx-1.12.2]# ./configure --prefix=/data/nginx --user=www --group=www --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre
     
    现在需要手动添加stream,编译命令如下:
    [root@external-lb01 vhosts]# cd /data/software/nginx-1.12.2
    [root@external-lb01 nginx-1.12.2]# ./configure --prefix=/data/nginx --user=www --group=www --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream
     
    报错如下:
    ......
    ./configure: error: SSL modules require the OpenSSL library.
    You can either do not enable the modules, or install the OpenSSL library
    into the system, or build the OpenSSL library statically from the source
    with nginx by using --with-openssl=<path> option.
     
    原因分析:是由于openssl升级所致!
    [root@external-lb01 nginx-1.12.2]# openssl version -a
    OpenSSL 1.1.0g  2 Nov 2017
    built on: reproducible build, date unspecified
    platform: dist
    compiler: cc -DNDEBUG -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSLDIR=""/usr/local/ssl"" -DENGINESDIR=""/usr/local/lib/engines-1.1""
    OPENSSLDIR: "/usr/local/ssl"
    ENGINESDIR: "/usr/local/lib/engines-1.1"
     
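    所以编译命令需要改为(注意:按上面的报错提示,--with-openssl=<path> 的作用是把OpenSSL从源码静态编译进nginx,这里却指向了安装目录/usr/local/ssl,所以后面还需要修改auto/lib/openssl/conf;静态链接之后,OpenSSL再有安全更新时必须重新编译nginx才能生效):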
    [root@external-lb01 nginx-1.12.2]# ./configure --prefix=/data/nginx --user=www --group=www --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-openssl=/usr/local/ssl
     
    然后进行make,千万注意!!!!一定不要make install!!!否则会自动覆盖掉之前的配置!!!
    [root@external-lb01 nginx-1.12.2]# make
    又报错如下:
    .......
    make[1]: *** [/usr/local/ssl/.openssl/include/openssl/ssl.h] Error 127
    make[1]: Leaving directory `/usr/local/src/nginx-1.9.9'
    make: *** [build] Error 2
     
    解决办法:
    [root@external-lb01 nginx-1.12.2]# cd auto/lib/openssl
    [root@external-lb01 openssl]# cp conf /mnt/
    [root@external-lb01 openssl]# vim conf
                CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
                CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
                CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
                CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"
                CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
    修改为
                CORE_INCS="$CORE_INCS $OPENSSL/include"
                CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"
                CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libssl.a"
                CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libcrypto.a"
                CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
     
    接着继续make安装
    [root@external-lb01 nginx-1.12.2]# make
    又报错说找不到下面两个文件
    /usr/local/ssl/lib/libssl.a
    /usr/local/ssl/lib/libcrypto.a
     
    解决办法:
    [root@external-lb01 nginx-1.12.2]# mkdir /usr/local/ssl/lib
    [root@external-lb01 nginx-1.12.2]# ln -s /usr/local/lib64/libssl.a /usr/local/ssl/lib/libssl.a
    [root@external-lb01 nginx-1.12.2]# ln -s /usr/local/lib64/libcrypto.a /usr/local/ssl/lib/libcrypto.a
     
    然后make就可以了
    [root@external-lb01 nginx-1.12.2]# make
     
    最后进行平滑操作(注意:pkill -9 会强制杀掉所有nginx进程,现有连接会被中断,并不是真正的平滑升级;启动新二进制之前可先用 /data/nginx/sbin/nginx -t 检查配置是否正确)
    [root@external-lb01 nginx-1.12.2]# cp -f /data/software/nginx-1.12.2/objs/nginx /data/nginx/sbin/nginx
    [root@external-lb01 nginx-1.12.2]# pkill -9 nginx
    [root@external-lb01 nginx-1.12.2]# /data/nginx/sbin/nginx
     
    检查下,发现nginx已经安装了stream模块了
    [root@external-lb01 nginx-1.12.2]# /data/nginx/sbin/nginx -V
    nginx version: nginx/1.12.2
    built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
    built with OpenSSL 1.1.0g  2 Nov 2017
    TLS SNI support enabled
    configure arguments: --prefix=/data/nginx --user=www --group=www --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-openssl=/usr/local/ssl
     
    转自
    openssl版本升级操作记录 - 散尽浮华 - 博客园 http://www.cnblogs.com/kevingrace/p/8058535.html
  • 原文地址:https://www.cnblogs.com/paul8339/p/9207612.html