"Make sure you have the same versions of libssl, libapr, and libtcnative
that you built yourself and not those that e.g. ship with the OS. Where
are all your .so files for libtcnative, libssl, and libapr?"

Do you know if there are instructions on building these, or where the .so
files normally live?

On Tue, Apr 5, 2022 at 5:58 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Clay,
>
> On 4/5/22 12:47, Clay Lehman wrote:
> > Hello!
> >
> > I am trying to set up Tomcat Native using OpenSSL v3.0.2, and running into
> > an error on startup.  I have tried a ton of things, searched, read the docs
> > over and over, and cannot get past this.  Has anyone had success with this
> > setup?
> >
> > I created a fully working sample project and Dockerfile to demonstrate the
> > issue: https://github.com/claylehman/spring-boot-tomcat-native-openssl3
> >
> > Thanks!
> >
> > Clay
> >
> > More info below....
> >
> > Most of the examples and documentation that I have found are for old
> > versions of OpenSSL, but I do see some release notes mentioning OpenSSL
> > v3.0.x so I suspect this is supported to some degree.
> >
> > I am testing this using a docker container for "Oracle Linux Server 8"
> > (specifically FROM openjdk:latest).  I am running embedded tomcat from
> > Spring Boot, but I don't suspect that is important for my issue.
> >
> > Notes about the setup steps (in the Dockerfile example):
> >
> > 1) Installed OpenSSL v3.0.2 from source with FIPS enabled.
> >
> >   (https://wiki.openssl.org/index.php/OpenSSL_3.0#Installation_and_Compilation_of_OpenSSL_3.0)
> >
> > RUN cd /usr/src \
> >   && wget https://www.openssl.org/source/openssl-3.0.2.tar.gz \
> >   && tar -zxf openssl-3.0.2.tar.gz \
> >   && rm openssl-3.0.2.tar.gz \
> >   && cd openssl-3.0.2 \
> >   && ./config enable-fips && make -j8  && make -j8 install
> >
> > RUN ln -s /usr/local/lib/libcrypto.so.3 /usr/lib64/libcrypto.so.3 \
> >   && ln -s /usr/local/lib/libssl.so.3 /usr/lib64/libssl.so.3
> >
> > RUN openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.so
> >
> > 2) Installed Tomcat Native from source:
> >
> > (https://tomcat.apache.org/native-doc/)
> >
> > RUN microdnf install apr-devel openssl-devel \
> >   && mkdir /usr/lib/tcnative
> >
> > RUN cd /usr/src \
> >   && wget https://dlcdn.apache.org/tomcat/tomcat-connectors/native/1.2.32/source/tomcat-native-1.2.32-src.tar.gz \
> >   && tar -xvf tomcat-native-1.2.32-src.tar.gz \
> >   && rm tomcat-native-1.2.32-src.tar.gz \
> >   && cd tomcat-native-1.2.32-src/native \
> >   && ./configure --with-api=/usr/bin/apr-1-config --with-java-home=/usr/java/latest --with-ssl=yes --prefix=/usr/lib/tcnative \
> >   && make \
> >   && make install
> >
> > 3) Generate a self-signed certificate:
> >
> > RUN openssl req -x509 -newkey rsa:4096 -passout pass:test -keyout testkey.pem -out testcert.pem -sha256 -days 90 -subj '/CN=test.lehmansoftware.com'
> >
> > 4) To enable tomcat native, I pass these parameters:
> >
> > ENTRYPOINT java \
> >   -Dserver.port=8443 \
> >   -Dserver.ssl.enabled=true \
> >   -Djava.library.path="/usr/lib/tcnative/lib" \
> >   -Dserver.ssl.certificate-key-file="/testkey.pem" \
> >   -Dserver.ssl.certificate-file="/testcert.pem" \
> >   -jar app.jar
> >
> > 5) And finally, here is the error message that I receive on application
> > startup trying to use tcnative.
> >
> > cmts-docker-cmts-1  | [2022-04-04 14:49:01.549][${appenders}] WARN [main] core.AprLifecycleListener - The Apache Tomcat Native library failed to load. The error reported was [/usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol: EVP_PKEY_get_bits]
> >
> > cmts-docker-cmts-1  | java.lang.UnsatisfiedLinkError: /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol: EVP_PKEY_get_bits
> >
> > cmts-docker-cmts-1  |  at jdk.internal.loader.NativeLibraries.load(Native Method) ~[?:?]
>
> Looks like the build worked (right?) so any "undefined symbol" issues
> you see must be related to the versions made available to the process at
> runtime.
>
> Make sure you have the same versions of libssl, libapr, and libtcnative
> that you built yourself and not those that e.g. ship with the OS. Where
> are all your .so files for libtcnative, libssl, and libapr?
>
> -chris
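
Added example, not part of the original thread and not code from the Tomcat Native project: a shell helper for the question asked above, showing which libssl, libcrypto and libapr the dynamic loader resolves for libtcnative and whether that libcrypto exports EVP_PKEY_get_bits (the OpenSSL 3.0 name for EVP_PKEY_bits). The function names and the SAMPLE_* data are constructed for illustration; only the library path and the symbol name come from the log in the thread.

```shell
#!/bin/sh
# Which libssl/libcrypto/libapr does the loader hand to libtcnative, and does
# that libcrypto export the symbol named in the UnsatisfiedLinkError?

# stdin: `ldd` output. Prints "soname path" for each OpenSSL/APR dependency.
resolved_libs() {
    awk '$1 ~ /^lib(ssl|crypto|apr-1)\.so/ && $2 == "=>" { print $1, $3 }'
}

# stdin: `nm -D --defined-only` output. Succeeds if symbol $1 is exported
# (a trailing @@VERSION tag, as OpenSSL uses, is ignored).
exports_symbol() {
    awk -v sym="$1" '{ n = $NF; sub(/@.*/, "", n); if (n == sym) hit = 1 }
                     END { exit hit ? 0 : 1 }'
}

# Real check: $1 = path to libtcnative, $2 = symbol name.
# The body runs in a subshell so its variables stay local.
check_tcnative() (
    lib="$1"; sym="$2"
    ldd "$lib" | resolved_libs | while read -r soname path; do
        case "$soname" in
            libcrypto.so*)
                if nm -D --defined-only "$path" | exports_symbol "$sym"; then
                    echo "$soname => $path (exports $sym)"
                else
                    echo "$soname => $path (MISSING $sym)"
                fi ;;
            *) echo "$soname => $path" ;;
        esac
    done
)

# Constructed sample input (not captured from the poster's container).
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd3a5f2000)
	libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f1c2a000000)
	libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f1c29a00000)
	libapr-1.so.0 => /lib64/libapr-1.so.0 (0x00007f1c29600000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f1c29200000)'
SAMPLE_NM_111='00000000001a2b30 T EVP_PKEY_bits@@OPENSSL_1_1_0'
SAMPLE_NM_30='00000000001c4d10 T EVP_PKEY_get_bits@@OPENSSL_3.0.0'

# Run against a real library only when both arguments are given.
if [ "$#" -eq 2 ]; then
    check_tcnative "$1" "$2"
fi
```

Inside the container, pass the path from the error message and the symbol, e.g. /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32 and EVP_PKEY_get_bits. A libcrypto reported as MISSING the symbol means the loader is supplying a different OpenSSL than the one whose headers libtcnative was compiled against.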