Chris,

Thanks for your help so far! I am digging into this some more today.

First off, once I started building APR from source instead of doing "yum install apr-devel", my main linking issue went away. So I think we are getting close!!

Now I am struggling to get Spring Boot's embedded Tomcat to start up in the APR mode. Most of the blogs and docs I find are older and seem to be out of date, or are otherwise not about embedded Tomcat.

With these JVM params:

-Djava.library.path="/usr/lib/tcnative/lib"
-Dserver.ssl.certificate-key-file="/testkey.pem"
-Dserver.ssl.certificate-file="/testcert.pem"

Spring Boot / Tomcat fails to start with this error:

org.springframework.context.ApplicationContextException: Unable to start web server; nested exception is org.springframework.boot.web.server.WebServerException: Could not load key store 'null'

I have found Tomcat notes on using this connector:

<!-- Define an SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/usr/local/ssl/server.crt"
           SSLCertificateKeyFile="/usr/local/ssl/server.pem"
           SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>

But I have not been able to figure out the right JVM params to tell Spring Boot to work in that manner. I am now trying setting up both .crt/.pem files AND ALSO the .pk12 to see what happens....

Thanks!
Clay

On Thu, Apr 7, 2022 at 1:22 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

> Clay,
>
> On 4/6/22 07:57, Clay Lehman wrote:
> > "Make sure you have the same versions of libssl, libapr, and libtcnative
> > that you built yourself and not those that e.g. ship with the OS. Where
> > are all your .so files for libtcnative, libssl, and libapr?"
> >
> > Do you know if there are instructions on building these, or where the .so
> > files normally live?
>
> The default LD_LIBRARY_PATH for your system may have lots of stuff in
> it. You'll have to check your system to see.
>
> When Tomcat starts up, the AprLifecycleListener should report all the
> versions of the various things it's using. Does it get that far, or does
> it choke before that?
>
> -chris
>
> > On Tue, Apr 5, 2022 at 5:58 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
> >
> >> Clay,
> >>
> >> On 4/5/22 12:47, Clay Lehman wrote:
> >>> Hello!
> >>>
> >>> I am trying to set up Tomcat Native using OpenSSL v3.0.2, and running into
> >>> an error on startup. I have tried a ton of things, searched, read the docs
> >>> over and over, and cannot get past this. Has anyone had success with this
> >>> setup?
> >>>
> >>> I created a fully working sample project and Dockerfile to demonstrate the
> >>> issue: https://github.com/claylehman/spring-boot-tomcat-native-openssl3
> >>>
> >>> Thanks!
> >>>
> >>> Clay
> >>>
> >>> More info below....
> >>>
> >>> Most of the examples and documentation that I have found are for old
> >>> versions of OpenSSL, but I do see some release notes mentioning OpenSSL
> >>> v3.0.x so I suspect this is supported to some degree.
> >>>
> >>> I am testing this using a docker container for "Oracle Linux Server 8"
> >>> (specifically FROM openjdk:latest). I am running embedded Tomcat from
> >>> Spring Boot, but I don't suspect that is important for my issue.
> >>>
> >>> Notes about the setup steps (in the Dockerfile example):
> >>>
> >>> 1) Installed OpenSSL v3.0.2 from source with FIPS enabled.
> >>> (https://wiki.openssl.org/index.php/OpenSSL_3.0#Installation_and_Compilation_of_OpenSSL_3.0)
> >>>
> >>> RUN cd /usr/src \
> >>>     && wget https://www.openssl.org/source/openssl-3.0.2.tar.gz \
> >>>     && tar -zxf openssl-3.0.2.tar.gz \
> >>>     && rm openssl-3.0.2.tar.gz \
> >>>     && cd openssl-3.0.2 \
> >>>     && ./config enable-fips && make -j8 && make -j8 install
> >>>
> >>> RUN ln -s /usr/local/lib/libcrypto.so.3 /usr/lib64/libcrypto.so.3 \
> >>>     && ln -s /usr/local/lib/libssl.so.3 /usr/lib64/libssl.so.3
> >>>
> >>> RUN openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.so
> >>>
> >>> 2) Installed Tomcat Native from source:
> >>> (https://tomcat.apache.org/native-doc/)
> >>>
> >>> RUN microdnf install apr-devel openssl-devel \
> >>>     && mkdir /usr/lib/tcnative
> >>>
> >>> RUN cd /usr/src \
> >>>     && wget https://dlcdn.apache.org/tomcat/tomcat-connectors/native/1.2.32/source/tomcat-native-1.2.32-src.tar.gz \
> >>>     && tar -xvf tomcat-native-1.2.32-src.tar.gz \
> >>>     && rm tomcat-native-1.2.32-src.tar.gz \
> >>>     && cd tomcat-native-1.2.32-src/native \
> >>>     && ./configure --with-apr=/usr/bin/apr-1-config --with-java-home=/usr/java/latest --with-ssl=yes --prefix=/usr/lib/tcnative \
> >>>     && make \
> >>>     && make install
> >>>
> >>> 3) Generate a self-signed certificate:
> >>>
> >>> RUN openssl req -x509 -newkey rsa:4096 -passout pass:test \
> >>>     -keyout testkey.pem -out testcert.pem -sha256 -days 90 \
> >>>     -subj '/CN=test.lehmansoftware.com'
> >>>
> >>> 4) To enable Tomcat Native, I pass these parameters:
> >>>
> >>> ENTRYPOINT java \
> >>>     -Dserver.port=8443 \
> >>>     -Dserver.ssl.enabled=true \
> >>>     -Djava.library.path="/usr/lib/tcnative/lib" \
> >>>     -Dserver.ssl.certificate-key-file="/testkey.pem" \
> >>>     -Dserver.ssl.certificate-file="/testcert.pem" \
> >>>     -jar app.jar
> >>>
> >>> 5) And finally, here is the error message that I receive on application
> >>> startup trying to use tcnative.
> >>>
> >>> cmts-docker-cmts-1 | [2022-04-04 14:49:01.549][${appenders}] WARN [main] core.AprLifecycleListener - The Apache Tomcat Native library failed to load. The error reported was [/usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol: EVP_PKEY_get_bits]
> >>> cmts-docker-cmts-1 | java.lang.UnsatisfiedLinkError: /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol: EVP_PKEY_get_bits
> >>> cmts-docker-cmts-1 | at jdk.internal.loader.NativeLibraries.load(Native Method) ~[?:?]
> >>
> >> Looks like the build worked (right?) so any "undefined symbol" issues
> >> you see must be related to the versions made available to the process at
> >> runtime.
> >>
> >> Make sure you have the same versions of libssl, libapr, and libtcnative
> >> that you built yourself and not those that e.g. ship with the OS. Where
> >> are all your .so files for libtcnative, libssl, and libapr?
> >>
> >> -chris
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
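The runtime check Chris asks for (which libssl, libcrypto and libapr a libtcnative build actually resolves), as an added example that is not code from the thread: it classifies ldd output by origin and tests the resolved libcrypto for EVP_PKEY_get_bits, the symbol named in Clay's UnsatisfiedLinkError. It assumes Linux with ldd and GNU nm, and treats /usr/local as the self-built prefix, an assumption taken from the Dockerfile above.

```shell
# Added diagnostic (not from the thread): find which OpenSSL/APR shared objects
# a libtcnative .so loads at run time, and whether that libcrypto is OpenSSL 3.
# Assumes Linux, ldd and GNU nm; /usr/local as self-built prefix is assumed.

# Print the path ldd resolved for a library name such as "libcrypto".
# Reads ldd output on stdin; lines look like:
#   libcrypto.so.3 => /usr/local/lib/libcrypto.so.3 (0x00007f...)
resolved_path() {
    awk -v lib="$1" '$1 ~ ("^" lib "\\.so") && $2 == "=>" { print $3; exit }'
}

# Classify where a resolved path came from.
origin_of() {
    case "$1" in
        "")            echo missing ;;
        /usr/local/*)  echo self-built ;;
        *)             echo os ;;
    esac
}

# Given ldd output on stdin, print one "name origin path" line per library of
# interest, so an OS copy (e.g. /usr/lib64/libcrypto.so.1.1) stands out.
classify_deps() {
    out=$(cat)
    for lib in libssl libcrypto libapr-1; do
        p=$(printf '%s\n' "$out" | resolved_path "$lib")
        printf '%s %s %s\n' "$lib" "$(origin_of "$p")" "${p:-none}"
    done
}

# True when a libcrypto exports EVP_PKEY_get_bits. OpenSSL 3.0 added that
# function (1.1 only has EVP_PKEY_bits), so a libtcnative compiled against 3.0
# headers fails exactly as in the thread when a 1.1 libcrypto is loaded instead.
has_get_bits() {
    nm -D "$1" 2>/dev/null | grep -qE ' T EVP_PKEY_get_bits(@|$)'
}

# Full check against a real libtcnative shared object on this host.
check_tcnative() {
    deps=$(ldd "$1")
    printf '%s\n' "$deps" | classify_deps
    crypto=$(printf '%s\n' "$deps" | resolved_path libcrypto)
    if has_get_bits "$crypto"; then
        echo "libcrypto is OpenSSL 3.x (EVP_PKEY_get_bits present)"
    else
        echo "libcrypto lacks EVP_PKEY_get_bits: a pre-3.0 OpenSSL was loaded"
    fi
}

# Constructed sample ldd output: the OS OpenSSL 1.1 wins over the /usr/local build.
SAMPLE_LDD='    libssl.so.1.1 => /usr/lib64/libssl.so.1.1 (0x00007f01)
    libcrypto.so.1.1 => /usr/lib64/libcrypto.so.1.1 (0x00007f02)
    libapr-1.so.0 => /usr/local/apr/lib/libapr-1.so.0 (0x00007f03)'
```

Run `check_tcnative /usr/lib/tcnative/lib/libtcnative-1.so` on the container; any "os" line for libssl or libcrypto is the mismatch to fix with LD_LIBRARY_PATH or by removing the OS copies from the search path.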