[centos-rpm] OpenSSL conflicts #161

Closed
karai17 opened this issue Sep 23, 2020 · 5 comments

@karai17

karai17 commented Sep 23, 2020

I am trying to build a Docker image using openresty's official image as a base. According to the following bug report, both RedHat and Luaossl backported a feature from OpenSSL 1.2 to OpenSSL 1.1 and this double-backport is causing conflicts.

wahern/luaossl#175

The proposed solution is to supply Luaossl with additional build flags so that it doesn't try to redefine definitions already defined by RedHat:

RUN luarocks install luaossl CFLAGS="-O2 -fPIC -DHAVE_EVP_KDF_CTX=1"

This works in that Luaossl builds, but when I am trying to run my Lapis application, I get the following error:

web_1   | 2020/09/23 01:10:18 [error] 21#21: *1 lua entry thread aborted: runtime error: error loading module '_openssl.hmac' from file '/usr/local/openresty/luajit/lib/lua/5.1/_openssl.so':
web_1   |       /usr/local/openresty/luajit/lib/lua/5.1/_openssl.so: undefined symbol: EVP_KDF_size, version OPENSSL_1_1_1b
web_1   | stack traceback:
web_1   | coroutine 0:
web_1   |       [C]: in function 'require'
web_1   |       content_by_lua(nginx.conf.compiled:33):1: in main chunk, client: 172.22.0.1, server: , request: "GET / HTTP/1.1", host: "localhost:1001"

From the error message, it appears that the _openssl.so provided by openresty does not have this backported feature, but the system OpenSSL, which appears to not be invoked, does?

@neomantra
Member

I recall seeing another issue somewhere sorta like this... try building luaossl against OpenResty's OpenSSL library?

@karai17
Author

karai17 commented Sep 23, 2020

How would I go about doing that? The Luarocks documentation leaves a lot to be desired.

@neomantra
Member

neomantra commented Sep 23, 2020

This might be what I was thinking of: #36

Maybe this helps too: leafo/lapis#632
In that bug they have this:

/usr/local/openresty/luajit/bin/luarocks install lapis CRYPTO_DIR=/usr/local/openresty/openssl/ OPENSSL_DIR=/usr/local/openresty/openssl/ 

The directory is /usr/local/openresty/openssl111 ?

$ docker run -it --rm  --entrypoint=/bin/bash openresty/openresty:centos-rpm  -c "ls /usr/local/openresty/openssl111/lib"
engines-1.1  libcrypto.so  libcrypto.so.1.1  libssl.so	libssl.so.1.1

@karai17
Author

karai17 commented Sep 23, 2020

No bueno. OpenResty does not provide source files and the source files provided by the system have the same backport conflict, as expected.

RUN luarocks install lapis CRYPTO_DIR=/usr/local/openresty/openssl111/ CRYPTO_INCDIR=/usr/include/ OPENSSL_DIR=/usr/local/openresty/openssl111/ OPENSSL_INCDIR=/usr/include/

@karai17
Author

karai17 commented Sep 23, 2020

I've fixed the issue! I needed to also install openresty-openssl-devel:

RUN yum -y install openssl-devel openresty-openssl-devel
RUN luarocks install lapis CRYPTO_DIR=/usr/local/openresty/openssl/ CRYPTO_INCDIR=/usr/local/openresty/openssl/include OPENSSL_DIR=/usr/local/openresty/openssl OPENSSL_INCDIR=/usr/local/openresty/openssl/include

Interestingly enough, when I installed openresty-openssl-devel it added the openssl directory to /usr/local/openresty alongside openssl111.

I also have the system openssl-devel installed because luasec and bcrypt were complaining at me and I didn't feel like spending more time on this.
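
The loader error in the original report names a versioned symbol that the module imports but that the libcrypto resolved at load time does not export. The following is an added diagnostic example, not code from this thread or from OpenResty: the helper names and the symbol listings are constructed, laid out the way `objdump -T` prints dynamic symbols, and they show how to confirm which library a module's headers and link target have to come from.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names and listings are constructed.

# Print "SYMBOL VERSION" taken from a loader "undefined symbol" error line.
missing_symbol() {
    printf '%s\n' "$1" |
        sed -n 's/.*undefined symbol: \([A-Za-z0-9_]*\), version \([A-Za-z0-9_.]*\).*/\1 \2/p'
}

# Succeed if the `objdump -T` listing on stdin defines SYMBOL at VERSION.
# objdump -T prints the version next to last and the name last; imports
# are listed with the section *UND* and must not count as definitions.
defines_symbol() {
    awk -v sym="$1" -v ver="$2" '
        /\*UND\*/ { next }
        NF >= 2 {
            v = $(NF - 1); gsub(/[()]/, "", v)  # some versions are printed in parentheses
            if ($NF == sym && v == ver) found = 1
        }
        END { exit !found }'
}

# check LABEL LISTING SYMBOL VERSION: print one verdict line for a listing.
check() {
    if printf '%s\n' "$2" | defines_symbol "$3" "$4"; then
        echo "$1: defines $3@$4"
    else
        echo "$1: missing $3@$4"
    fi
}

# Constructed listings that mirror the situation in the report: a distribution
# libcrypto carrying the backport, a bundled one without it, and the module.
SYSTEM_LIBCRYPTO='0000000000185a10 g    DF .text  0000000000000030  OPENSSL_1_1_1b EVP_KDF_size
0000000000179e40 g    DF .text  0000000000000012  OPENSSL_1_1_0 EVP_MD_size'
OPENRESTY_LIBCRYPTO='0000000000171c20 g    DF .text  0000000000000012  OPENSSL_1_1_0 EVP_MD_size'
MODULE_IMPORTS='0000000000000000      DF *UND*  0000000000000000  OPENSSL_1_1_1b EVP_KDF_size'
ERROR_LINE='/usr/local/openresty/luajit/lib/lua/5.1/_openssl.so: undefined symbol: EVP_KDF_size, version OPENSSL_1_1_1b'

# On a real image, pipe `objdump -T <library>` into defines_symbol instead,
# e.g. for /usr/local/openresty/openssl111/lib/libcrypto.so.1.1.
set -- $(missing_symbol "$ERROR_LINE")
check system "$SYSTEM_LIBCRYPTO" "$1" "$2"
check openresty "$OPENRESTY_LIBCRYPTO" "$1" "$2"
check module "$MODULE_IMPORTS" "$1" "$2"   # imports only, so it reports "missing"
```

A module that imports a symbol only one of the two libraries defines was compiled against that library's headers, which is why the build has to take headers and libraries from the same OpenSSL installation.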
