Tag Archives: openssl

[Solved] ERROR: Failed building wheel for pycryptodome

Solution for the pip installation error “Failed building wheel for pycryptodome”

1. Problem

pip install pycryptodome fails while building the wheel; the error stack refers to OpenSSL:

 ERROR: Failed building wheel for pycryptodome

2. Solution

# ① install Homebrew
# ② install [email protected]
# ③ point the build at that OpenSSL and run the install again
env LDFLAGS="-L$(brew --prefix openssl)/lib" CFLAGS="-I$(brew --prefix openssl)/include" pip install pycryptodome

3. Other notes

On Apple Silicon machines try the following instead, since the default Homebrew prefix is different there:

export LDFLAGS="-L/opt/homebrew/opt/[email protected]/lib"
export CPPFLAGS="-I/opt/homebrew/opt/[email protected]/include"

You can check where Homebrew installed OpenSSL yourself with:

brew info openssl

If you want to install an older version of cryptography (such as 2.9.x), you must link against [email protected] instead of [email protected].

brew install openssl itself prints the export lines you need.


[Solved] error LNK2005: _bn_sub_part_words Already defined in bn_mul.obj

Compiling OpenSSL on Windows with the nasm assembler build ends with the following linker error:

link /nologo /subsystem:console /opt:ref /debug /dll /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def @C:\Users\Unst\AppData\Local\Temp\nm75AD.tmp
bn-586.obj : error LNK2005: _bn_sub_part_words already defined in bn_mul.obj
   Creating library out32dll\libeay32.lib and object out32dll\libeay32.exp
mem.obj : error LNK2001: unresolved external symbol _cleanse_ctr
out32dll\libeay32.dll : fatal error LNK1120: 1 unresolved externals
NMAKE : fatal error U1077: '"D:\Program Files\Microsoft Visual Studio 10.0\VC\BIN\link.EXE"' : return code '0x460'
Stop.


Solution: Delete the OpenSSL directory and try again.

[Solved] Error in OpenSSL when compiling code locally on a Raspberry Pi


Error output:

/usr/lib/gcc/arm-linux-gnueabihf/6/../../../libcurl.so: undefined reference to `[email protected]_1_1_1'
/usr/lib/gcc/arm-linux-gnueabihf/6/../../../libcurl.so: undefined reference to `[email protected]_1_1_1'
/usr/lib/gcc/arm-linux-gnueabihf/6/../../../libcurl.so: undefined reference to `[email protected]_1_1_1'

Querying the OpenSSL version on the Raspberry Pi itself also fails:

openssl version

Error output:

openssl: /usr/lib/arm-linux-gnueabihf/libssl.so.1.1: version `OPENSSL_1_1_1' not found (required by openssl)
openssl: /usr/lib/arm-linux-gnueabihf/libcrypto.so.1.1: version `OPENSSL_1_1_1' not found (required by openssl)

Cause:

The LD_LIBRARY_PATH environment variable does not include the directory of the newly built OpenSSL, so the dynamic loader still picks up the old system OpenSSL library.

Solution:

Temporary solution: enter the following command in the terminal to add the OpenSSL library directory to the loader search path. This only affects the current terminal; a newly opened terminal will report the error again.

export LD_LIBRARY_PATH=/usr/local/lib

Permanent solution: add the export to the hidden .bashrc file in the home directory. On the Raspberry Pi, for example:

vi /home/pi/.bashrc
export LD_LIBRARY_PATH=/usr/local/lib    (add this line to the file)
source ~/.bashrc
sudo reboot

Or append the line with a single command:

echo "export LD_LIBRARY_PATH=/usr/local/lib" >> ~/.bashrc 

After that, run the following to check that OpenSSL now works:

[email protected]:~ $ openssl
OpenSSL> version
OpenSSL 1.1.1l  24 Aug 2021
OpenSSL> q

With that the problem is solved and the code compiles without the error.
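To see why the loader chose the old library, it helps to reproduce its search order: directories in LD_LIBRARY_PATH are tried first, then the system directories from the ldconfig cache. The script below is an added example, not code from the original post; it resolves a library name the way the loader does and approximates `objdump -T | grep OPENSSL_1_1_1` by looking for the version node string in the file. The fixture it builds (two fake libssl.so.1.1 files in a temporary directory) is constructed for the demo.

```python
"""Added example (not from the original post): reproduce the dynamic loader's
library search order to see why `openssl` picks up the old system libssl,
and check whether the chosen library carries the OPENSSL_1_1_1 version node."""
import os
import tempfile

# Search order for a library name: LD_LIBRARY_PATH entries first, then the
# system directories (approximated here by a fixed list; the real loader
# reads /etc/ld.so.cache, which ldconfig builds from /etc/ld.so.conf.d).
DEFAULT_SYSTEM_DIRS = [
    "/lib/arm-linux-gnueabihf", "/usr/lib/arm-linux-gnueabihf", "/lib", "/usr/lib",
]


def resolve_library(soname, ld_library_path, system_dirs=DEFAULT_SYSTEM_DIRS):
    """Return the first path where `soname` exists, following the loader order."""
    search = [d for d in ld_library_path.split(":") if d] + list(system_dirs)
    for directory in search:
        candidate = os.path.join(directory, soname)
        if os.path.isfile(candidate):
            return candidate
    return None


def has_version_node(path, node):
    """Approximate `objdump -T path | grep node`: symbol version definitions
    live as NUL-terminated strings in the library's .dynstr table."""
    with open(path, "rb") as fh:
        return (node.encode() + b"\0") in fh.read()


def diagnose(soname, node, ld_library_path, system_dirs=DEFAULT_SYSTEM_DIRS):
    """Which file the loader would pick and whether it satisfies `node`."""
    path = resolve_library(soname, ld_library_path, system_dirs)
    if path is None:
        return {"path": None, "ok": False, "reason": f"{soname} not found"}
    ok = has_version_node(path, node)
    reason = "" if ok else f"version `{node}' not found in {path}"
    return {"path": path, "ok": ok, "reason": reason}


def demo():
    """Constructed fixture: an old system libssl that only defines the
    OPENSSL_1_1_0 node, and a freshly built one under a fake /usr/local/lib
    that also defines OPENSSL_1_1_1. Neither file is a real ELF object."""
    root = tempfile.mkdtemp(prefix="ldpath-demo-")
    system_dir = os.path.join(root, "usr", "lib", "arm-linux-gnueabihf")
    local_dir = os.path.join(root, "usr", "local", "lib")
    os.makedirs(system_dir)
    os.makedirs(local_dir)
    soname = "libssl.so.1.1"
    with open(os.path.join(system_dir, soname), "wb") as fh:
        fh.write(b"\x7fELF...fake...OPENSSL_1_1_0\0")
    with open(os.path.join(local_dir, soname), "wb") as fh:
        fh.write(b"\x7fELF...fake...OPENSSL_1_1_0\0OPENSSL_1_1_1\0")
    # Without LD_LIBRARY_PATH the system copy wins and lacks the node...
    before = diagnose(soname, "OPENSSL_1_1_1", "", [system_dir])
    # ...with /usr/local/lib in LD_LIBRARY_PATH the new build is picked.
    after = diagnose(soname, "OPENSSL_1_1_1", local_dir, [system_dir])
    return before, after


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Exporting LD_LIBRARY_PATH from .bashrc, as the post does, changes the library every program started from that shell sees. The equivalent system-wide fix is to put /usr/local/lib in a file under /etc/ld.so.conf.d and run ldconfig, which also avoids the "works only in this terminal" problem described above.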

[Solved] error: Failed dependencies libcrypto.so.10()(64bit) is needed, libssl.so.10()(64bit) is needed

Context: I was installing the percona-server-shared-compat-8.0.23-14.1.el8.x86_64.rpm package from the Percona Server for MySQL 8.0 bundle on CentOS 8. Even with the latest OpenSSL (version 1:1.1.1g-15.el8_3) installed, it did not help:

error: Failed dependencies:
	libcrypto.so.10()(64bit) is needed by percona-server-shared-compat-8.0.23-14.1.el8.x86_64.rpm
	libcrypto.so.10(libcrypto.so.10)(64bit) is needed by percona-server-shared-compat-8.0.23-14.1.el8.x86_64.rpm
	libssl.so.10()(64bit) is needed by percona-server-shared-compat-8.0.23-14.1.el8.x86_64.rpm
	libssl.so.10(libssl.so.10)(64bit) is needed by percona-server-shared-compat-8.0.23-14.1.el8.x86_64.rpm

Process: searching for the missing library led to
https://pkgs.org/download/libcrypto.so.10()(64bit)
where I found compat-openssl10, with an explanation to the effect that compat-openssl10 contains only the libraries and exists for compatibility with earlier releases and with software that cannot be built against OpenSSL 1.1:

The OpenSSL toolkit provides support for secure communications between machines. This version of OpenSSL package contains only the libraries and is provided for compatibility with previous releases and software that does not support compilation with OpenSSL-1.1.

A Stack Overflow answer explains the second form of each dependency: openssl provides libcrypto.so.10 without the module (symbol version) name in parentheses, so rpm considers the dependency missing:

In your case, openssl seems to provide only libcrypto.so.10 without any module name, making geramer-server believe that dependency is missing as it requires libcrypto.so.10 from module libcrypto.so.10.

https://stackoverflow.com/questions/20518183/dependency-resolution-fails-on-installed-library

Solution:
yum install compat-openssl10
or
yum install http://mirror.centos.org/centos/8/AppStream/x86_64/os/Packages/compat-openssl10-1.0.2o-3.el8.x86_64.rpm

Result:

Error Loading extension section usr_cert

When generating an OpenVPN client certificate with easy-rsa, the following error occurred:

[ root: /usr/share/easy-rsa] #/usr/share/easy-rsa/build-key --batch zzzz.29761
Using Common Name: zzzz.29761
Generating a 2048 bit RSA private key
...............+++
.................................................................+++
writing new private key to 'zzzz.29761.key'
-----
Using configuration from /usr/share/easy-rsa/openssl-1.0.0.cnf
Error Loading extension section usr_cert
140516636624544:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=CA_default name=email_in_dn
140516636624544:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:537:
140516636624544:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=subjectAltName, value=zzzz.29761

OpenVPN version information:

# openvpn --version
OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec  1 2014
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <[email protected]>

The cause was an extra parameter in the [usr_cert] section of the configuration file openssl-1.0.0.cnf: subjectAltName=email:copy.
Content of openssl-1.0.0.cnf (in the copy below that line is commented out):

[[email protected] 2.0]# cat openssl-1.0.0.cnf
# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*

# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd
openssl_conf            = openssl_init

[ openssl_init ]
# Extra OBJECT IDENTIFIER info:
#oid_file               = $ENV::HOME/.oid
oid_section             = new_oids
engines                 = engine_section

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions            =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = $ENV::KEY_DIR         # Where everything is kept
certs           = $dir                  # Where the issued certs are kept
crl_dir         = $dir                  # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir                  # default place for new certs.

certificate     = $dir/ca.crt           # The CA certificate
serial          = $dir/serial           # The current serial number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/ca.key           # The private key
RANDFILE        = $dir/.rand            # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 3650                  # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha256                # use public key default MD
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_anything

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
name                    = optional
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
name                    = optional
emailAddress            = optional

####################################################################
[ req ]
default_bits            = $ENV::KEY_SIZE
default_keyfile         = privkey.pem
default_md              = sha256
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString (PKIX recommendation after 2004).
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
string_mask = nombstr

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = $ENV::KEY_COUNTRY
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = $ENV::KEY_PROVINCE

localityName                    = Locality Name (eg, city)
localityName_default            = $ENV::KEY_CITY

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = $ENV::KEY_ORG

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_max                  = 64

name                            = Name
name_max                        = 64

emailAddress                    = Email Address
emailAddress_default            = $ENV::KEY_EMAIL
emailAddress_max                = 40

# JY -- added for batch mode
organizationalUnitName_default = $ENV::KEY_OU
commonName_default = $ENV::KEY_CN
name_default = $ENV::KEY_NAME


# SET-ex3                       = SET extension number 3

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20

unstructuredName                = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType                    = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment                       = "Easy-RSA Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
keyUsage = digitalSignature


# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ server ]

# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType                     = server
nsComment                      = "Easy-RSA Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

[ engine_section ]
#
# If you are using PKCS#11
# Install engine_pkcs11 of opensc (www.opensc.org)
# And uncomment the following
# verify that dynamic_path points to the correct location
#
#pkcs11 = pkcs11_section

[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = $ENV::PKCS11_MODULE_PATH
PIN = $ENV::PKCS11_PIN
init = 0

References:
1. Error Loading extension section usr_cert (openvpn configuration file): http://stackoverflow.com/questions/24255205/error-loading-extension-section-usr-cert
2. http://www-2w.blog.163.com/blog/static/9793151820111010253869/
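The log above shows where OpenSSL stopped: `v2i_GENERAL_NAME_ex: missing value` with `name=subjectAltName, value=zzzz.29761`, i.e. the altName ended up as a bare string without the `type:` prefix that every subjectAltName entry needs (`DNS:`, `email:`, `IP:`, `URI:`, or the special `email:copy`). The `email_in_dn` line before it is only OpenSSL looking up an optional setting. The following script is an added example, not code from the original post or from easy-rsa: it parses an OpenSSL-style .cnf file, expands `$ENV::` references the way OpenSSL does, and validates every subjectAltName and issuerAltName value before `ca` is run. The sample config and the `$ENV::KEY_ALTNAME` variable in it are constructed for the demo.

```python
"""Added example (not from the original post or from easy-rsa): parse an
OpenSSL-style .cnf file and validate every subjectAltName / issuerAltName
value as OpenSSL's X509V3_parse_list expects it: a comma-separated list of
type:value entries (DNS:, email:, IP:, URI:, ... or email:copy)."""
import re

SECTION_RE = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]\s*$")
ENV_RE = re.compile(r"\$ENV::(\w+)")
GN_TYPES = {"email", "URI", "DNS", "RID", "IP", "dirName", "otherName"}
ALTNAME_KEYS = ("subjectAltName", "issuerAltName")


def parse_openssl_cnf(text):
    """Return {section: {key: value}}. Keys before the first [section] land in
    'default'; '#' comments and blank lines are dropped (a '#' inside a quoted
    value is not handled, which is enough for easy-rsa's file)."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def expand_env(value, env):
    """Expand $ENV::NAME like OpenSSL; an unset variable is an error there
    ('variable has no value'), so raise instead of silently using ''."""
    def sub(m):
        if m.group(1) not in env:
            raise KeyError(m.group(1))
        return env[m.group(1)]
    return ENV_RE.sub(sub, value)


def validate_general_names(value, key):
    """Problems OpenSSL would raise for one altName value, or [] if clean."""
    problems = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if ":" not in entry:
            # The case behind "v2i_GENERAL_NAME_ex: missing value".
            problems.append(f"missing value: {entry!r} has no type: prefix")
            continue
        typ, val = (s.strip() for s in entry.split(":", 1))
        if typ == "email" and val in ("copy", "move"):
            continue
        if typ == "issuer" and val == "copy" and key == "issuerAltName":
            continue
        if typ not in GN_TYPES:
            problems.append(f"unsupported option {typ!r} in {entry!r}")
        elif not val:
            problems.append(f"empty value in {entry!r}")
    return problems


def check_altnames(text, env):
    """Map (section, key) -> problems for every altName in the file."""
    findings = {}
    for section, entries in parse_openssl_cnf(text).items():
        for key in ALTNAME_KEYS:
            if key not in entries:
                continue
            try:
                value = expand_env(entries[key], env)
            except KeyError as missing:
                findings[(section, key)] = [f"$ENV::{missing.args[0]} has no value"]
                continue
            problems = validate_general_names(value, key)
            if problems:
                findings[(section, key)] = problems
    return findings


# Constructed sample in the shape of easy-rsa's openssl-1.0.0.cnf; the
# $ENV::KEY_ALTNAME variable is an assumption for the demo, not easy-rsa's.
SAMPLE_CNF = """\
[ ca ]
default_ca      = CA_default            # The default ca section

[ CA_default ]
dir             = $ENV::KEY_DIR
x509_extensions = usr_cert

[ usr_cert ]
basicConstraints=CA:FALSE
subjectAltName=$ENV::KEY_ALTNAME
# issuerAltName=issuer:copy

[ server ]
basicConstraints=CA:FALSE
subjectAltName=DNS:vpn.example.test, email:copy
"""

if __name__ == "__main__":
    print(check_altnames(SAMPLE_CNF, {"KEY_ALTNAME": "zzzz.29761"}))      # flagged
    print(check_altnames(SAMPLE_CNF, {"KEY_ALTNAME": "DNS:zzzz.29761"}))  # clean
```

Run it against the real file with the easy-rsa `vars` exported (`env` holds the KEY_* variables) and an empty result means `ca` will not trip over an altName; a commented-out line, as in the file above, simply yields no subjectAltName at all.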

[WeChat Payment] Generating apiclient_key.pem with the OpenSSL command reports cURL error 58

Problem description
The team only has the file apiclient_cert.p12, but the PHP project needs apiclient_cert.pem and apiclient_key.pem as the certificate for refund operations.
Following the WeChat Pay documentation at https://pay.weixin.qq.com/wiki/doc/api/tools/mch_pay.php?chapter=4_3, the command used was:

openssl pkcs12 -nocerts -in apiclient_cert.p12 -out apiclient_key.pem

That command asks for the merchant ID as the import password and then also asks you to set a pass phrase for the exported file.
After importing the resulting file into the project, the project fails with cURL error 58.
Solution
Correct the export command to:

openssl pkcs12 -nodes -clcerts -in apiclient_cert.p12 -out apiclient_key.pem

Error 9 at 1 depth lookup: certificate is not yet valid

Environment: Ubuntu 16.04 as the HTTPS server (implemented with libevent); an ARM development board as the HTTPS client (implemented with libcurl).
The root certificate, the server certificate and key, and the client certificate and key were all generated on Ubuntu. When verifying the certificate on the development board, or when connecting over HTTPS, the error “Error 9 at 1 depth lookup: certificate is not yet valid” is reported:

openssl verify -CAfile cacert.pem  cert.pem

Reason: the time zones do not match. The development board runs in the UTC time zone and Ubuntu in CST. If the certificate is generated at 7 o'clock on the development board and checked on Ubuntu, Ubuntu's clock reads only 11 o'clock, the certificate's start time has not yet been reached, and verification reports it as not yet valid.
Solution: change the Ubuntu time zone from CST to UTC:

ln -sf /usr/share/zoneinfo/UTC /etc/localtime
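Certificate validity times are stored in GMT, so OpenSSL compares absolute time: a host whose wall clock is correct for its own zone but disagrees with the other machine in UTC terms produces exactly this error. The script below is an added example, not code from the original post; it parses the notBefore line that `openssl x509 -noout -startdate -in cert.pem` prints and compares it with a time-zone-aware clock, using the 7 o'clock / 11 o'clock figures from the post as a constructed scenario.

```python
"""Added example (not from the original post): parse the notBefore line that
`openssl x509 -noout -startdate -in cert.pem` prints and compare it with the
checking host's clock in UTC, the way OpenSSL itself compares certificate
times (they are always stored in GMT, independent of the local time zone)."""
from datetime import datetime, timedelta, timezone

OPENSSL_TIME = "%b %d %H:%M:%S %Y"   # "Aug 24 07:00:00 2021", followed by " GMT"


def parse_openssl_time(line):
    """Accept 'notBefore=Aug 24 07:00:00 2021 GMT' or only the time part.
    openssl pads single-digit days with a space ("Aug  4 ..."), which
    strptime tolerates because whitespace in the format matches a run."""
    text = line.split("=", 1)[1] if "=" in line else line
    text = text.strip()
    if text.endswith(" GMT"):
        text = text[:-4]
    return datetime.strptime(text, OPENSSL_TIME).replace(tzinfo=timezone.utc)


def validity_status(not_before, now):
    """('ok', 0) or ('not yet valid', how far notBefore lies in the future)."""
    now_utc = now.astimezone(timezone.utc)
    if now_utc < not_before:
        return "not yet valid", not_before - now_utc
    return "ok", timedelta(0)


def demo():
    """Constructed scenario from the post: the certificate is generated on the
    board at 07:00 (board clock in UTC); the Ubuntu host's clock reads 11:00
    in CST (UTC+8), which is only 03:00 UTC, four hours before notBefore."""
    cst = timezone(timedelta(hours=8), "CST")
    not_before = parse_openssl_time("notBefore=Aug 24 07:00:00 2021 GMT")
    ubuntu_now = datetime(2021, 8, 24, 11, 0, 0, tzinfo=cst)
    status, skew = validity_status(not_before, ubuntu_now)
    # The fix in the post amounts to the host clock reading 11:00 in UTC:
    status_after, _ = validity_status(not_before, ubuntu_now.replace(tzinfo=timezone.utc))
    return status, skew, status_after


if __name__ == "__main__":
    print(demo())
```

The returned skew (four hours here) is the number to look at: if the two machines disagree by that much in UTC, one clock is wrong in absolute terms, and keeping both synchronised with NTP avoids the problem regardless of which zone each displays.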


OpenLDAP main: TLS init def ctx failed: -1

Problem

system: Ubuntu 14.04
version: OpenLDAP 2.4.42
tool: slapd ldap-utils openssl libssl-dev

The certificate was created with openssl and added to the cn=config database, but restarting the service failed with the following error in syslog:
“main: TLS init def ctx failed: -1”

I created the cert file with openssl on Ubuntu 14.04, so I had installed openssl/libssl-cert before; the error appeared in this environment. When I started the service, it failed with “main: TLS init def CTX failed: -1” in syslog.

Solution

It worked after the following steps:

  1. Check that the certificate file paths in the cn=config configuration exist and are correct.
  2. Check the file permissions of the certificate and key:
    chown openldap.openldap /etc/ssl/certs/ldapcert.pem
    chown openldap.openldap /etc/ssl/private/ldapkey.pem
    chmod -R 0400 /etc/ssl/certs/ldapcert.pem
    chmod -R 0400 /etc/ssl/private/ldapkey.pem
    Example:
    -rw-r--r-- 1 root     root     1383 Dec 1 09:47 /etc/ssl/certs/cacert.pem
    -r-------- 1 openldap openldap 3808 Dec 1 09:48 /etc/ssl/certs/ldapcert.pem
    -r-------- 1 openldap openldap  891 Dec 1 09:47 /etc/ssl/private/ldapkey.pem
  3. Check that libssl-dev and ssl-cert are installed, especially ssl-cert.
  4. Check that user openldap has been added to group ssl-cert: adduser openldap ssl-cert
  5. Check that the certificate verifies against the CA:
    openssl verify -CAfile /etc/ssl/certs/cacert.pem /etc/ssl/certs/ldapcert.pem
  6. Check AppArmor. Together with step 1: if your cert file is not under /etc/ssl/..., add its path to /etc/apparmor.d/usr.sbin.slapd, then reload the AppArmor service:
    /etc/init.d/apparmor reload
    If you have any other question, do feel free to contact me at 32634366 @qq.com

    ps:
    I was stuck with this for a long time; it worked after I installed ssl-cert and added user openldap to group ssl-cert.

    ref:
    http://readthefuckingmanual.net/error/1257/
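Steps 2 and 6 above (owner, mode and location of the certificate and key files) can be checked in one script; the unencrypted apiclient_key.pem that `-nodes` writes in the WeChat post above deserves the same mode check. The following is an added example, not code from the original post, from OpenLDAP or from WeChat Pay. The allowed-directory list is an assumption taken from step 6 and should be adjusted to the slapd AppArmor profile actually in use; the demo builds a placeholder key file in a temporary directory, not a real key.

```python
"""Added example (not from the original post): check TLS certificate and key
files the way a service such as slapd needs them: the file exists, has the
expected owner, the private key is not group- or world-readable, and the
path lies inside a directory the AppArmor profile allows."""
import os
import pwd
import stat
import tempfile

# Assumption: directories the default slapd AppArmor profile may read from.
ALLOWED_PREFIXES = ("/etc/ssl/",)


def owner_name(path):
    return pwd.getpwuid(os.stat(path).st_uid).pw_name


def check_tls_file(path, expected_owner, is_private_key, allowed_prefixes=ALLOWED_PREFIXES):
    """Return a list of problems; an empty list means the file is usable."""
    if not os.path.isfile(path):
        return [f"{path}: does not exist (check the path in cn=config)"]
    st = os.stat(path)
    problems = []
    actual_owner = owner_name(path)
    if actual_owner != expected_owner:
        problems.append(f"{path}: owner is {actual_owner}, expected {expected_owner}")
    mode = stat.S_IMODE(st.st_mode)
    if not mode & stat.S_IRUSR:
        problems.append(f"{path}: mode {mode:04o} does not let the owner read the file")
    if is_private_key and mode & 0o077:
        # Matches the chmod 0400 in step 2: nobody but the owner may read a key.
        problems.append(f"{path}: mode {mode:04o} lets group/others read the private key")
    real = os.path.realpath(path)
    if not any(real.startswith(prefix) for prefix in allowed_prefixes):
        problems.append(f"{path}: outside {allowed_prefixes}; add it to the apparmor profile")
    return problems


def demo():
    """Constructed fixture: a placeholder key file (not a real key) checked
    first with a loose mode, then with 0400, then against the default prefixes."""
    root = tempfile.mkdtemp(prefix="ldap-tls-")
    key = os.path.join(root, "ldapkey.pem")
    with open(key, "w") as fh:
        fh.write("-----BEGIN PRIVATE KEY-----\nconstructed placeholder\n-----END PRIVATE KEY-----\n")
    me = pwd.getpwuid(os.getuid()).pw_name
    here = (os.path.realpath(root) + os.sep,)
    os.chmod(key, 0o644)
    loose = check_tls_file(key, me, True, allowed_prefixes=here)
    os.chmod(key, 0o400)
    tight = check_tls_file(key, me, True, allowed_prefixes=here)
    elsewhere = check_tls_file(key, me, True)   # default prefixes: /etc/ssl/
    return loose, tight, elsewhere


if __name__ == "__main__":
    for problems in demo():
        print(problems or "ok")
```

In production the call is `check_tls_file("/etc/ssl/private/ldapkey.pem", "openldap", True)` for the key and the same with `False` for the certificate, which mirrors the `ls -l` output shown in step 2.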