
I have two machines (Ubuntu) running identical code to connect to a websocket via SSL.

On one machine it works perfectly (OpenSSL was installed via the Ubuntu package manager).

However, on the second machine I built OpenSSL from source and now get an error whilst trying to establish the handshake:

OpenSSL failed - error:0A000086:SSL routines::certificate verify failed

My assumption is OpenSSL requires a file which the second machine cannot find due to the build from source?

This is a list of what I did:

I git-cloned the OpenSSL source and ran these instructions to build/install:

cd openssl
# --openssldir sets OPENSSLDIR, the directory this build will look in for openssl.cnf and its trust store (cert.pem / certs/); it is compiled into the library
./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl -d shared no-asm no-ssl2 -g3 -ggdb -gdwarf-4 -fno-inline -O0 -fno-omit-frame-pointer -static
make
make install

CMake complained it couldn't find OpenSSL and recommended I set OPENSSL_ROOT_DIR. Below is the path where my libs were installed, so I set this:

set (OPENSSL_ROOT_DIR /usr/local/ssl/lib64/)

which seemed to work in terms of cmake, compiling and linking.

Below are all my CMake lines relating to OpenSSL:

set (OPENSSL_USE_STATIC_LIBS TRUE)
# FindOpenSSL treats OPENSSL_ROOT_DIR as the install prefix (it searches include/ and lib{,64}/ beneath it);
# it only affects where headers and libraries are found at build time, not where the built binary looks for its trust store
set (OPENSSL_ROOT_DIR /usr/local/ssl/lib64/)

if (NOT OPENSSL_FOUND)
    find_package(OpenSSL REQUIRED)
endif()

add_definitions(${OPENSSL_DEFINITIONS})

target_include_directories(my_project PUBLIC $<BUILD_INTERFACE:${OPENSSL_INCLUDE_DIR}>)
target_link_libraries(my_project PRIVATE ${OPENSSL_LIBRARIES})

What have I missed/not set?

UPDATE:

(screenshot of the certificate paths, not reproduced here)

intrigued_66
  • Please check the path to the trust store (see linked post) and make sure that the trusted CAs are actually there. Very likely they are not for the version of openssl you compiled yourself, since you've built with a different prefix. – Steffen Ullrich Aug 02 '22 at 16:45
  • @SteffenUllrich thank you for the response. Before I check, I only used that path because it was in a guide I followed. What path would you recommend I use? /usr/local/ssl? If I re-run using the "typical" path, perhaps that will fix it? – intrigued_66 Aug 02 '22 at 16:53
  • Using the path already used by the existing openssl installation will overwrite it - probably not what you want. Instead link the trust store to the expected path, i.e. something like `ln -s /usr/lib/ssl/certs/ca-certificates.crt /usr/local/ssl`. – Steffen Ullrich Aug 02 '22 at 17:00
  • @SteffenUllrich Actually, on the second machine I want to use the build I compile from source, so there is no "existing" installation. So I think I could just re-run with a different path? (But I am interested how I could have both co-exist) – intrigued_66 Aug 02 '22 at 17:04
  • Just checking those paths.... I'll update the question with screenshot – intrigued_66 Aug 02 '22 at 17:05
  • That file is located at: /usr/lib/ssl/certs/ca-certificates.crt – intrigued_66 Aug 02 '22 at 17:08
  • *"That file is located at: /usr/lib/ssl/certs/ca-certificates.crt"* - but this is not where your new openssl is looking for it. Check with `openssl version -d`, it will likely show `/usr/local/ssl` and thus will expect the file in `/usr/local/ssl/cacert.pem`. – Steffen Ullrich Aug 02 '22 at 17:19
  • @SteffenUllrich Correct. `openssl version -d` does return `/usr/local/ssl`. So the problem is simply that I used a different install path? If so, why is the certificate path hard-coded? Surely a variable should represent the fact I changed the install path? – intrigued_66 Aug 02 '22 at 17:58
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/246978/discussion-between-steffen-ullrich-and-mezamorphic). – Steffen Ullrich Aug 02 '22 at 18:11
  • @SteffenUllrich Replying here as I was away for a few days. So I re-ran the config script with no arguments (for prefix and openssl dir) but I still had the same problem: having to create a symlink for the certificates. So my question is: what arguments are we supposed to use so we don't need to create a symlink later? – intrigued_66 Aug 07 '22 at 16:32
  • *"config script with no arguments (for prefix and openssl dir)"* - there are defaults which might not match what you have on your system, see the INSTALL file in the source code. If you want to match what you have on your system then call your system openssl with `openssl version -d` to check the OPENSSLDIR and then use this for the --openssldir argument. – Steffen Ullrich Aug 07 '22 at 16:50
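The check Steffen Ullrich walks through in the comments (read OPENSSLDIR from `openssl version -d`, see whether a trust store is actually there, and if not link the distro bundle in rather than overwriting the system install) as a small diagnostic script. This is an added example, not code from the question or from OpenSSL; it assumes OpenSSL's stock defaults (CA bundle at `$OPENSSLDIR/cert.pem`, hashed CA files under `$OPENSSLDIR/certs/`), the Ubuntu bundle path quoted above, and a self-built binary at `/usr/local/ssl/bin/openssl`.

```shell
#!/bin/sh
# Added diagnostic for a self-built OpenSSL whose OPENSSLDIR has no trust store.
# Assumes OpenSSL defaults: $OPENSSLDIR/cert.pem (bundle) and $OPENSSLDIR/certs/ (hashed dir).

# check_trust_store DIR: 0 if DIR holds a usable trust store, 1 otherwise.
check_trust_store() {
    dir=$1
    if [ -s "$dir/cert.pem" ]; then
        echo "ok: CA bundle found at $dir/cert.pem"
        return 0
    fi
    if [ -d "$dir/certs" ] && [ -n "$(ls -A "$dir/certs" 2>/dev/null)" ]; then
        echo "ok: hashed CA directory found at $dir/certs"
        return 0
    fi
    echo "missing: neither $dir/cert.pem nor a non-empty $dir/certs/ exists"
    return 1
}

# openssldir_of BINARY: print the OPENSSLDIR compiled into BINARY,
# parsed from the 'OPENSSLDIR: "/path"' line of `openssl version -d`.
openssldir_of() {
    "$1" version -d 2>/dev/null | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# suggest_fix DIR BUNDLE: the symlink that exposes the distro bundle to the
# self-built OpenSSL without touching the distro installation.
suggest_fix() {
    echo "ln -s '$2' '$1/cert.pem'"
}

# diagnose [BINARY] [BUNDLE]: run the whole check against a real binary.
diagnose() {
    bin=${1:-/usr/local/ssl/bin/openssl}
    bundle=${2:-/usr/lib/ssl/certs/ca-certificates.crt}
    dir=$(openssldir_of "$bin")
    [ -n "$dir" ] || { echo "cannot query $bin"; return 2; }
    echo "$bin was built with OPENSSLDIR=$dir"
    check_trust_store "$dir" && return 0
    [ -s "$bundle" ] || { echo "distro bundle $bundle not found either"; return 1; }
    echo "fix (keeps the distro store intact):"
    suggest_fix "$dir" "$bundle"
    return 1
}

# usage: sh check_trust_store.sh [openssl-binary] [ca-bundle]
if [ "$#" -gt 0 ]; then diagnose "$@"; fi
```

Run it with the self-built binary first and then with the distro `openssl`: the two OPENSSLDIR values explain why the same code verifies on one machine and fails with `certificate verify failed` on the other.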
