Algo: Server deploys fail when LibreSSL is the system default

Created on 17 Jul 2017  ·  3 Comments  ·  Source: trailofbits/algo

Deploys fail when the user has replaced their default SSL library with LibreSSL. This typically happens on macOS users that have messed with Homebrew a little too much. Here's an example error message:

TASK [vpn : Build the CA pair] *
fatal: [67.205.173.51 -> localhost]: FAILED! => {“changed”: true, “cmd”: “openssl ecparam -name prime256v1 -out ecparams/prime256v1.pem && openssl req -utf8 -new -newkey ec:ecparams/prime256v1.pem -config openssl.cnf -keyout private/cakey.pem -out cacert.pem -x509 -days 3650 -batch -passout pass:\“1c0febfbd771b101c04485846a08a15f\” && touch 67.205.173.51_ca_generated”, “delta”: “0:00:00.039275", “end”: “2017-07-14 18:10:14.276884", “failed”: true, “rc”: 1, “start”: “2017-07-14 18:10:14.237609", “stderr”: “error on line 113 of openssl.cnf\n140734815302536:error:0E065068:configuration file routines:STR_COPY:variable has no value:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/conf/conf_def.c:573:line 113", “stdout”: “”, “stdout_lines”: [], “warnings”: []}
TASK [vpn : debug] *
ok: [67.205.173.51] => {
“fail_hint”: [
“Sorry, but something went wrong!“,
“Please check the troubleshooting guide.“,
“https://trailofbits.github.io/algo/troubleshooting.html”
]
}
TASK [vpn : fail] **
fatal: [67.205.173.51]: FAILED! => {“changed”: false, “failed”: true, “msg”: “Failed as requested from task”}

We should either fix the install scripts to work with LibreSSL or add an entry to the Troubleshooting page about it.

ansible_server_deploy documentation

All 3 comments

Did you try to execute the failed line manually? That could offer additional insight as to what exactly goes wrong.

The command that seems to fail:

openssl ecparam -name prime256v1 -out ecparams/prime256v1.pem && openssl req -utf8 -new -newkey ec:ecparams/prime256v1.pem -config openssl.cnf -keyout private/cakey.pem -out cacert.pem -x509 -days 3650 -batch -passout pass:\“1c0febfbd771b101c04485846a08a15f\” && touch 67.205.173.51_ca_generated

> This typically happens on macOS users that have messed with Homebrew a little too much

macOS High Sierra (beta) switched to LibreSSL as well

macOS High Sierra has this issue, as it appears to ship with a version of LibreSSL:

% openssl version
LibreSSL 2.2.7

As a workaround, you can install openssl through brew, and export it into your path (as instructed in brew info openssl) to get ./algo to succeed.
e.g.

brew install openssl;
export PATH="/usr/local/opt/openssl/bin:$PATH"
./algo
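
A pre-flight check for the condition discussed in this thread, as an added example that is not part of the original issue or of Algo's own scripts: it inspects the `openssl` found first on PATH and, when that binary reports LibreSSL, points at the Homebrew workaround from the comment above. The function names and the `BREW_OPENSSL_BIN` variable are hypothetical; the default path is the one given in that workaround.

```bash
#!/usr/bin/env bash
# Added example (not Algo code): refuse to deploy when `openssl` on PATH is LibreSSL.

# Classify the first line of `openssl version` output.
# Prints "libressl", "openssl" or "unknown".
classify_openssl() {
  case "$1" in
    LibreSSL\ *) echo libressl ;;
    OpenSSL\ *)  echo openssl ;;
    *)           echo unknown ;;
  esac
}

# Returns 0 when the first openssl on PATH is real OpenSSL,
# 1 when it is LibreSSL or unrecognised, 2 when no openssl is found.
# BREW_OPENSSL_BIN (hypothetical override) defaults to the path from the workaround.
openssl_preflight() {
  local brew_bin bin version kind
  brew_bin="${BREW_OPENSSL_BIN:-/usr/local/opt/openssl/bin}"
  bin="$(command -v openssl)" || { echo "openssl: not found on PATH" >&2; return 2; }
  version="$("$bin" version 2>/dev/null | head -n 1)"
  kind="$(classify_openssl "$version")"
  if [ "$kind" = openssl ]; then
    echo "ok: $bin ($version)"
    return 0
  fi
  echo "warning: $bin reports '$version'; the CA build step may fail" >&2
  if [ -x "$brew_bin/openssl" ]; then
    # Homebrew OpenSSL is installed but not first on PATH.
    echo "hint: export PATH=\"$brew_bin:\$PATH\"" >&2
  else
    echo "hint: brew install openssl, then put its bin directory first on PATH" >&2
  fi
  return 1
}
```

Source the file and run `openssl_preflight && ./algo` so the deploy only starts when the check passes.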