You are linking against OpenSSL 0.9.8, which is no longer supported

Made the mistake of updating OS to Sierra. Now I’m running into an issue when I vagrant up saying I need to update openssl to a newer version because OpenSSL 0.9.8 is no longer supported.

I know this is not an issue with Trellis, I thought I would post regardless.

I’ve tried getting openssl updated with the following, but with no luck.

brew update
brew install openssl
brew link openssl --force

Has anyone run into this issue and resolved it?

Could you give us the output of:
$ which openssl
and
$ openssl version -a

My guess would be that macOS is still using the system version, not the Homebrew version. There’s a good article on how to upgrade on AskDifferent; see Cheeso’s response in particular.

The trick is renaming the old OpenSSL directory and creating a link to your new one installed using brew.

This seems to be a problem with Homebrew?

What I get when I install and apply the system link.

Warning: Refusing to link: openssl
Linking keg-only openssl means you may end up linking against the insecure,
deprecated system OpenSSL while using the headers from Homebrew's openssl.
Instead, pass the full include/library paths to your compiler e.g.:
  -I/usr/local/opt/openssl/include -L/usr/local/opt/openssl/lib
My-MBP:bin mymbp$ which openssl
/usr/local/bin/openssl
My-MBP:bin mymbp$ openssl version -a
OpenSSL 1.0.2j  26 Sep 2016
built on: reproducible build, date unspecified
platform: darwin64-x86_64-cc
options:  bn(64,64) rc4(ptr,int) des(idx,cisc,16,int) idea(int) blowfish(idx) 
compiler: clang -I. -I.. -I../include  -fPIC -fno-common -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/local/etc/openssl"

Debugging I get this

Traceback (most recent call last):
  File "/usr/local/bin/ansible-playbook", line 92, in <module>
    exit_code = cli.run()
  File "/Library/Python/2.7/site-packages/ansible/cli/playbook.py", line 132, in run
    inventory = Inventory(loader=loader, variable_manager=variable_manager, host_list=self.options.inventory)
  File "/Library/Python/2.7/site-packages/ansible/inventory/__init__.py", line 85, in __init__
    self.parse_inventory(host_list)
  File "/Library/Python/2.7/site-packages/ansible/inventory/__init__.py", line 144, in parse_inventory
    group.vars = combine_vars(group.vars, self.get_group_variables(group.name))
  File "/Library/Python/2.7/site-packages/ansible/inventory/__init__.py", line 509, in get_group_variables
    self._vars_per_group[groupname] = self._get_group_variables(groupname, vault_password=vault_password)
  File "/Library/Python/2.7/site-packages/ansible/inventory/__init__.py", line 527, in _get_group_variables
    vars = combine_vars(vars, self.get_group_vars(group))
  File "/Library/Python/2.7/site-packages/ansible/inventory/__init__.py", line 707, in get_group_vars
    return self._get_hostgroup_vars(host=None, group=group, new_pb_basedir=new_pb_basedir)
  File "/Library/Python/2.7/site-packages/ansible/inventory/__init__.py", line 746, in _get_hostgroup_vars
    results = combine_vars(results, self._variable_manager.add_group_vars_file(base_path, self._loader))
  File "/Library/Python/2.7/site-packages/ansible/vars/__init__.py", line 578, in add_group_vars_file
    (name, data) = self._load_inventory_file(path, loader)
  File "/Library/Python/2.7/site-packages/ansible/vars/__init__.py", line 535, in _load_inventory_file
    _found, results = self._load_inventory_file(path=p, loader=loader)
  File "/Library/Python/2.7/site-packages/ansible/vars/__init__.py", line 550, in _load_inventory_file
    data = loader.load_from_file(path)
  File "/Library/Python/2.7/site-packages/ansible/parsing/dataloader.py", line 113, in load_from_file
    (file_data, show_content) = self._get_file_contents(file_name)
  File "/Library/Python/2.7/site-packages/ansible/parsing/dataloader.py", line 172, in _get_file_contents
    data = self._vault.decrypt(data)
  File "/Library/Python/2.7/site-packages/ansible/parsing/vault/__init__.py", line 169, in decrypt
    b_data = this_cipher.decrypt(b_data, self.b_password)
  File "/Library/Python/2.7/site-packages/ansible/parsing/vault/__init__.py", line 679, in decrypt
    key1, key2, iv = self.gen_key_initctr(password, salt)
  File "/Library/Python/2.7/site-packages/ansible/parsing/vault/__init__.py", line 621, in gen_key_initctr
    backend = default_backend()
  File "/Library/Python/2.7/site-packages/cryptography/hazmat/backends/__init__.py", line 35, in default_backend
    _default_backend = MultiBackend(_available_backends())
  File "/Library/Python/2.7/site-packages/cryptography/hazmat/backends/__init__.py", line 22, in _available_backends
    "cryptography.backends"
  File "/Users/bduzita/Library/Python/2.7/lib/python/site-packages/pkg_resources/__init__.py", line 2270, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/Library/Python/2.7/site-packages/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/Library/Python/2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 47, in <module>
    from cryptography.hazmat.bindings.openssl import binding
  File "/Library/Python/2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 250, in <module>
    _verify_openssl_version(Binding.lib.SSLeay())
  File "/Library/Python/2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 230, in _verify_openssl_version
    "You are linking against OpenSSL 0.9.8, which is no longer "
RuntimeError: You are linking against OpenSSL 0.9.8, which is no longer support by the OpenSSL project. You need to upgrade to a newer version of OpenSSL.

Yeah, this is a similar issue to the one which the users on AskDifferent (linked above :point_up: ) were dealing with. Installing your own version of OpenSSL doesn’t change the system version, and $ brew link won’t fix that.

From reading about it in the Homebrew GitHub docs, $ brew link is intended to link your custom installation (OpenSSL 1.0.2j here) with any other Homebrew builds which may require OpenSSL. However, Homebrew won’t usurp the system installation (which is good; that will cause problems).

Since you need to use Homebrew’s version in non-Homebrew software (Trellis), you’ll either have to (as I said before) rename the system OpenSSL directory and create a symlink to the brew OpenSSL directory, or, much much more advisable I now realise, tweak the playbook to use the brew version, or try any of the methods outlined in the brew docs.

Ultimately it’s not a problem with Homebrew, but it may be something worth submitting as a bug to the Trellis GitHub.
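
The gap described above, between the `openssl` binary found on PATH and the OpenSSL library a Python process actually loads, can be checked directly. The following is an added example, not code from the thread, Trellis or Ansible; it needs Python 3.7+, and the function names and the `minimum` threshold are assumptions made for illustration.

```python
import re
import shutil
import ssl
import subprocess

_BANNER = re.compile(r"^(\w+) (\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_banner(banner):
    """Split 'OpenSSL 1.0.2j  26 Sep 2016' into ('OpenSSL', (1, 0, 2), 'j')."""
    m = _BANNER.match(banner.strip())
    if m is None:
        raise ValueError("unrecognised version banner: %r" % banner)
    name, major, minor, fix, letters = m.groups()
    return name, (int(major), int(minor), int(fix)), letters


def diagnose(cli_banner, linked_banner, minimum=(1, 0, 0)):
    """Compare the CLI binary's banner with the library a process is linked to.

    `minimum` is an assumed threshold for illustration, not the value the
    cryptography package enforces.
    """
    cli = parse_banner(cli_banner)
    linked = parse_banner(linked_banner)
    return {
        "cli": cli,
        "linked": linked,
        "mismatch": cli != linked,
        "linked_too_old": linked[0] == "OpenSSL" and linked[1] < minimum,
    }


def cli_banner():
    """Banner of the first `openssl` on PATH, or None if there is none."""
    path = shutil.which("openssl")
    if path is None:
        return None
    out = subprocess.run([path, "version"], capture_output=True, text=True)
    return out.stdout.strip() or None


if __name__ == "__main__":
    linked = ssl.OPENSSL_VERSION  # library this interpreter's ssl module loaded
    on_path = cli_banner()
    print("linked by Python:", linked)
    print("openssl on PATH :", on_path)
    if on_path:
        print(diagnose(on_path, linked))
```

Run it with the same interpreter that launches the failing tool. `ssl.OPENSSL_VERSION` reports what the interpreter's own `ssl` module loaded; a compiled extension such as `cryptography` can be linked against yet another copy.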

Any chance you could help with editing the playbook? I don’t have enough experience, learning :slight_smile:

Don’t want to touch the system openssl. I started that path and then thought I would post in the community before I attempted that. Sierra will also prohibit touching anything in /usr/bin/ until you reboot in command line and apply csrutil disable reboot.

Since this all started with an OS update to Sierra it’s likely this will become an issue for others and it makes sense to have a config in Trellis to deal with it.

Bug submitted: https://github.com/roots/trellis/issues/669

Temp solution was to decrypt my vault.yml files which allowed vagrant up to run without any openssl errors.

If I leave them encrypted then I get the OpenSSL error output above.

See http://stackoverflow.com/questions/38670295/brew-refusing-to-link-openssl and http://stackoverflow.com/questions/37690054/python-and-openssl-version-reference-issue-on-os-x for potential solutions.
