Made the mistake of updating OS to Sierra. Now I’m running into an issue when I vagrant up saying I need to update openssl to newer version because OpenSSL 0.9.8 i s no longer supported.
I know this is not an issue with Trellis, I thought I would post regardless.
I’ve tried getting openssl updated with the following, but with no luck.
brew update
brew install openssl
brew link openssl --force
Has anyone run into this issue and resolved it?
Could you give us the output of:
$ which openssl
and
$ openssl version -a
My guess would be that macOS is still using the system version, not the homebrew version, there’s a good article on how to upgrade on AskDifferent, see Cheeso’s response in particular.
The trick is renaming the old openSSL directory and creating a link to your new one installed using brew.
This seems to be a problem with Homebrew?
What I get when I install and apply the system link.
Warning: Refusing to link: openssl
Linking keg-only openssl means you may end up linking against the insecure,
deprecated system OpenSSL while using the headers from Homebrew's openssl.
Instead, pass the full include/library paths to your compiler e.g.:
-I/usr/local/opt/openssl/include -L/usr/local/opt/openssl/lib
My-MBP:bin mymbp$ which openssl
/usr/local/bin/openssl
My-MBP:bin mymbp$ openssl version -a
OpenSSL 1.0.2j 26 Sep 2016
built on: reproducible build, date unspecified
platform: darwin64-x86_64-cc
options: bn(64,64) rc4(ptr,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: clang -I. -I.. -I../include -fPIC -fno-common -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/local/etc/openssl"
Debugging I get this
Traceback (most recent call last):
File "/usr/local/bin/ansible-playbook", line 92, in <module>
exit_code = cli.run()
File "/Library/Python/2.7/site-packages/ansible/cli/playbook.py", line 132, in run
inventory = Inventory(loader=loader, variable_manager=variable_manager, host_list=self.options.inventory)
File "/Library/Python/2.7/site-packages/ansible/inventory/__init__.py", line 85, in __init__
self.parse_inventory(host_list)
File "/Library/Python/2.7/site-packages/ansible/inventory/__init__.py", line 144, in parse_inventory
group.vars = combine_vars(group.vars, self.get_group_variables(group.name))
File "/Library/Python/2.7/site-packages/ansible/inventory/__init__.py", line 509, in get_group_variables
self._vars_per_group[groupname] = self._get_group_variables(groupname, vault_password=vault_password)
File "/Library/Python/2.7/site-packages/ansible/inventory/__init__.py", line 527, in _get_group_variables
vars = combine_vars(vars, self.get_group_vars(group))
File "/Library/Python/2.7/site-packages/ansible/inventory/__init__.py", line 707, in get_group_vars
return self._get_hostgroup_vars(host=None, group=group, new_pb_basedir=new_pb_basedir)
File "/Library/Python/2.7/site-packages/ansible/inventory/__init__.py", line 746, in _get_hostgroup_vars
results = combine_vars(results, self._variable_manager.add_group_vars_file(base_path, self._loader))
File "/Library/Python/2.7/site-packages/ansible/vars/__init__.py", line 578, in add_group_vars_file
(name, data) = self._load_inventory_file(path, loader)
File "/Library/Python/2.7/site-packages/ansible/vars/__init__.py", line 535, in _load_inventory_file
_found, results = self._load_inventory_file(path=p, loader=loader)
File "/Library/Python/2.7/site-packages/ansible/vars/__init__.py", line 550, in _load_inventory_file
data = loader.load_from_file(path)
File "/Library/Python/2.7/site-packages/ansible/parsing/dataloader.py", line 113, in load_from_file
(file_data, show_content) = self._get_file_contents(file_name)
File "/Library/Python/2.7/site-packages/ansible/parsing/dataloader.py", line 172, in _get_file_contents
data = self._vault.decrypt(data)
File "/Library/Python/2.7/site-packages/ansible/parsing/vault/__init__.py", line 169, in decrypt
b_data = this_cipher.decrypt(b_data, self.b_password)
File "/Library/Python/2.7/site-packages/ansible/parsing/vault/__init__.py", line 679, in decrypt
key1, key2, iv = self.gen_key_initctr(password, salt)
File "/Library/Python/2.7/site-packages/ansible/parsing/vault/__init__.py", line 621, in gen_key_initctr
backend = default_backend()
File "/Library/Python/2.7/site-packages/cryptography/hazmat/backends/__init__.py", line 35, in default_backend
_default_backend = MultiBackend(_available_backends())
File "/Library/Python/2.7/site-packages/cryptography/hazmat/backends/__init__.py", line 22, in _available_backends
"cryptography.backends"
File "/Users/bduzita/Library/Python/2.7/lib/python/site-packages/pkg_resources/__init__.py", line 2270, in resolve
module = __import__(self.module_name, fromlist=['__name__'], level=0)
File "/Library/Python/2.7/site-packages/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
from cryptography.hazmat.backends.openssl.backend import backend
File "/Library/Python/2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 47, in <module>
from cryptography.hazmat.bindings.openssl import binding
File "/Library/Python/2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 250, in <module>
_verify_openssl_version(Binding.lib.SSLeay())
File "/Library/Python/2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 230, in _verify_openssl_version
"You are linking against OpenSSL 0.9.8, which is no longer "
RuntimeError: You are linking against OpenSSL 0.9.8, which is no longer support by the OpenSSL project. You need to upgrade to a newer version of OpenSSL.
Yeah, this a similar issue to the one which the users on AskDifferent (linked above 
) were dealing with. Installing your own version of OpenSSL doesn’t change the system version, and $ brew link won’t fix that.
From reading about on the home-brew github docs, $ brew link is intended to link your custom installation (OpenSSL 1.0.2j here), with any other Homebrew builds which may require OpenSSL. However, Homebrew won’t usurp the system installation (which is good- that will cause problems).
Since you need to use home-brew’s version in a non-homebrew software (Trellis), you’ll either have to (as I said before) rename the system OpenSSL directory and create a symlink to the brew OpenSSL directory- or, much much more advisable I now realise, tweak the playbook to use the brew version, or try any of the methods outlined in the brew docs.
Ultimately it’s not a problem with home-brew, but it may be something worth submitting as a bug to the Trellis github.
Any chance you could help with editing the playbook? I don’t have enough experience, learning 
Don’t want to touch the system openssl. I started that path and then thought I would post in the community before I attempted that. Sierra will also prohibit touching anything in /usr/bin/ until you reboot in command line and apply csrutil disable reboot.
Since this all stared with an OS update to Sierra it’s likely this will become an issue for others and it makes sense to have a config in Trellis to deal with it.
Bug submitted: https://github.com/roots/trellis/issues/669
Temp solution was to decrypt my vault.yml files which allowed vagrant up to run without any openssl errors.
If I leave them encrypted then I get the OpenSSL error output above.