我使用的是centos 7.2,我将安装Nginx-CT,它需要OpenSSL 1.0.2,当前版本如下:
[root@i001 ~]# rpm -qa|grep openssl
openssl-libs-1.0.1e-51.el7_2.4.x86_64
openssl-devel-1.0.1e-51.el7_2.4.x86_64
openssl-1.0.1e-51.el7_2.4.x86_64
我尝试在 fedora 库中下载 SRPM 包,
openssl-1.0.2d-2.fc23.src.rpm
重建并安装,但有问题,
[root@i001 ~]# yum update openssl
Loaded plugins: axelget, langpacks
No metadata available for base
No metadata available for dockerrepo
No metadata available for elrepo
No metadata available for epel
No metadata available for extras
No metadata available for local
No metadata available for mariadb
No metadata available for nginx
No metadata available for remi-php70
No metadata available for remi-php70-test
No metadata available for remi-safe
No metadata available for salt-2015.8
No metadata available for updates
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 1:1.0.1e-51.el7_2.4 will be updated
---> Package openssl.x86_64 1:1.0.2d-2.el7.centos will be an update
--> Processing Dependency: openssl-libs(x86-64) = 1:1.0.2d-2.el7.centos for package: 1:openssl-1.0.2d-2.el7.centos.x86_64
--> Processing Dependency: libcrypto.so.10(OPENSSL_1.0.2)(64bit) for package: 1:openssl-1.0.2d-2.el7.centos.x86_64
--> Running transaction check
---> Package openssl-libs.x86_64 1:1.0.1e-51.el7_2.4 will be updated
--> Processing Dependency: openssl-libs(x86-64) = 1:1.0.1e-51.el7_2.4 for package: 1:openssl-devel-1.0.1e-51.el7_2.4.x86_64
---> Package openssl-libs.x86_64 1:1.0.2d-2.el7.centos will be an update
--> Processing Dependency: crypto-policies for package: 1:openssl-libs-1.0.2d-2.el7.centos.x86_64
--> Running transaction check
---> Package openssl-devel.x86_64 1:1.0.1e-51.el7_2.4 will be updated
---> Package openssl-devel.x86_64 1:1.0.2d-2.el7.centos will be an update
---> Package openssl-libs.x86_64 1:1.0.2d-2.el7.centos will be an update
--> Processing Dependency: crypto-policies for package: 1:openssl-libs-1.0.2d-2.el7.centos.x86_64
--> Finished Dependency Resolution
Error: Package: 1:openssl-libs-1.0.2d-2.el7.centos.x86_64 (local)
Requires: crypto-policies
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
我应该怎么办?
答案1
第一的,让我这么说加雷思·红和布拉奇利是正确的,因为 CentOS 不支持您尝试安装的 OpenSSL 软件包,这样做是不建议。尝试执行此操作可能会导致您的系统出现问题。
如果你绝对必须安装这个...据我了解,你正在尝试安装nginx-ct,它需要 OpenSSL 1.0.2 或更高版本,因为它需要SSL_CTX_add_server_custom_ext和SSL_CTX_set_signed_cert_timestamp_list。
使用百胜
将其他不受支持的存储库中的软件包用于您的系统是一种馊主意,正如其他人指出的那样。从 yum 输出的外观来看,它抱怨对加密政策包(openssl-libs-1.0.2d-2 需要)。您可以首先尝试安装 crypto-policies 包(也来自 Fedora 23 存储库)。
从源代码编译
作为布拉奇利指出在这条评论,你可以尝试使用特定版本的 OpenSSL 从源代码编译 nginx。以下是该教程中更新的启动命令:
# Install dependencies
sudo yum install unzip gcc pcre-devel zlib-devel make golang
# Grab needed files, correct as of 2016-04-08
wget https://www.openssl.org/source/openssl-1.0.2g.tar.gz
wget http://nginx.org/download/nginx-1.9.14.tar.gz
wget -O nginx-ct.zip https://github.com/grahamedgecombe/nginx-ct/archive/master.zip
tar zxf openssl-1.0.2g.tar.gz
tar zxf nginx-1.9.14.tar.gz
unzip nginx-ct.zip
# Build nginx with openssl 1.0.2 and CT module
cd nginx-1.9.14/
./configure --with-http_ssl_module \
--with-openssl=`realpath ../openssl-1.0.2g` \
--add-module=`realpath ../nginx-ct-master`
make # NOTE: when I tried building with -jN for speedup I encountered linker issues
sudo make install
cd ..
该教程中的其余命令应该能够按原样执行。
最后的选择
或者,您可以尝试使用 BoringSSL,因为nginx-ct 支持,尽管您似乎必须从源代码构建它。
答案2
作为替代方向,请考虑将这些工具安装在 Docker 容器内。这样,您就可以使用不同的 Linux 发行版(例如 Fedora 或 Ubuntu),并在隔离环境中仅运行这两个发行版,这样它们就不会通过强制执行这些工具的“非标准”版本来影响系统的其余部分。