Warning started showing this morning - Init: this version of mod_ssl was compiled against a newer library

I'm not sure if this is related to Let's Encrypt but I started seeing this warning in my logs this morning:

Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.1.1n 15 Mar 2022, version currently loaded is OpenSSL 1.1.1k 25 Mar 2021) - may result in undefined or erroneous behavior

I haven't done anything to my server recently so I'm not sure why this would show all of a sudden.

Is it warning me that I need to update OpenSSL? If so, how come it's not updating with the standard update / upgrade commands?

Either way, what can I do to remedy this warning?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: videochums.com

I ran this command: N/A

It produced this output: N/A

My web server is (include version): Apache/2.4.53

The operating system my web server runs on is (include version): Debian 11.3

My hosting provider, if applicable, is: Google Cloud

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.25.0

Your OpenSSL might not be up to date. Make sure your system is fully updated:

sudo apt update && sudo apt upgrade

Finally, restart the server to ensure new libraries get loaded correctly.

[Additional details: Debian did push OpenSSL to 1.1.1n as part of point release 11.3, released on March 26th, 2022. The error message suggests that an older version of libssl is currently loaded for whatever reason]

2 Likes

Thanks for the info - I did run update and upgrade multiple times but nothing further requires updates and the warning is still coming up. I'm guessing that I need to update something manually or configure something but I'm at a loss as to how to do so. I've researched this warning but everything I found either doesn't have a solution or the solution does not apply.

From what I gather, there have been a few iterations after OpenSSL 1.1.1k and for whatever reason, my server has not been applying the updates. Also, that version was released almost exactly 1 year ago so perhaps this warning is due to my version being outdated by 1 year?

1 Like

You can start by checking the version of libssl currently installed (libssl is a package that belongs to openssl and is what's used by apache):

apt list libssl1.1

This should read something like:

libssl1.1/stable,stable,now 1.1.1n-0+deb11u1 amd64 [installed]

Arch and flags may vary, important is the version.

The warning is due to exactly what it says: The Apache module was compiled against a newer openssl version than what was found on your machine. As the Debian project compiles your binaries this is unexpected: The Debian team usually ensures that this does not happen. It indicates that for some reason only some packages were upgraded, but not all.

About the version: This is expected, 1.1.1k was the previous version shipped by Debian (until yesterday). Projects like Debian have a design philosophy of stable packages: On a stable OS release, no new versions are usually permitted, unless it's an important bugfix or security issue. Debian/Ubuntu prefer to backport changes to old versions rather than upgrade to new upstream releases. This is why version numbers on these distros can be multiple years old. This has no significance as to the actual age of the package.

4 Likes

I see - thanks!

Okay - so, apt list libssl1.1 returns this:
Listing... Done
libssl1.1/stable,now 1.1.1n-0+deb11u1 amd64 [installed]
N: There is 1 additional version. Please use the '-a' switch to see it

And apt list libssl1.1 -a returns this:
Listing... Done
libssl1.1/stable,now 1.1.1n-0+deb11u1 amd64 [installed]
libssl1.1/stable-security 1.1.1k-1+deb11u2 amd64

With this info, is there something I can do to resolve the warning?

1 Like

Have you tried rebooting the machine? It's possible something went wrong when apache restarted after yesterday's upgrade.

2 Likes

I've done multiple graceful reloads (sudo service apache2 reload) but am hesitant to restart the whole machine since there are a lot of people visiting today. Is that my only option right now? If so, I may wait until tomorrow.

1 Like

I would definitely try a full reboot, especially as yesterday's upgrade was a point release: Those touch multiple things that will only become fully effective after a reboot.

If that's not convenient right now, that's fine. The two versions are most likely compatible, you just aren't getting the new fixes right now. Just reboot when convenient, I don't think this is urgent.

2 Likes

Perhaps you could check if Apache is using the correct library?

If I run lsof -n | grep apache | grep libssl, it says all libssl files are "REG" and do not have the "DEL" status in front of it. The latter would be expected if a file was overwritten since the time the previous file was loaded.

Personally I wouldn't reboot: usually it isn't necessary on Linux. Rebooting is a Windows thing except for kernel updates. Luckily Linux has many ways of debugging issues :)

Just thinking: maybe a graceful reload is not enough for Apache to actually reload the newly installed library files, as a graceful reload just gracefully kills off worker processes, but as far as I know, the initial root owned process remains. Perhaps, but I'm not sure at all, as long as the initial root owned Apache process still uses the now-deleted file from memory, all the new workers do too? From memory? That's why I suggested the lsof command above :)

3 Likes

Don't know how apache spawns those workers, but it sounds plausible.

I do however think that the package upgrade should have caused a full restart of apache anyway, so something may be stuck somewhere. The point release did include a new systemd, kernel, libc and whatnot anyway so a reboot is definitely what I recommend, as soon as convenient.

2 Likes

I see. I ran the lsof -n | grep apache | grep libssl command and it returned 110 records that all generally look identical to this:

apache2 2017953 2017985 apache2 www-data DEL REG 8,1 400333 /usr/lib/x86_64-linux-gnu/libssl.so.1.1

1 Like

Looking at the "DEL" part of the output this suggests Apache is still using the older now-deleted version of the libssl.so.1.1 file. The file from the new OpenSSL has an identical name, so we can't tell the difference from the name alone, but it seems it's still using the previous version from memory.

Try really restarting Apache when the visitor numbers allow it :) It wouldn't be graceful, so some users might see an error, but it's faster than rebooting ;)

4 Likes
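The lsof check discussed in the posts above, turned into a per-process summary; this is an added example, not code posted by anyone in the thread. The function names and the sample lsof lines (PIDs, inode numbers) are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise `lsof -n` output to find processes that still map
# a deleted copy of a shared library (lsof shows "DEL" in the FD column).

# stale_lib_procs PATTERN   (hypothetical helper name)
# Reads `lsof -n` output on stdin and prints "PID COMMAND ROWS" once per
# process that has a DEL mapping whose NAME column matches PATTERN (awk regex).
stale_lib_procs() {
    awk -v pat="$1" '
        # NAME is the last column; skip the header and rows for other files.
        $NF !~ pat { next }
        {
            # The FD column shifts depending on whether lsof printed the
            # TID/TASKCMD columns, so look for DEL in any middle field.
            del = 0
            for (i = 3; i < NF; i++) if ($i == "DEL") del = 1
            if (!del) next
            # PID is always the second column; remember first-seen order.
            if (!($2 in cmd)) { cmd[$2] = $1; order[++n] = $2 }
            rows[$2]++
        }
        END { for (i = 1; i <= n; i++) print order[i], cmd[order[i]], rows[order[i]] }
    '
}

# Constructed sample input: a parent and a threaded worker still holding the
# deleted libssl, plus processes that already map the file now on disk ("mem").
sample_lsof() {
    cat <<'EOF'
COMMAND PID TID TASKCMD USER FD TYPE DEVICE SIZE/OFF NODE NAME
apache2 1200 root DEL REG 8,1 400333 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
apache2 1301 1302 apache2 www-data DEL REG 8,1 400333 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
apache2 1301 1303 apache2 www-data DEL REG 8,1 400333 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
apache2 1400 www-data mem REG 8,1 597792 400999 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
sshd 901 root mem REG 8,1 597792 400999 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
apache2 1200 root DEL REG 8,1 400100 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
EOF
}

# On a live host (run as root so every process is visible):
#   lsof -n | stale_lib_procs 'libssl'
sample_lsof | stale_lib_procs 'libssl'
```

An empty result after a restart means no process is left running the library copy that the upgrade replaced.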

Awesome - thanks! Just to be clear, a simple sudo service apache2 restart should do the trick? Is there any risk involved in doing so?

1 Like

If that message is the only problem I believe you can safely ignore it. The OpenSSL API doesn't change with the version "letter."

(They finally changed that messed up version numbering scheme with version 3.0.0)

But yeah, you should upgrade OpenSSL, the Debian security team doesn't publish stuff in their repositories for no reason.

2 Likes

I believe so.

Apache should run a configuration check before it initiates the restart, but it's always a good idea to run a config check before.

Although on my server that's done by the init script, not by Apache. So another reason to run the config check manually beforehand, in case your restart script doesn't automatically do it.

3 Likes

Hello again. It's been a while but I finally restarted apache and it worked - no more warning. Thanks!

4 Likes

I assume Debian updated their OpenSSL version.

My Debian 11 says

# openssl version
OpenSSL 1.1.1n  15 Mar 2022
# cat /etc/debian_version
11.3

2 Likes
