Solutions

Apache and IIS Web Agent (All versions) repeatedly reports failed to load SSL errors

Last updated Feb 6, 2020

The purpose of this article is to provide assistance if the Apache™ or IIS Web Agent repeatedly reports SSL errors such as "failed to load OPENSSL_init_ssl" (Apache) or "failed to load SSL_library_init" (IIS).


Symptoms

You will see errors as outlined below depending on which agent you are using.

Apache Agent

The Web Agent appears to be functioning normally, however, one of the following error snippets is shown repeatedly in your logs depending on which version of the Web Agent you are using:

  • Web Agents 5.5.1.0 and later:
    [Mon Aug 12 14:03:29.156134 2019] [amagent:notice] [pid 1234:tid 140277498116015] OpenSSL library status: trying libssl... libssl.so.1.1 dlopen error: libssl.so.1.1: cannot open shared object file: No such file or directory, found libssl.so.10, failed to load OPENSSL_init_ssl, failed to load TLS_client_method, failed to load SSL_get_state, trying libcrypto... libcrypto.so.1.1 dlopen error: libcrypto.so.1.1: cannot open shared object file: No such file or directory, found libcrypto.so.10, OpenSSL v1.0.x/0.9.8 library support is available
  • Pre-Web Agents 5.5.1.0:
    [Mon Aug 12 14:03:29.950273 2019] [amagent:error] [pid 1234:tid 140277498116015] init_ssl(): trying libssl...
    [Mon Aug 12 14:03:29.950664 2019] [amagent:error] [pid 1234:tid 140277498116015] init_ssl(): libssl.so.1.1 dlopen error: libssl.so.1.1: cannot open shared object file: No such file or directory
    [Mon Aug 12 14:03:29.950902 2019] [amagent:error] [pid 1234:tid 140277498116015] init_ssl(): found libssl.so.10
    [Mon Aug 12 14:03:29.951107 2019] [amagent:error] [pid 1234:tid 140277498116015] init_ssl(): failed to load OPENSSL_init_ssl
    [Mon Aug 12 14:03:29.951124 2019] [amagent:error] [pid 1234:tid 140277498116015] init_ssl(): failed to load TLS_client_method
    [Mon Aug 12 14:03:29.951128 2019] [amagent:error] [pid 1234:tid 140277498116015] init_ssl(): failed to load SSL_get_state
    [Mon Aug 12 14:03:29.951309 2019] [amagent:error] [pid 1234:tid 140277498116015] init_ssl(): trying libcrypto...
    [Mon Aug 12 14:03:29.951534 2019] [amagent:error] [pid 1234:tid 140277498116015] init_ssl(): libcrypto.so.1.1 dlopen error: libcrypto.so.1.1: cannot open shared object file: No such file or directory
    [Mon Aug 12 14:03:29.951707 2019] [amagent:error] [pid 1234:tid 140277498116015] init_ssl(): found libcrypto.so.10
    [Mon Aug 12 14:03:29.951999 2019] [amagent:error] [pid 1234:tid 140277498116015] init_ssl(): OpenSSL v1.0.x/0.9.8 library support is available

You may see these error snippets in the Agent logs, the Apache logs, or both (located in /path/to/agent/log and /path/to/apache/logs/error_log respectively). The change in log output is due to AMAGENTS-1933 (init_ssl errors fill error_log), which made the messages less verbose.

IIS Agent

You will see the following error in your Install log:

2020-02-06 10:42:07 OpenSSL library status: trying ssleay32... found libssl-1_1.dll, failed to load SSL_library_init, failed to load SSLv23_client_method, failed to load SSL_state, failed to load SSL_load_error_strings, trying libeay32... found libcrypto-1_1.dll, failed to load CRYPTO_num_locks, failed to load CRYPTO_set_locking_callback, failed to load CRYPTO_set_id_callback, failed to load OPENSSL_add_all_algorithms_noconf, failed to load ERR_free_strings, failed to load ENGINE_cleanup, failed to load EVP_cleanup, failed to load CRYPTO_cleanup_all_ex_data, OpenSSL v1.1.x library support is available

Recent Changes

N/A

Causes

The Web Agent tries to load various OpenSSL libraries before finding the appropriate one, as evidenced by the following message:

  • Apache:
    OpenSSL v1.0.x/0.9.8 library support is available
  • IIS:
    OpenSSL v1.1.x library support is available

Apache agent only

You see all the messages leading up to this point because of how the Apache logger works when using the prefork MPM. While the Agent is trying to load libraries, there are only two logging options available: Error and Notice. These messages are Notice level and are therefore shown.

Solution

Firstly, these messages can be safely ignored because the OpenSSL library is found in the end. Additionally, for the Apache agent, you can make them less verbose by upgrading to Agents 5.5.1.0 or later; you can download this from BackStage.
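One way to confirm from your own logs that every probe sequence did end with a library being found, as an added example (not ForgeRock code): the script below groups the messages shown above into probe sequences and marks a sequence "review" only if it never reports "library support is available". The sample lines are constructed from the formats in this article, and pids 2222 and 3333 are made up.

```python
import re

AVAILABLE = re.compile(r"OpenSSL (v\S+) library support is available")
PID_TID = re.compile(r"\[pid (\d+):tid (\d+)\]")
MISS = re.compile(r"failed to load \w+|dlopen error")

def triage(lines):
    """Return (source, verdict, openssl_version, probe_misses) per probe sequence."""
    results, pending = [], {}
    for line in lines:
        misses, ok, proc = len(MISS.findall(line)), AVAILABLE.search(line), PID_TID.search(line)
        if "OpenSSL library status:" in line:
            # Agents 5.5.1.0+ and the IIS install log: whole sequence on one line.
            src = f"pid {proc.group(1)}" if proc else "install-log"
            results.append((src, "benign" if ok else "review", ok.group(1) if ok else None, misses))
        elif "init_ssl():" in line and proc:
            # Pre-5.5.1.0: one message per line, grouped here by (pid, tid).
            key = proc.groups()
            if "trying libssl" in line and key in pending:
                # A new sequence started before the previous one finished.
                results.append((f"pid {key[0]}", "review", None, pending.pop(key)))
            pending[key] = pending.get(key, 0) + misses
            if ok:
                results.append((f"pid {key[0]}", "benign", ok.group(1), pending.pop(key)))
    # Sequences that never reported an available library need a closer look.
    results += [(f"pid {k[0]}", "review", None, n) for k, n in pending.items()]
    return results

P = "[Mon Aug 12 14:03:29.950273 2019] [amagent:error] [pid {}:tid 1] init_ssl(): "
# Constructed sample input modelled on the formats above; pids 2222/3333 are made up.
SAMPLE = [
    "[Mon Aug 12 14:03:29.156134 2019] [amagent:notice] [pid 1234:tid 1] OpenSSL library status: "
    "trying libssl... libssl.so.1.1 dlopen error: ..., found libssl.so.10, failed to load "
    "OPENSSL_init_ssl, OpenSSL v1.0.x/0.9.8 library support is available",
    P.format(2222) + "trying libssl...",
    P.format(2222) + "libssl.so.1.1 dlopen error: libssl.so.1.1: cannot open shared object file",
    P.format(2222) + "failed to load OPENSSL_init_ssl",
    P.format(2222) + "OpenSSL v1.0.x/0.9.8 library support is available",
    P.format(3333) + "trying libssl...",
    P.format(3333) + "libssl.so.1.1 dlopen error: libssl.so.1.1: cannot open shared object file",
    "2020-02-06 10:42:07 OpenSSL library status: trying ssleay32... found libssl-1_1.dll, "
    "failed to load SSL_library_init, OpenSSL v1.1.x library support is available",
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

To use it on a real file, pass the open file object to `triage()` in place of `SAMPLE`.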

Apache agent only

The only way to completely prevent these messages is to change your Apache MPM configuration to use a threaded MPM like worker or event. This is documented on the Apache pages: Multi-Processing Modules (MPMs) but in essence:

  • A threaded MPM like worker or event is suitable for sites that need a lot of scalability.
  • The prefork MPM is suitable for sites that require stability or compatibility with older software.

Note

Managing your Apache configuration is outside the scope of ForgeRock support; if you want more tailored advice, consider engaging Deployment Support Services.

See Also

Installing a Web Agent (All versions) fails with a no ssl/library support error

SSL in AM/OpenAM and Policy Agents

Related Training

N/A

Related Issue Tracker IDs

AMAGENTS-2716 (Remove init_ssl(): failed to load OPENSSL_init_ssl message in apache error_log)

AMAGENTS-1933 (init_ssl errors fill error_log)



Copyright © 2020 ForgeRock, all rights reserved.