Solutions

Apache Web Agent (All versions) repeatedly reports failed to load OPENSSL_init_ssl errors

Last updated Aug 30, 2019

The purpose of this article is to provide assistance if the Apache™ Web Agent repeatedly reports SSL errors such as "failed to load OPENSSL_init_ssl".


Symptoms

The Web Agent appears to be functioning normally, however, one of the following error snippets is shown repeatedly in your logs depending on which version of the Web Agent you are using:

  • Web Agents 5.5.1.0 and later:
    [Mon Aug 12 14:03:29.156134 2019] [amagent:notice] [pid 1234:tid 140277498116015] OpenSSL library status: trying libssl... libssl.so.1.1 dlopen error: libssl.so.1.1: cannot open shared object file: No such file or directory, found libssl.so.10, failed to load OPENSSL_init_ssl, failed to load TLS_client_method, failed to load SSL_get_state, trying libcrypto... libcrypto.so.1.1 dlopen error: libcrypto.so.1.1: cannot open shared object file: No such file or directory, found libcrypto.so.10, OpenSSL v1.0.x/0.9.8 library support is available
    
  • Pre-Web Agents 5.5.1.0:
    Aug 12 14:03:29.950273 2019] [amagent:error] [pid 1234:tid 140277498116015] init_ssl(): trying libssl...
    [Mon Aug 12 14:03:29.950664  2019] [amagent:error] [pid 1234:tid 140277498116015] init_ssl():  libssl.so.1.1 dlopen error: libssl.so.1.1: cannot open shared object  file: No such file or directory
    [Mon Aug 12 14:03:29.950902 2019] [amagent:error] [pid 1234:tid 140277498116015] init_ssl(): found libssl.so.10
    [Mon Aug 12 14:03:29.951107 2019] [amagent:error] [pid 1234:tid 140277498116015] init_ssl(): failed to load OPENSSL_init_ssl
    [Mon Aug 12 14:03:29.951124 2019] [amagent:error] [pid 1234:tid 140277498116015] init_ssl(): failed to load TLS_client_method
    [Mon Aug 12 14:03:29.951128 2019] [amagent:error] [pid 1234:tid 140277498116015] init_ssl(): failed to load SSL_get_state
    [Mon Aug 12 14:03:29.951309 2019] [amagent:error] [pid 1234:tid 140277498116015] init_ssl(): trying libcrypto...
    [Mon Aug 12 14:03:29.951534  2019] [amagent:error] [pid 1234:tid 140277498116015] init_ssl():  libcrypto.so.1.1 dlopen error: libcrypto.so.1.1: cannot open shared  object file: No such file or directory
    [Mon Aug 12 14:03:29.951707 2019] [amagent:error] [pid 1234:tid 140277498116015] init_ssl(): found libcrypto.so.10
    [Mon Aug 12 14:03:29.951999  2019] [amagent:error] [pid 1234:tid 140277498116015] init_ssl():  OpenSSL v1.0.x/0.9.8 library support is available
    

You may see these error snippets in either, or both the Agent logs and Apache logs (located in /path/to/agent/log and /path/to/apache/logs/error_log respectively). The change in log output is due to AMAGENTS-1933 (init_ssl errors fill error_log), which made the messages less verbose.

Recent Changes

N/A

Causes

The Web Agent tries to load various OpenSSL libraries before finding the appropriate one, as evidenced by the following message:

OpenSSL v1.0.x/0.9.8 library support is available

The reason you see all the messages leading up to this point is because of how the Apache logger works when using MPM preforking. While the Agent is trying to load libraries, there are only two logging options available: Error and Notice. These messages are Notice level and are therefore shown.

Solution

Firstly, these messages can be safely ignored because the OpenSSL library is found in the end. Additionally, you can make them less verbose by upgrading to Agents 5.5.1.0 or later; you can download this from BackStage.

The only way to completely prevent these messages is to change your Apache MPM configuration to use a threaded MPM like worker or event. This is documented on the Apache pages: Multi-Processing Modules (MPMs) but in essence:

  • A threaded MPM like worker or event is suitable for sites that need a lot of scalability.
  • The prefork MPM is suitable for sites that require stability or compatibility with older software.
Note

Managing your Apache configuration is outside the scope of ForgeRock support; if you want more tailored advice, consider engaging Deployment Support Services.

See Also

Installing a Web Agent (All versions) fails with a no ssl/library support error

SSL in AM/OpenAM and Policy Agents

Related Training

N/A

Related Issue Tracker IDs

AMAGENTS-2716 (Remove init_ssl(): failed to load OPENSSL_init_ssl message in apache error_log)

AMAGENTS-1933 (init_ssl errors fill error_log)



Copyright and TrademarksCopyright © 2019 ForgeRock, all rights reserved.
Loading...