[1 minute tutorial] LNMP architecture application practical OpenSSL upgrade operation

Time:2021-1-12

A production requirement made it necessary to upgrade OpenSSL in our LNMP environment to the latest version, openssl-1.1.0c. Upgrading OpenSSL is more troublesome than most upgrades: many system services depend on it, SSH among them, so the process is cumbersome. This article records the upgrade exactly as it was carried out in a real production environment, for your reference.


1. Overall environment

System environment

[[email protected] ~]# cat /etc/redhat-release

CentOS release 6.5 (Final)

[[email protected] ~]# uname -r

2.6.32-431.el6.x86_64

LNMP version

[[email protected] ~]# /application/nginx/sbin/nginx -v

nginx version: nginx/1.10.1

[[email protected] ~]# /application/mysql/bin/mysql -V

/application/mysql/bin/mysql  Ver 14.14 Distrib 5.5.54, for Linux (x86_64) using  EditLine wrapper

The upgrade did not succeed with PHP 5.x, so a later PHP version is used; it is introduced below.


2. LNMP environment compilation process

Nginx and MySQL are both compiled and installed manually. The relevant parameters are given below.


Nginx compilation process:

[[email protected] nginx-1.10.1]# ./configure --user=nginx \

--group=nginx --prefix=/application/nginx-1.10.1 \

--with-http_stub_status_module --with-http_ssl_module \

--with-pcre=/download/pcre-8.38

[[email protected] nginx-1.10.1]# make && make install

[[email protected] nginx-1.10.1]# ln -s /application/nginx-1.10.1 /application/nginx

[[email protected] nginx-1.10.1]# /application/nginx/sbin/nginx

[[email protected] nginx-1.10.1]# lsof -i :80

COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME

nginx   16237  root    6u  IPv4  31404      0t0  TCP *:http (LISTEN)

nginx   16238 nginx    6u  IPv4  31404      0t0  TCP *:http (LISTEN)

[[email protected] nginx-1.10.1]# cd ../

MySQL compilation process:

[[email protected] download]# tar zxf cmake-2.8.8.tar.gz

[[email protected] download]# cd cmake-2.8.8

[[email protected] cmake-2.8.8]# useradd -s /sbin/nologin -M mysql

[[email protected] cmake-2.8.8]# ./configure


CMake has bootstrapped.  Now run gmake.

[[email protected] cmake-2.8.8]# gmake

[[email protected] cmake-2.8.8]# gmake install

[[email protected] cmake-2.8.8]# cd ../

[[email protected] download]# tar zxf mysql-5.5.54.tar.gz

[[email protected] download]# cd mysql-5.5.54

[[email protected] mysql-5.5.54]# cmake \

 -DCMAKE_INSTALL_PREFIX=/application/mysql-5.5.54 \

-DMYSQL_DATADIR=/application/mysql-5.5.54/data \

-DMYSQL_UNIX_ADDR=/application/mysql-5.5.54/tmp/mysql.sock \

-DDEFAULT_CHARSET=gbk \

-DDEFAULT_COLLATION=gbk_chinese_ci \

-DENABLED_LOCAL_INFILE=ON \

-DWITH_INNOBASE_STORAGE_ENGINE=1 \

-DWITH_FEDERATED_STORAGE_ENGINE=1

[[email protected] mysql-5.5.54]# make

[[email protected] mysql-5.5.54]# make install

[[email protected] mysql-5.5.54]# ln -s /application/mysql-5.5.54 /application/mysql

[[email protected] mysql-5.5.54]# cp support-files/my-small.cnf /etc/my.cnf

cp: overwrite `/etc/my.cnf'? y

[[email protected] mysql-5.5.54]# echo 'export PATH=/application/mysql/bin:$PATH'>>/etc/profile

[[email protected] mysql-5.5.54]# source /etc/profile

[[email protected] mysql-5.5.54]# tail -1 /etc/profile

export PATH=/application/mysql/bin:$PATH

[[email protected] mysql-5.5.54]# which mysql

/application/mysql/bin/mysql

[[email protected] mysql-5.5.54]# mkdir -p /application/mysql/data

[[email protected] mysql-5.5.54]# chown -R mysql.mysql /application/mysql/data

[[email protected] mysql-5.5.54]# chmod -R 1777 /tmp

[[email protected] mysql-5.5.54]# /application/mysql/scripts/mysql_install_db \

--basedir=/application/mysql \

--datadir=/application/mysql/data --user=mysql

[[email protected] mysql-5.5.54]# cp support-files/mysql.server /etc/init.d/mysqld

[[email protected] mysql-5.5.54]# chmod 700 /etc/init.d/mysqld

[[email protected] mysql-5.5.54]# /etc/init.d/mysqld start

Starting MySQL.Logging to '/application/mysql-5.5.54/data/centos6.5.err'.

. SUCCESS! 

[[email protected] mysql-5.5.54]# lsof -i :3306

COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME

mysqld  61589 mysql   10u  IPv4 114206      0t0  TCP *:mysql (LISTEN)

[[email protected] mysql-5.5.54]# mysql

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is 1

Server version: 5.5.54 Source distribution

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> quit

Bye

[[email protected] mysql-5.5.54]# chkconfig mysqld

[[email protected] mysql-5.5.54]# cd ../

3. Upgrade OpenSSL

[[email protected] download]# tar zxf openssl-1.1.0c.tar.gz

[[email protected] download]# cd openssl-1.1.0c

[[email protected] openssl-1.1.0c]# ./config --prefix=/usr/local/openssl shared zlib-dynamic

[[email protected] openssl-1.1.0c]# make

[[email protected] openssl-1.1.0c]# make install

[[email protected] openssl-1.1.0c]# cd ../

4. Library files required to install PHP


[[email protected] download]# wget http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.7.tar.gz  

[[email protected] download]# tar zxf libiconv-1.7.tar.gz

[[email protected] download]# cd libiconv-1.7

[[email protected] libiconv-1.7]# ./configure --prefix=/usr/local/libiconv

[[email protected] libiconv-1.7]# make && make install

[[email protected] libiconv-1.7]# cd ../


[[email protected] download]# wget ftp://mcrypt.hellug.gr/pub/crypto/mcrypt/libmcrypt/libmcrypt-2.5.7.tar.gz  

[[email protected] download]# tar zxf libmcrypt-2.5.7.tar.gz

[[email protected] download]# cd libmcrypt-2.5.7

[[email protected] libmcrypt-2.5.7]# ./configure

[[email protected] libmcrypt-2.5.7]# make && make install

[[email protected] libmcrypt-2.5.7]# /sbin/ldconfig

[[email protected] libmcrypt-2.5.7]# cd  libltdl/

[[email protected] libltdl]# ./configure --enable-ltdl-install

[[email protected] libltdl]# make 

[[email protected] libltdl]# make install

[[email protected] libltdl]# cd ../../


[[email protected] download]# wget http://download.csdn.net/tag/mhash-0.9.9.9.tar.gz  

[[email protected] download]# tar zxf mhash-0.9.9.9.tar.gz 

[[email protected] download]# cd mhash-0.9.9.9

[[email protected] mhash-0.9.9.9]# ./configure

[[email protected] mhash-0.9.9.9]# make

[[email protected] mhash-0.9.9.9]# make install

[[email protected] mhash-0.9.9.9]# cd ../

[[email protected] download]# rm -f /usr/lib/libmcrypt.*

[[email protected] download]# rm -f /usr/lib/libmhash*

[[email protected] download]# ln -s /usr/local/lib/libmcrypt.la /usr/lib/libmcrypt.la 

[[email protected] download]# ln -s /usr/local/lib/libmcrypt.so /usr/lib/libmcrypt.so 

[[email protected] download]# ln -s /usr/local/lib/libmcrypt.so.4 /usr/lib/libmcrypt.so.4 

[[email protected] download]# ln -s /usr/local/lib/libmcrypt.so.4.4.8 /usr/lib/libmcrypt.so.4.4.8 

[[email protected] download]# ln -s /usr/local/lib/libmhash.a /usr/lib/libmhash.a 

[[email protected] download]# ln -s /usr/local/lib/libmhash.la /usr/lib/libmhash.la 

[[email protected] download]# ln -s /usr/local/lib/libmhash.so /usr/lib/libmhash.so 

[[email protected] download]# ln -s /usr/local/lib/libmhash.so.2 /usr/lib/libmhash.so.2

[[email protected] download]# ln -s /usr/local/lib/libmhash.so.2.0.1 /usr/lib/libmhash.so.2.0.1 

[[email protected] download]# ln -s /usr/local/bin/libmcrypt-config /usr/bin/libmcrypt-config

[[email protected] download]# rm -f /usr/lib64/libmcrypt.*

[[email protected] download]# rm -f /usr/lib64/libmhash*

[[email protected] download]# ln -s /usr/local/lib64/libmcrypt.so /usr/lib64/libmcrypt.so 

[[email protected] download]# ln -s /usr/local/lib64/libmcrypt.la /usr/lib64/libmcrypt.la 

[[email protected] download]# ln -s /usr/local/lib64/libmcrypt.so.4 /usr/lib64/libmcrypt.so.4 

[[email protected] download]# ln -s /usr/local/lib64/libmcrypt.so.4.4.8 /usr/lib64/libmcrypt.so.4.4.8 

[[email protected] download]# ln -s /usr/local/lib64/libmhash.a /usr/lib64/libmhash.a 

[[email protected] download]# ln -s /usr/local/lib64/libmhash.la /usr/lib64/libmhash.la 

[[email protected] download]# ln -s /usr/local/lib64/libmhash.so /usr/lib64/libmhash.so 

[[email protected] download]# ln -s /usr/local/lib64/libmhash.so.2 /usr/lib64/libmhash.so.2 

[[email protected] download]# ln -s /usr/local/lib64/libmhash.so.2.0.1 /usr/lib64/libmhash.so.2.0.1 

[[email protected] download]# ln -s /usr/local/bin/libmcrypt-config /usr/bin/libmcrypt-config


[[email protected] download]# wget http://download.csdn.net/tag/mcrypt-2.6.8.tar.gz  

[[email protected] download]# tar zxf mcrypt-2.6.8.tar.gz 

[[email protected] download]# cd mcrypt-2.6.8

[[email protected] mcrypt-2.6.8]# /sbin/ldconfig

[[email protected] mcrypt-2.6.8]# ./configure

[[email protected] mcrypt-2.6.8]# make 

[[email protected] mcrypt-2.6.8]# make install

[[email protected] mcrypt-2.6.8]# cd ../

5. Compiling PHP

[[email protected] download]# wget http://mirrors.sohu.com/php/php-7.1.0.tar.gz

[[email protected] download]# tar zxf php-7.1.0.tar.gz 

[[email protected] download]# cd php-7.1.0

[[email protected] php-7.1.0]# ./configure --prefix=/application/php-7.1.0 \

--with-config-file-path=/application/php-7.1.0/etc \

--enable-fpm --enable-mbstring --enable-zip \

--enable-bcmath --enable-pcntl --enable-ftp \

--enable-intl --enable-exif --enable-calendar \

--enable-sysvmsg --enable-sysvsem \

--enable-sysvshm --enable-wddx --with-curl \

--with-mcrypt --with-iconv --with-gd \

--with-jpeg-dir=/usr --with-png-dir=/usr \

--with-zlib-dir=/usr --with-xpm-dir=/usr \

--with-freetype-dir=/usr --enable-gd-native-ttf \

--enable-gd-jis-conv --with-gettext=/usr \

--with-zlib=/usr --with-bz2=/usr \

--with-recode=/usr --with-mysql \

--with-mysqli --with-pdo-mysql \

--enable-sockets --disable-ipv6 \

--with-fpm-user=nginx --with-fpm-group=nginx \

--with-openssl=/usr/local/openssl

[[email protected] php-7.1.0]# make

[[email protected] php-7.1.0]# make install

[[email protected] php-7.1.0]# cp sapi/fpm/init.d.php-fpm /etc/init.d/php-fpm

[[email protected] php-7.1.0]# chmod 700 /etc/init.d/php-fpm 

[[email protected] php-7.1.0]# cp /application/php-7.1.0/etc/php-fpm.conf.default /application/php-7.1.0/etc/php-fpm.conf

[[email protected] php-7.1.0]# cp /application/php-7.1.0/etc/php-fpm.d/www.conf.default /application/php-7.1.0/etc/php-fpm.d/www.conf

[[email protected] php-7.1.0]# /etc/init.d/php-fpm start

[[email protected] php-7.1.0]# ps -ef|grep php

root      98304      1  0 00:04 ?    00:00:00 php-fpm: master process (/application/php-7.1.0/etc/php-fpm.conf)                                                             

nginx     98305  98304  0 00:04 ?        00:00:00 php-fpm: pool www 

nginx     98306  98304  0 00:04 ?        00:00:00 php-fpm: pool www 

root      98308   1265  0 00:04 pts/0    00:00:00 grep php

6. View phpinfo information


Before the upgrade, the OpenSSL version was:

openssl-1.0.1e-48.el6_8.3.x86_64

After the upgrade, check the OpenSSL information in phpinfo:

phpinfo shows the latest version from the official website, so the upgrade was successful.


The earlier upgrade attempt was unsuccessful because PHP could not recognize the latest OpenSSL version, so phpinfo still showed the old version. The upgrade succeeded only after PHP itself was upgraded to a later version.
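The same check can be made from the command line by comparing the OpenSSL version each component reports with the version that was built. The script below is an added example, not part of the original article; the function names `openssl_version_of` and `check_component` and all three sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: which OpenSSL does each component report?
# On a real host, pipe in live output instead of the constructed samples:
#   php -i | check_component php ;  nginx -V 2>&1 | check_component nginx

EXPECTED="1.1.0c"   # the version built in step 3

# Print the first OpenSSL version string found on stdin (e.g. 1.0.1e).
openssl_version_of() {
    sed -n 's/.*OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# check_component NAME: read tool output on stdin and print a verdict.
# Returns 0 if the version equals $EXPECTED, 1 if it differs, 2 if none found.
check_component() {
    name=$1
    found=$(openssl_version_of)
    if [ -z "$found" ]; then
        echo "$name: no OpenSSL version string found"; return 2
    elif [ "$found" = "$EXPECTED" ]; then
        echo "$name: OK ($found)"; return 0
    fi
    echo "$name: STALE ($found, expected $EXPECTED)"; return 1
}

# Constructed sample: `php -i` excerpt from a PHP built with
# --with-openssl=/usr/local/openssl
PHP_SAMPLE='OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 1.1.0c  10 Nov 2016
OpenSSL Header Version => OpenSSL 1.1.0c  10 Nov 2016'

# Constructed sample: `nginx -V` from a binary configured with only
# --with-http_ssl_module, which links the distribution's libssl
NGINX_SAMPLE='nginx version: nginx/1.10.1
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled'

# Constructed sample: `openssl version` from the distribution package
CLI_SAMPLE='OpenSSL 1.0.1e-fips 11 Feb 2013'

printf '%s\n' "$PHP_SAMPLE"   | check_component php     || true
printf '%s\n' "$NGINX_SAMPLE" | check_component nginx   || true
printf '%s\n' "$CLI_SAMPLE"   | check_component openssl || true
```

A STALE result for Nginx or the `openssl` command is expected with the steps above: only PHP was rebuilt against `/usr/local/openssl`, while the other components still use the system package.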

This article is an old one, and the current OpenSSL version is certainly newer than the one used here, so treat it only as an outline of the approach. Be cautious about upgrading OpenSSL, and do it only when necessary. We upgraded at the time because we were cooperating with a certain vendor and could not integrate with its API otherwise.
