由于CENTOS7.2默认使用老版本的openssl(OpenSSL 1.0.1e) ,这个问题会导致yum nginx-1.12以上版本的时候会因为依赖libcrypto.so.10(OPENSSL_1.0.2)(64bit)的问题造成安装失败。

环境描述

如下:
系统版本检测

[root@z000w00~]# cat /etc/redhat-release 
CentOS Linux release 7.2.1511 (Core) 

openssl版本检测

[root@z00w00 ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

尝试YUM安装nginx

[root@z00w00~]# yum install nginx
Loaded plugins: fastestmirror
aliEpel                                                                                                                            | 3.2 kB  00:00:00     
(1/3): aliEpel/7/x86_64/group_gz                                                                                |  88 kB  00:00:00     
(2/3): aliEpel/7/x86_64/updateinfo                                                                              | 928 kB  00:00:00     
(3/3): aliEpel/7/x86_64/primary                                                                                 | 3.5 MB  00:00:00     
Loading mirror speeds from cached hostfile
aliEpel                                                                                                                          12614/12614
Resolving Dependencies
--> Running transaction check
---> Package nginx.x86_64 1:1.12.2-2.el7 will be installed
--> Processing Dependency: nginx-filesystem = 1:1.12.2-2.el7 for package: 1:nginx-1.12.2-2.el7.x86_64
--> Processing Dependency: nginx-all-modules = 1:1.12.2-2.el7 for package: 1:nginx-1.12.2-2.el7.x86_64
--> Processing Dependency: nginx-filesystem for package: 1:nginx-1.12.2-2.el7.x86_64
--> Processing Dependency: libcrypto.so.10(OPENSSL_1.0.2)(64bit) for package: 1:nginx-1.12.2-2.el7.x86_64
--> Processing Dependency: libprofiler.so.0()(64bit) for package: 1:nginx-1.12.2-2.el7.x86_64
--> Running transaction check
.... 省略部分内容
Error: Package: 1:nginx-1.12.2-2.el7.x86_64 (aliEpel)
           Requires: libcrypto.so.10(OPENSSL_1.0.2)(64bit)
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

注意看报错,提示需要依赖libcrypto.so.10(OPENSSL_1.0.2)库文件

排查策略

查看一下openssl版本

[root@z00w00 ~]# rpm -q --provides openssl
openssl = 1:1.0.1e-51.el7_2.7
openssl(x86-64) = 1:1.0.1e-51.el7_2.7

查看一下当前的库文件,特别是libcrypto.so.10

[root@z00w00 ~]# rpm -q --provides openssl-libs | grep libcrypto.so.10
libcrypto.so.10()(64bit)
libcrypto.so.10(OPENSSL_1.0.1)(64bit)
libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit)
libcrypto.so.10(libcrypto.so.10)(64bit)

既然知道问题所在,那么解决就好办了。就是升级openssl。centos7.2是没有办法通过yum update直接升级的。

解决办法

需要从http://rpm.pbone.net 搜索相关的RPM包下载
这个就不具体演示了。搜索技能应该是必备的

解决在centos7.2下YUM安装nginx-1.12.2依赖的问题
需要以上两个文件,下一步自然是下载本地,安装了。

我再解释一下为啥要同时下载和安装这两个RPM。因为这两个RPM彼此依赖,如果单安装一个RPM,会提示另一个需要依赖,有兴趣的童鞋可以试试。

[root@z00w00 tmp]# yum localinstall openssl-libs-1.0.2k-8.el7.x86_64.rpm openssl-1.0.2k-8.el7.x86_64.rpm 
Loaded plugins: fastestmirror 
Examining openssl-libs-1.0.2k-8.el7.x86_64.rpm: 1:openssl-libs-1.0.2k-8.el7.x86_64 
Marking openssl-libs-1.0.2k-8.el7.x86_64.rpm as an update to 1:openssl-libs-1.0.1e-51.el7_2.7.x86_64 
Examining openssl-1.0.2k-8.el7.x86_64.rpm: 1:openssl-1.0.2k-8.el7.x86_64 
Marking openssl-1.0.2k-8.el7.x86_64.rpm as an update to 1:openssl-1.0.1e-51.el7_2.7.x86_64 
Resolving Dependencies 
--> Running transaction check 
---> Package openssl.x86_64 1:1.0.1e-51.el7_2.7 will be updated 
---> Package openssl.x86_64 1:1.0.2k-8.el7 will be an update 
---> Package openssl-libs.x86_64 1:1.0.1e-51.el7_2.7 will be updated 
---> Package openssl-libs.x86_64 1:1.0.2k-8.el7 will be an update 
--> Finished Dependency Resolution 

Dependencies Resolved 

======================================================================================================================================= 
Package Arch Version Repository Size 
======================================================================================================================================= 
Updating: 
openssl(B x86_64 1:1.0.2k-8.el7 /openssl-1.0.2k-8.el7.x86_64 814 k 
openssl-libs(B x86_64 1:1.0.2k-8.el7 /openssl-libs-1.0.2k-8.el7.x86_64 3.1 M 

Transaction Summary 
======================================================================================================================================= 
Upgrade 2 Packages 

Total size: 3.8 M 
Is this ok [y/d/N]: y 
Downloading packages: 
Running transaction check 
Running transaction test 
Transaction test succeeded 
Running transaction 
Updating : 1:openssl-libs-1.0.2k-8.el7.x86_64 1/4 
Updating : 1:openssl-1.0.2k-8.el7.x86_64 2/4 
Cleanup : 1:openssl-1.0.1e-51.el7_2.7.x86_64 3/4 
Cleanup : 1:openssl-libs-1.0.1e-51.el7_2.7.x86_64 4/4 
Verifying : 1:openssl-1.0.2k-8.el7.x86_64 1/4 
Verifying : 1:openssl-libs-1.0.2k-8.el7.x86_64 2/4 
Verifying : 1:openssl-libs-1.0.1e-51.el7_2.7.x86_64 3/4 
Verifying : 1:openssl-1.0.1e-51.el7_2.7.x86_64 4/4 

Updated: 
openssl.x86_64 1:1.0.2k-8.el7 openssl-libs.x86_64 1:1.0.2k-8.el7 

Complete! 

接着检查一下openssl版本

[root@z00w00 tmp]# openssl version 
OpenSSL 1.0.2k-fips 26 Jan 2017 
ror.centos.org/centos/7/os/xls 

查看包

[root@z00w00 ~]# rpm -q --provides openssl
openssl = 1:1.0.2k-8.el7
openssl(x86-64) = 1:1.0.2k-8.el7

看看依赖库

[root@gbossapp-new1-2 ~]# rpm -q --provides openssl-libs | grep libcrypto.so.10
libcrypto.so.10()(64bit)
libcrypto.so.10(OPENSSL_1.0.1)(64bit)
libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit)
libcrypto.so.10(OPENSSL_1.0.2)(64bit)
libcrypto.so.10(libcrypto.so.10)(64bit)

这个时候你就可以放心的yum 新版本NGINX了。

升级openssl还是要注意一下,因为有一些个别老应用会用到openssl1.0.1,这个时候就需要认真平衡了。