
I'm trying to move from Alpine 3.16 to 3.17, which comes with a breaking change of OpenSSL from v1.1.1 to v3.x.

The method `openssl_pkey_new` always fails on Alpine 3.17 and is not able to apply key generation probably.

```
error:0480006C:PEM routines::no start line
error:0200008A:rsa routines::invalid padding
error:02000072:rsa routines::padding check failed
error:1C880004:Provider routines::RSA lib
error:0480006C:PEM routines::no start line
error:0480006C:PEM routines::no start line
error:0480006C:PEM routines::no start line
error:0480006C:PEM routines::no start line
error:0480006C:PEM routines::no start line
error:0480006C:PEM routines::no start line
error:0480006C:PEM routines::no start line
error:0480006C:PEM routines::no start line
error:0480006C:PEM routines::no start line
error:0480006C:PEM routines::no start line
error:05000072:dsa routines::bad ffc parameters
```

It looks like there is a need for a valid `openssl.cnf` according to the PHP documentation, but I can't find any valid example.

Env:

  • Alpine 3.17
  • OpenSSL 3.0.8
  • PHP 8.1

Did someone face a similar issue and could guide me?

Thanks :)

Ahmed Alaa El-Din
  • What exactly "fails"? What is the *exact text* of the error message you see? Can you give a [mre]? What led you to think "openssl.cnf" was the issue, and what kind of example are you looking for? – IMSoP Apr 26 '23 at 10:57
  • Hi @IMSoP sure, updated the post with the error message and what led me to think about the "openssl.cnf" -> the answer I got on https://github.com/docker-library/php/issues/1397 as well as the same code base working with alpine 3.16 with openssl 1.1.1 and it breaks with the default image https://github.com/docker-library/php/tree/b93e90a02e9834fe3865f5e7b61f62186b2d05f5/8.1 – Ahmed Alaa El-Din Apr 27 '23 at 11:09
  • @IMSoP Also this note on php documentation "Note: You need to have a valid openssl.cnf installed for this function to operate correctly. See the notes under the installation section for more information." so what is the definition of valid "openssl.cnf" and on installation guide: "Additionally, if you are planning to use the key generation and certificate signing functions, you will need to install a valid "openssl.cnf" file on your system." so I'm looking for example of valid "openssl.cnf" that can generate key on runtime – Ahmed Alaa El-Din Apr 27 '23 at 11:12
  • That makes sense. I guess the remaining question is whether your system has an `openssl.cnf` file at all - the [PHP manual](https://www.php.net/manual/en/openssl.installation.php) seems to imply that it will normally be there in some form for non-Windows systems. On the Ubuntu system I have to hand, `/etc/ssl/openssl.cnf` exists with a whole bunch of defaults, and `/usr/lib/ssl/openssl.cnf` is a symlink to it. – IMSoP Apr 27 '23 at 11:46
  • @IMSoP Yeah, it has a valid `openssl.cnf` and could read it, as other methods work, but the key generation at runtime doesn't, so I expect, according to the installation guide, that it requires some specific config in the `openssl.cnf`, but the documentation of "valid openssl.cnf files" isn't enough information sadly :( – Ahmed Alaa El-Din Apr 28 '23 at 13:18
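
A diagnostic for the call discussed in the question, as an added example that is not code from the post or from the PHP project: it empties OpenSSL's error queue before calling `openssl_pkey_new`, so the errors collected afterwards belong to that call only, and it reports whether a key was actually returned. The fallback path `/etc/ssl/openssl.cnf` is an assumption taken from the comments above, and the function names `drain_openssl_errors` and `diagnose_pkey_new` are hypothetical.

```php
<?php
declare(strict_types=1);

// openssl_error_string() pops one queued message per call; messages left by
// earlier OpenSSL calls stay queued until read, so drain before and after.
function drain_openssl_errors(): array
{
    $errors = [];
    while (($msg = openssl_error_string()) !== false) {
        $errors[] = $msg;
    }
    return $errors;
}

// Hypothetical helper: attempt RSA key generation with an explicit config
// file and separate stale errors from those raised by this call.
function diagnose_pkey_new(string $configPath): array
{
    $report = [
        'openssl_version' => OPENSSL_VERSION_TEXT,
        'config_path'     => $configPath,
        'config_readable' => is_readable($configPath),
        'stale_errors'    => drain_openssl_errors(),
    ];

    $key = openssl_pkey_new([
        'config'           => $configPath,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
    ]);

    $report['key_created']      = ($key !== false);
    $report['errors_from_call'] = drain_openssl_errors();

    if ($key !== false) {
        // Confirm the key is usable by reading back its parameters.
        $details        = openssl_pkey_get_details($key);
        $report['bits'] = $details['bits'] ?? null;
    }
    return $report;
}

// Assumption: OPENSSL_CONF if set, otherwise the path named in the comments.
$path = getenv('OPENSSL_CONF') ?: '/etc/ssl/openssl.cnf';
print_r(diagnose_pkey_new($path));
```

If `key_created` is true while `stale_errors` is non-empty, the logged messages came from earlier OpenSSL calls rather than from key generation.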

0 Answers