
Resolved Failed openssl-1.1.0f upgrade

Servus

Hi all,
I think I made a big mistake. It would be great if you could help me resolve it.
A few months ago I installed openssl-1.0.1l in /usr/src/, I thought successfully, but now I'm not sure because I never ran "make test" during installation.
Today I wanted to upgrade to openssl-1.1.0f using the same tutorial, which @UFHH01 also pointed to as a decent and good one; I fully agree.
This time I ran "make test" and 1 of 5 subtests failed.
Sorry, I have only this little information about the reason why it failed. I tried to find information on the internet to solve the problem.
Code:
openssl Makefile:150: recipe for target 'tests' failed
I also wondered about the fact that md5 and rc2 were not supported by this build which was also displayed during the test.
I decided to give it a chance and ran "make install".
Then I followed the tutorial
Code:
root@web:/usr/src/openssl-1.1.0f# mv /usr/bin/openssl /root/
root@web:/usr/src/openssl-1.1.0f# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
and got these results:
Code:
root@web:/usr/src/openssl-1.1.0f# openssl version
OpenSSL 1.0.2l  25 May 2017
Code:
root@web:/usr/src/openssl-1.1.0f# openssl version -a
OpenSSL 1.0.2l  25 May 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) rc4(8x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/local/ssl"

My questions are:
- Is it possible to delete the new failed installation of openssl-1.1.0f and how?
The output of:
openssl version -a
OpenSSL 1.0.2l 25 May 2017
built on: reproducible build, date unspecified

and the missing md2(int) leads me to the possibility that the first installation of the old openssl-1.0.2l wasn't successful as I thought or that I destroyed the whole openssl by my failed try today.
- How can I prove and be sure that openssl-1.0.2l is working?
- There would also be the small chance to repair the newly upgraded version of openssl. It would be fine if there is a real chance, but at this point it is far from my wishes.

EDIT:
after reboot I get this output:

Code:
root@web:~# openssl version
openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
So it's obvious that I destroyed the whole openssl.
How to fix the problem, please? I have two openssl-old and openssl-new directories in /usr/src/?

Greets
 
I tried the following:
Deleted the whole directory of openssl-1.1.0f in /usr/src/
Then I restarted the installation of the latest build which is my old openssl-1.0.2l.
Everything seemed to work well, but in the end I get the following error:
Code:
openssl version
openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
I searched for libssl.so.1.1; the 1.1 looks to me like a fragment of the failed new installation.
Because shouldn't it be 1.0 instead of 1.1 ????
I found it in /usr/local/lib/ with whereis. Renaming to 1.0, I really tried it, and restarted the installation of the old openssl-1.0.2l, but it failed also.
engines-1.1
libcrypto.so.1.1
libssl.so.1.1


Would be great if there is someone who knows how to repair or install the old openssl-1.0.2l. First to remove possible fragments of the new installation.

Greets
 
Hi Servus,

pls. step back and RE - install the openssl - version from your vendor with the following commands:

Code:
apt-get install --reinstall openssl
... or use "dpkg" with the option "force-overwrite", if you have a local *.deb - file stored on your server. ;)

Afterwards, pls. consider to locate ( obsolete ) folders related to your miscompiled openssl - version and ( carefully ) delete them on your server.
 
Hi @UFHH01 ,
thanks for the help, I just followed your advice. But I had already fixed it on my own two hours ago. It was hard, very hard.
Today I tried to find and delete all openssl files which are related to these additionally installed openssl versions 1.0.2l and 1.1.0f (binaries).
For example, I deleted the openssl binary that the install tutorial advised copying to /root/ (the most unimportant one), /usr/bin/openssl, both files (openssl + c.rehash) in /usr/local/ssl/bin/openssl and, very important, /usr/local/bin/openssl.
I was very afraid to delete Plesk openssl files and fully destroy everything.
Then after the 5th reinstallation of 1.0.2l it worked.
Problem: I'm not sure if it works, if it is secure, openssl is pure security (encryption).
I wish there would be a real test to be sure that everything works like expected.
After reinstallation of openssl 5 minutes ago (your advice) I will now make an (over-)installation of openssl-1.0.2l.
I think there is perhaps no need to delete the files again and make a new installation, because I have already had the (successful) openssl 1.0.2l for a few hours.
If I'm wrong, please tell me, to change my way.

Greets and thanks a lot
 
I also did the installation of openssl-1.0.2l after the installation of the vendor's openssl that you advised.
This is the result:
Code:
root@web:/usr/src/openssl-1.0.2l# openssl version
OpenSSL 1.0.2l  25 May 2017
and
Code:
root@web:/usr/src/openssl-1.0.2l# openssl version -a
OpenSSL 1.0.2l  25 May 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) rc4(8x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/local/ssl"
root@web:/usr/src/openssl-1.0.2l#
 
or use "dpkg" with the option "force-overwrite", if you have a local *.deb - file stored on your server
Hi @UFHH01, I think I know what you mean. To upgrade the vendor openssl version.
But I don't know the way to upgrade the vendor's openssl with dpkg. For that I need to download the openssl**.deb file. It would also be great to compile nginx with it afterwards.
If you could help me, would be great. I open a new thread "Upgrade openssl by vendor". Problem would be only to perhaps take another mirror, don't know if 1and1 have it.
Here is what I have:
Code:
root@web:~# which openssl
/usr/local/bin/openssl

root@web:~# /usr/local/bin/openssl version
OpenSSL 1.0.2l  25 May 2017

root@web:~# dpkg -l openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                      Version                   Architecture              Description
+++-=========================================-=========================-=========================-=======================================================================================
ii  openssl                                   1.0.2g-1ubuntu4.8         amd64                     Secure Sockets Layer toolkit - cryptographic utility

root@web:~# apt-cache policy openssl
openssl:
  Installed: 1.0.2g-1ubuntu4.8
  Candidate: 1.0.2g-1ubuntu4.8
  Version table:
 *** 1.0.2g-1ubuntu4.8 500
        500 http://mirror.eu.oneandone.net/ubuntu/ubuntu xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.2g-1ubuntu4.6 500
        500 http://mirror.eu.oneandone.net/ubuntu/ubuntu xenial-security/main amd64 Packages
     1.0.2g-1ubuntu4 500
        500 http://mirror.eu.oneandone.net/ubuntu/ubuntu xenial/main amd64 Packages
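
Added example, not part of any post in this thread: the output above shows `which openssl` resolving to /usr/local/bin/openssl while dpkg reports the vendor package 1.0.2g, and earlier posts show a binary failing on libssl.so.1.1. The shell sketch below lists every openssl on PATH in lookup order and classifies the libssl/libcrypto lines of `ldd` output. The function names, the sample ldd text (constructed) and the rule that anything under /usr/local counts as locally built are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): which openssl is resolved, and what does it link to?

# Print every executable called $1 along the PATH-style string $2, in lookup order.
# The first line is what the shell runs; later lines are shadowed copies.
path_candidates() {
    name=$1; old_ifs=$IFS; IFS=:
    for dir in $2; do
        [ -n "$dir" ] || dir=.          # an empty PATH entry means the current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then printf '%s\n' "$dir/$name"; fi
    done
    IFS=$old_ifs
}

# Read `ldd` output on stdin and classify the libssl/libcrypto dependencies.
# Exit status is 1 if any of them is unresolved or comes from /usr/local (assumed: local build).
audit_ldd() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ {
            if ($3 == "not" && $4 == "found") { print "MISSING " $1; bad = 1 }
            else if ($3 ~ /^\/usr\/local\//)  { print "LOCAL " $1 " " $3; bad = 1 }
            else                               { print "VENDOR " $1 " " $3 }
         }
         END { exit bad + 0 }'
}

# Run both checks against the live system (needs ldd; dpkg -S exists on Debian/Ubuntu).
audit_host() {
    path_candidates openssl "$PATH" | while read -r bin; do
        printf '== %s\n' "$bin"
        dpkg -S "$bin" 2>/dev/null || echo "not owned by any dpkg package"
        ldd "$bin" | audit_ldd || echo "-> library problem, see lines above"
    done
}

# Constructed ldd output resembling the broken state described in the thread.
SAMPLE_BROKEN='	libssl.so.1.1 => not found
	libcrypto.so.1.1 => /usr/local/lib/libcrypto.so.1.1 (0x00007f0000000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)'

printf '%s\n' "$SAMPLE_BROKEN" | audit_ldd || echo "sample: this openssl would not start cleanly"
```

Calling `audit_host` on the server prints one section per openssl binary found on PATH; a healthy vendor-only setup shows a single binary owned by the openssl package with only VENDOR lines.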
 
Hi Servus,

sorry, as I don't see a decent documentation WHAT you changed and HOW, any possible suggestion may lead to issues/errors/problems. This is an absolute "No-Go", when you administrate a server. You changed so many things to non-standards, experimented here and there and I for myself am not able anymore to follow you with all these posts and threads. It would simply be irresponsible of me to give you more tips because it can no longer be excluded, that dependencies have been violated and the entire server could be insecure and vulnerable by now.
 