Question Upgrade openssl by vendor

[Servus]

I would like to upgrade my openssl 1.0.2g release by vendor to actual stable 1.0.2l.

apt-cache policy openssl
openssl:
  Installed: 1.0.2g-1ubuntu4.8
  Candidate: 1.0.2g-1ubuntu4.8
  Version table:
 *** 1.0.2g-1ubuntu4.8 500
        500 http://mirror.eu.oneandone.net/ubuntu/ubuntu xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.2g-1ubuntu4.6 500
        500 http://mirror.eu.oneandone.net/ubuntu/ubuntu xenial-security/main amd64 Packages
     1.0.2g-1ubuntu4 500
        500 http://mirror.eu.oneandone.net/ubuntu/ubuntu xenial/main amd64 Packages

Would be fine if someone could help to do this without breaking Plesk functionality used by the vendors openssl.
Greets

 

[UFHH01]

Hi Servus,

using a ( trusted ) PPA from launchpad is a good solution to upgrade to non-standard packages, if you don't want to use the packages from your vendor on Debian/Ubuntu based systems.

A wonderfull example are the PPA's from => Ondřej Surý for example: They are used by thousands of people and these PPA's are well maintained.

Example: => ***** The main PPA for PHP (5.6, 7.0, 7.1) with many PECL extens... : Ondřej Surý

As you can see, he provides not only very usefull PHP - versions ( with lots of common additional modules ) at this PPA, but as well a ( current ) OpenSSL - package "1.1.0f-2~ubuntu16.04.1+deb.sury.org+1"​

Pls. read the informations carefully which are provided at each PPA and follow the always existent instructions on how to install it on your server.

 

[Servus]

Is it correct, only an example, or did I misunderstand something? You posted an openssl release for Ubuntu 17.10.1. Do you suggest to install this release in my case, perhaps for future upgraded system, or is it an example for the great bandwidth of Ondřej Surý's work? Because I only use 16.04.3 at the moment.

Packages in “PPA for NGINX Mainline with HTTP/2 on Ubuntu 14.04 ...” : PPA for NGINX Mainline with HTTP/2 on Ubuntu 14.04 LTS and higher : Ondřej Surý

I would choose amd64 build of openssl 1.1.0f-1+deb.sury.org+ubuntu16.04+2 : PPA for NGINX Mainline with HTTP/2 on Ubuntu 14.04 LTS and higher : Ondřej Surý. or better this one https://launchpadlibrarian.net/321256765/openssl_1.1.0f-1+deb.sury.org+ubuntu16.04+2_amd64.changes
I registered on UbuntuOne but I can't find the way how to install it nor instructions, except the ones to update the repository for future updates.
Seems to be a little far away. Or someone like you is so kindly and write an tutorial like for compiling nginx with pagespeed and brotli.
That's what I wanted to do in real. I wanted to upgrade openssl only to immediately install the new nginx 1.13.5 to get the new point 3 pagespeed.
If it is possible without upgrading openssl, I would do it right now.
Greets and thanks for a great tipp, sorry, the ubuntu one side is something totally special, no usual ways to get the necessary downloads and instructions.

 

[UFHH01]

Hi Servus,

Is it correct, only an example

To reduce your ( possible ) confusion about an installed package at one of my Ubuntu - testing servers, I corrected my above posts. I hope that suits you more.

No, you wouldn't choose the nginx - mainline - version for your system, as this will remove dependent Plesk packages... I would have recommended this launchpad PPA, if this wouldn't cause issues with Plesk.

You STILL have to compile nginx on your very own and don't want to use sources.lists or *.deb - packages, in order to install them on your server. Pls. don't mix that, please. Currently, I wanted to point out, how you could easily upgrade your current a openssl - package from your vendor, when you use Debian/Ubuntu based systems, as the "compile-it-own-your-own-goal" seems to be a bit to tricky for you with tutorials from the web.


Btw.:

​

... just to show you, that IT WORKS this way - Just tested it...


... but to finish this somehow endless discussions for your nginx compilation with TLS1.3 support, I will now update ( again ) my contribution thread, with a solution for CentOS/Debian/Ubuntu... so pls. visit ( a bit later ):

=> Contribution - How to compile NGINX with additional modules ( pagespeed / cache_purge / headers-more / and others )​

 

[Servus]

Hi and THANKS A LOT @UFHH01 Just done...lol...I fired the new openssl from Ondřej Surý's in my apt/sources.list.d and upgraded (dist-upgrade) openssl. Just one minute ago.

root@web:~# sudo add-apt-repository ppa:ondrej/nginx-mainline
 This branch follows latest NGINX Mainline packages compiled against OpenSSL 1.0.2 for HTTP/2 support with ALPN.

BUGS&FEATURES: This PPA now has a issue tracker: https://deb.sury.org/#bug-reporting

PLEASE READ: If you like my work and want to give me a little motivation, please consider donating: https://donate.sury.org
 More info: https://launchpad.net/~ondrej/+archive/ubuntu/nginx-mainline
Press [ENTER] to continue or ctrl-c to cancel adding it

gpg: keyring `/tmp/tmp_uoniibo/secring.gpg' created
gpg: keyring `/tmp/tmp_uoniibo/pubring.gpg' created
gpg: requesting key E5267A6C from hkp server keyserver.ubuntu.com
gpg: /tmp/tmp_uoniibo/trustdb.gpg: trustdb created
gpg: key E5267A6C: public key "Launchpad PPA for Ondřej Surý" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
OK
root@web:~# sudo apt-get update
Hit:1 http://mirror.eu.oneandone.net/ubuntu/ubuntu xenial InRelease
Hit:2 http://mirror.eu.oneandone.net/ubuntu/ubuntu xenial-updates InRelease
Hit:3 http://mirror.eu.oneandone.net/ubuntu/ubuntu xenial-backports InRelease
Hit:4 http://mirror.eu.oneandone.net/ubuntu/ubuntu xenial-security InRelease
Hit:5 http://autoinstall.plesk.com/debian/NODE_0.0.1 all InRelease
Hit:6 http://ftp.hosteurope.de/mirror/autoinstall.plesk.com/ubuntu/PSA_17.5.3 xenial InRelease
Hit:7 http://autoinstall.plesk.com/ubuntu/RUBY_0.0.1 xenial InRelease
Hit:8 http://autoinstall.plesk.com/ubuntu/PSA_17.5.3 xenial InRelease
Hit:9 http://ftp.hosteurope.de/mirror/autoinstall.plesk.com/ubuntu/PMM_0.1.10 xenial InRelease
Hit:10 http://autoinstall.plesk.com/ubuntu/PHP70_17 xenial InRelease
Hit:11 http://autoinstall.plesk.com/ubuntu/PHP71_17 xenial InRelease
Hit:12 http://autoinstall.plesk.com/ubuntu/NGINX17 xenial InRelease
Get:13 http://ppa.launchpad.net/ondrej/nginx-mainline/ubuntu xenial InRelease [23.9 kB]
Hit:14 https://apt.dockerproject.org/repo ubuntu-xenial InRelease
Get:15 http://ppa.launchpad.net/ondrej/nginx-mainline/ubuntu xenial/main amd64 Packages [6,920 B]
Get:16 http://ppa.launchpad.net/ondrej/nginx-mainline/ubuntu xenial/main i386 Packages [6,908 B]
Get:17 http://ppa.launchpad.net/ondrej/nginx-mainline/ubuntu xenial/main Translation-en [6,120 B]
Fetched 43.8 kB in 2s (17.7 kB/s)
Reading package lists... Done
root@web:~# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  openssl
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
root@web:~# apt-get dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
  libssl1.1
The following packages will be upgraded:
  openssl
1 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,048 kB of archives.
After this operation, 3,731 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://ppa.launchpad.net/ondrej/nginx-mainline/ubuntu xenial/main amd64 libssl1.1 amd64 1.1.0f-2~ubuntu16.04.1+deb.sury.org+1 [1,335 kB]
Get:2 http://ppa.launchpad.net/ondrej/nginx-mainline/ubuntu xenial/main amd64 openssl amd64 1.1.0f-2~ubuntu16.04.1+deb.sury.org+1 [714 kB]
Fetched 2,048 kB in 1s (1,295 kB/s)
Preconfiguring packages ...
Selecting previously unselected package libssl1.1:amd64.
(Reading database ... 185833 files and directories currently installed.)
Preparing to unpack .../libssl1.1_1.1.0f-2~ubuntu16.04.1+deb.sury.org+1_amd64.deb ...
Unpacking libssl1.1:amd64 (1.1.0f-2~ubuntu16.04.1+deb.sury.org+1) ...
Preparing to unpack .../openssl_1.1.0f-2~ubuntu16.04.1+deb.sury.org+1_amd64.deb ...
Unpacking openssl (1.1.0f-2~ubuntu16.04.1+deb.sury.org+1) over (1.0.2g-1ubuntu4.8) ...
Processing triggers for libc-bin (2.23-0ubuntu9) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up libssl1.1:amd64 (1.1.0f-2~ubuntu16.04.1+deb.sury.org+1) ...
Setting up openssl (1.1.0f-2~ubuntu16.04.1+deb.sury.org+1) ...
Installing new version of config file /etc/ssl/openssl.cnf ...
Processing triggers for libc-bin (2.23-0ubuntu9) ...
root@web:~#

For nginx I fully agree with you. I will follow your tutorial like I did the first time. For me, or better for the whole system and installation of pagespeed compiled by nginx I was sure to have a lil newer openssl which fits the needs of future innovations (TLSv1.3). I know you know what I mean. Better to build a system from ground of, instead compiling nginx with an older openssl.
But I will edit this post to let you know what my openssl by Ondřej Surý gave me as a gift.
Well done, thanks to YOU @UFHH01 :

 dpkg -l openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
ii  openssl        1.1.0f-2~ubu amd64        Secure Sockets Layer toolkit - cr
root@web:~#

But for the other thread with additional openssl-1.0.2l, you are right. It was worse. Now it would be necessary to remove the additional openssl. For nginx 1.13.5 I can now use the official openssl by Ondřej.
Enough for today and the whole year. Good night Uwe.