<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hello,</p>
<p><br>
</p>
<p>I'm running bind 9.18.28 on OpenSuSE Leap 15.6. I also run
'certbot' with some home-brewed scripts for DNS validation.</p>
<p>Something happened between January 6th and yesterday that caused
'certbot' renewals to fail with OpenSSL errors:</p>
<pre>tls.c:90:tls_initialize(): fatal error: RUNTIME_CHECK(OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN | OPENSSL_INIT_LOAD_CONFIG, NULL) == 1) failed
Aborted (core dumped)</pre>
<p><br>
</p>
<p>Digging deeper I found out that 'certbot' defines several
environment variables when it runs external scripts ('hooks') and
among those is also:</p>
<pre>export OPENSSL_FORCE_FIPS_MODE="0"</pre>
<p><br>
</p>
<p>And when this variable is defined (regardless of its value),
named-related commands, such as rndc, named-checkzone and
named-checkconf fail with that error.</p>
<pre># named-checkconf
tls.c:90:tls_initialize(): fatal error: RUNTIME_CHECK(OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN | OPENSSL_INIT_LOAD_CONFIG, NULL) == 1) failed
Aborted (core dumped)
# named-checkzone
tls.c:90:tls_initialize(): fatal error: RUNTIME_CHECK(OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN | OPENSSL_INIT_LOAD_CONFIG, NULL) == 1) failed
Aborted (core dumped)
# rndc
tls.c:90:tls_initialize(): fatal error: RUNTIME_CHECK(OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN | OPENSSL_INIT_LOAD_CONFIG, NULL) == 1) failed
Aborted (core dumped)
</pre>
<p>So my workaround is to 'unset' this variable in my script.</p>
<p><br>
</p>
<p>I guess the issue was caused by one of the OpenSuSE package
updates (glibc, maybe?) and has probably nothing to do with Bind
itself, but I thought someone else might run into it.<br>
</p>
<p><br>
</p>
<p> Danilo</p>
<p><br>
</p>
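<p>Added example, not part of the original message or the poster's script: a POSIX shell preamble for a certbot hook that applies the workaround described above. It tests for the variable's presence rather than its value and removes it only for the BIND commands. The function names and the guarded hook body are assumptions; CERTBOT_DOMAIN is the variable certbot exports to manual hooks.</p>

```shell
#!/bin/sh
# Added example (not the poster's script). Function names are hypothetical.

# Report how OPENSSL_FORCE_FIPS_MODE appears in the current environment.
# The message says the failure occurs when the variable is defined at all,
# so presence is tested with ${VAR+x}; a value of "0" or "" still counts.
fips_var_state() {
    if [ -z "${OPENSSL_FORCE_FIPS_MODE+x}" ]; then
        echo "unset"
    elif [ -z "$OPENSSL_FORCE_FIPS_MODE" ]; then
        echo "set-empty"
    else
        echo "set:$OPENSSL_FORCE_FIPS_MODE"
    fi
}

# Run one command with the variable removed from its environment only.
# The subshell keeps the unset from leaking into the rest of the hook, and
# the command's exit status is returned unchanged.
without_fips_var() {
    (
        unset OPENSSL_FORCE_FIPS_MODE
        "$@"
    )
}

# Hook body, run only when certbot invoked us (it exports CERTBOT_DOMAIN).
# The zone update itself is site-specific and left as a comment.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    echo "hook env: OPENSSL_FORCE_FIPS_MODE is $(fips_var_state)"
    without_fips_var named-checkconf || exit 1
    # ... write the _acme-challenge TXT record for $CERTBOT_DOMAIN here ...
    without_fips_var rndc reload || exit 1
fi
```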
</body>
</html>