Skip to main content
avillanueva
23-Emerald I
avillanueva23-Emerald I
23-Emerald I
June 13, 2025
Solved

RHEL 9, SSO, Shibboleth and fun with linux libraries - Webserver fails to start

  • June 13, 2025
  • 1 reply
  • 909 views

Nothing too critical but documenting this for future. This is me after this week battling Windchill configuration:

avillanueva_0-1749846099039.png

The latest saga is with SSO. I have my notes from last year which is pretty straight forward except now I am running RHEL 9.2, SELinux (we'll get to you later), Windchill 13.0.2.4, Shibboleth 3.5. When I went to configure Apache to load the Shibboleth modules, it failed to start with this error:

00-1mod_shib.conf: Cannot load /usr/lib64/shibboleth/mod_shib_24.so into server: /lib64/libldap.so.2: undefined symbol: EVP_md2, version OPENSSL_3.0.0
Jun 13 14:53:47 systemd[1]: windchill-httpd.service: Control process exited, code=exited, status=1/FAILURE

Now, I've seen this type of thing before on my 12.0.2 server. I followed CS352455 and it fixed it but this error

00-1mod_shib.conf: Cannot load /usr/lib64/shibboleth/mod_shib_24.so into server: /lib64/libldap.so.2: undefined symbol: EVP_md2, version OPENSSL_3.0.0 was different talking about a different library. Searching knowledge base leads me to this wonderful article CS444585 with no resolution documented and a similar one CS341852. Closer but wrong Windchill version, wrong OS and that file does not even exist there. 

While Shibboleth install script pull 3.5 for RHEL 9, at the time of this writing, 13.0.2.4 does not support this version (supports 3.4.1+) CS434427 just a few CPS's away. 

 

Google tells me that this are a ton is issues related to this error with other application. Any clue as to what I need to downgrade or what I need to add to the Apache conf to make this all work?

 

So, yes Shibboleth clearly states that SELinux is not supported (https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065335559/SELinux ) but I will battle that another day. Seems like no one wants to support it but Gov. is requiring it. 

    Best answer by avillanueva

    I think I may have solved or worked around this. The version of openldap that was installed was 2.6.2-3 which showed a release date of 5/2022.  I upgraded via yum openldap the latest version 2.6.8-4 and Apache started up without issue. This might have been compiled properly with OpenSSL 3.0.  I did not need to add any special LoadFile calls in 00-1mod_shib.conf to library files. 

    1 reply

    avillanueva
    23-Emerald I
    avillanueva23-Emerald IAuthor
    23-Emerald I
    June 16, 2025

    Conversed with Tech Support. They are looking into that article with missing resolution. They indicated that CPS 6 fixes this issue but what is strange is how? Perhaps some linux experts can chime in. This is a library issue between shibboleth, openldap and openssl. I know Redhat 9 has upgrading to openssl 3.0. Just wondering how a CPS update resolves this since this does not appear to be a PTC/Windchill issue. Any fix could be something I can do right now. That was my question back to them. Also the message indicates something about MD2 which is a legacy framework and has a number of CVE's against it. The fix should not be to enable it. 

    avillanueva
    23-Emerald I
    avillanueva23-Emerald IAuthorAnswer
    23-Emerald I
    June 16, 2025

    I think I may have solved or worked around this. The version of openldap that was installed was 2.6.2-3 which showed a release date of 5/2022.  I upgraded via yum openldap the latest version 2.6.8-4 and Apache started up without issue. This might have been compiled properly with OpenSSL 3.0.  I did not need to add any special LoadFile calls in 00-1mod_shib.conf to library files. 

      Terms & ConditionsAccessibility statement