F35 to F37 upgrade breaks (?) my ssl config (dhparameters)

Being new to Linux, my first Linux OS was F35. I had a Nextcloud instance running, upgraded to F37, and now Nextcloud is unavailable. Found that httpd would not start. Http/ssl_error log showed:

[Tue Dec 20 18:36:05.764828 2022] [ssl:emerg] [pid 2821:tid 2821] AH02407: "SSLOpenSSLConfCmd DHParameters /etc/letsencrypt/live/xxx.com/dhparam.pem" failed for xxx.com:443

[Tue Dec 20 18:36:05.764846 2022] [ssl:emerg] [pid 2821:tid 2821] SSL Library Error: error:1E08010C:DECODER routines::unsupported (No supported data to decode. Input type: PEM)

I checked that file /etc/letsencrypt/live/xxx.com/dhparam.pem does indeed exist.

After much frustration I found that removing
[ SSLOpenSSLConfCmd DHParameters "/etc/letsencrypt/live/xxx.com/dhparam.pem" ]
directive from my http conf solves the problem and httpd starts (with the directive included in http conf file, httpd syntax check still passes in F37 as was the case in F35).

Question is why did my configuration break? Was it due to openssl version 1.11 → 3.0.5 ?
Also, do I actually need DHParameter…xx… directive for a proper secure config?


F35 I had:
~# dnf list installed | grep openssl
apr-util-openssl.x86_64 1.6.1-17.fc35 @fedora
openssl.x86_64 1:1.1.1q-1.fc35 @updates
openssl-libs.x86_64 1:1.1.1q-1.fc35 @updates
openssl-pkcs11.x86_64 0.4.11-4.fc35 @fedora
xmlsec1-openssl.x86_64 1.2.29-4.fc35 @fedora

F37 I now have:
~# dnf list installed | grep openssl
apr-util-openssl.x86_64 1.6.1-22.fc37 @fedora
openssl.x86_64 1:3.0.5-3.fc37 @fedora
openssl-libs.x86_64 1:3.0.5-3.fc37 @fedora
openssl-pkcs11.x86_64 0.4.12-2.fc37 @fedora
xmlsec1-openssl.x86_64 1.2.34-4.fc37 @updates

From "What’s the purpose of DH Parameters?", it looks like you could probably just create a new file that the newer version of openssl would be happy with by running the following command (I would back up the previous one first just in case it doesn’t work).

openssl dhparam -out /etc/letsencrypt/live/xxx.com/dhparam.pem 4096
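A preflight check for a dhparam.pem file before pointing `SSLOpenSSLConfCmd DHParameters` at it and restarting httpd, as an added example that is not part of the original thread. It is not OpenSSL's own decoder: it only confirms that the file holds a PEM block labelled `DH PARAMETERS` with a PKCS#3 `SEQUENCE { prime, base }` inside, and reports the prime size; the function names and the toy sample are constructed for illustration.

```python
import base64
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9. ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _read_tlv(buf, pos, want_tag):
    """Read one DER element at pos; return (value_bytes, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError(f"expected DER tag 0x{want_tag:02x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of data")
    return buf[pos:pos + length], pos + length

def inspect_dhparam(pem_text):
    """Return (prime_bits, generator) for a PKCS#3 'DH PARAMETERS' PEM block."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found (empty or truncated file?)")
    label, body = m.group(1), m.group(2)
    if label != "DH PARAMETERS":
        raise ValueError(f"PEM label is {label!r}, not 'DH PARAMETERS'")
    der = base64.b64decode("".join(body.split()), validate=True)
    seq, _ = _read_tlv(der, 0, 0x30)       # SEQUENCE { prime, base, ... }
    p_raw, nxt = _read_tlv(seq, 0, 0x02)   # INTEGER prime
    g_raw, _ = _read_tlv(seq, nxt, 0x02)   # INTEGER base (generator)
    return int.from_bytes(p_raw, "big").bit_length(), int.from_bytes(g_raw, "big")

# Constructed toy sample (p=23, g=5); far too small for real use.
SAMPLE = ("-----BEGIN DH PARAMETERS-----\nMAYCARcCAQU=\n"
          "-----END DH PARAMETERS-----\n")

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    try:
        bits, g = inspect_dhparam(text)
        print(f"DH PARAMETERS block ok: {bits}-bit prime, generator {g}")
    except ValueError as e:                # binascii.Error is a ValueError too
        sys.exit(f"not usable as DH parameters: {e}")
```

Run it with the path to the PEM file as the only argument; with no argument it parses the embedded toy sample.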

That worked like a charm, I had been struggling with this for some time!

Thanks Greg