LetsEncrypt SSL Certificates on Bahmni 92

bhiravabhatla · December 31, 2019, 5:56am

Hi Community,

While installing Letsencrypt certificate on one of the 92 instances using wiki guide, I faced an issue due to multiple library versions of Zlib

 Error:  Multilib version problems found. This often means that the root
   cause is something else and multilib version checking is just
   pointing out that there is a problem. Eg.:

     1. You have an upgrade for zlib which is missing some
        dependency that another package requires. Yum is trying to
        solve this by installing an older version of zlib of the
        different architecture. If you exclude the bad architecture
        yum will tell you what the root cause is (which package
        requires what). You can try redoing the upgrade with
        --exclude zlib.otherarch ... this should give you an error
        message showing the root cause of the problem.

     2. You have multiple architectures of zlib installed, but
        yum can only see an upgrade for one of those architectures.
        If you don't want/need both architectures anymore then you
        can remove the one with the missing update and everything
        will work.

     3. You have duplicate versions of zlib installed already.
        You can use "yum check" to get yum show these errors.

   ...you can also use --setopt=protected_multilib=false to remove
   this checking, however this is almost never the correct thing to
   do as something else is very likely to go wrong (often causing
   much more problems).

As part of bahmni-installation we install zlib [1.2.11] from fedora’s repo -

yum install https://kojipkgs.fedoraproject.org//packages/zlib/1.2.11/18.fc30/x86_64/zlib-1.2.11-18.fc30.x86_64.rpm

As part of letsencrypt cert installation, yum tries to install zlib-devel as a dependency (required for openssl-devel) and fails with above error.

To overcome this, I had to follow below steps.

Installed zlib-1.2.11-19 - As I could not find compatible zlib-devel for zlib-1.2.11-18 in fedora repo.

yum install http://download-ib01.fedoraproject.org/pub/fedora/linux/updates/30/Everything/x86_64/Packages/z/zlib-1.2.11-19.fc30.x86_64.rpm
Installed zlib-devel-1.2.11-19 from fedora

yum install http://download-ib01.fedoraproject.org/pub/fedora/linux/updates/30/Everything/x86_64/Packages/z/zlib-devel-1.2.11-19.fc30.x86_64.rpm
Continued with letsencrypt cert installation

@angshuonline @binduak @mksrom Have you faced this - If yes, could you please let me know, if I can handle this in a better way

angshuonline · January 5, 2020, 1:50pm

no. but then we haven’t had the need to recently to regenerate certs. also note, the WIKI page lists out go checkout letsencrypt from master (github) - which usually should work, but it maybe latest codes require such dependencies upgrade.

I would also ask to create the cert where you didn’t have 1.2.11 zlib upgraded? maybe its specifically to do with the zlib upgraded lib.

bhiravabhatla · January 5, 2020, 2:44pm

@angshuonline - yes it looks like it has to do with zlib library we install from fedora repo. I will try installing cert before bahmni installation ( as zlib is required for bahmni installation ). Will let you know. Thanks!

bhiravabhatla · February 10, 2020, 10:50am

Hi @angshuonline,

Sorry to reply late on this.

You are right, it is because with install zlib-1.2.11 explicitly. As part of letsencrypt installation, it tries to to install zlib-devel and doesnot find a compatible version for the installed zlib.

Thats why I had to explicitly install zlib-devel-1.2.11-19.

eddyprasetyo · February 13, 2020, 2:13am

I’d do something similar to this, generating cert from another machine, and later transfer cert and key file to bahmni’s httpd.