NGINX 1.25.2 Mainline with Brotli, TLS 1.3, OpenSSL 3.0.10, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9

NGINX 1.25.2 mainline with HTTP/3 support has been added to the EL7, EL8 and EL9 repositories. The Brotli compression module from Google, http2, ngx cache purge and ngx http geoip2 modules are added or built in. OpenSSL is built dynamically using OpenSSL+QUIC 3.0.10.

Major changes:

  • Feature: the “http2” directive, which enables HTTP/2 on a per-server basis; the “http2” parameter of the “listen” directive is now deprecated.
  • Change: HTTP/2 server push support has been removed.
  • Change: the deprecated “ssl” directive is not supported anymore.
  • Bugfix: in HTTP/3 when using OpenSSL.

RHEL 7 / CentOS 7:

yum upgrade -y codeit-repo-release
yum-config-manager --disable CodeIT-quic --save
yum-config-manager --enable CodeIT-mainline --save

RHEL 8-9 / Alma Linux 8-9 / Rocky Linux 8-9 / CentOS 8-9 / Other EL8/EL9:

EL8/EL9 repos are modular now. To install nginx with HTTP/3 support, you need to enable the appropriate stream:

dnf module reset -y nginx
dnf module enable -y nginx:codeit-mainline

We have built OpenSSL+QUIC 3.0 separately since v1.21.6, installing it to /lib64 with a .so.81.3 suffix to ensure it won’t interfere with your system libraries.

Experimental HTTP/3 support was added in NGINX 1.25.0 Mainline. We build it with the corresponding module (--with-http_v3_module).

12 thoughts on “NGINX 1.25.2 Mainline with Brotli, TLS 1.3, OpenSSL 3.0.10, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9”

  1. Hi,

    I tried to install mainline nginx on Rocky Linux 9 with these steps:

    dnf install epel-release -y
    dnf install -y https://rpms.remirepo.net/enterprise/remi-release-9.rpm

    yum install -y https://repo.codeit.guru/codeit-repo-release.el9.rpm epel-release
    dnf module enable -y nginx:codeit-mainline

    dnf install nginx -y
    systemctl enable nginx
    systemctl start nginx

    But when I try to run the nginx -t command, this error appears:

    nginx: [alert] OPENSSL_init_ssl() failed (SSL: error:030000A9:digital envelope routines::unknown option:name=rh-allow-sha1-signatures, value=yes error:0700006D:configuration file routines::module initialization error:module=alg_section, value=evp_properties retcode=-1 )
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful

    Is there any step I am missing? Please help.

    Regards.

    1. Hello, looks like you have rh-allow-sha1-signatures = true somewhere in your configs (openssl.conf) and openssl-quic tries to enable this feature. At the same time we build quictls-openssl without any patches. Could you please check:
      1) the value of rh-allow-sha1-signatures
      2) give me exact versions (rpm -q) of nginx and openssl-quic-libs.

      Thanks for the report!

      1. Thanks for the reply. Sorry, I don’t know how to check that version. Is there any command to do that, or a file location where I can see it?

        Regards.

        1. With the nginx -v command: nginx version: nginx/1.25.2
          and with the openssl version command: OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)

          Perhaps that can help.

          1. Hmm, I just tried the rockylinux/rockylinux:9 Docker image and the following commands:

            dnf install epel-release -y
            dnf install -y https://rpms.remirepo.net/enterprise/remi-release-9.rpm
            yum install -y https://repo.codeit.guru/codeit-repo-release.el9.rpm epel-release
            dnf module enable -y nginx:codeit-mainline
            dnf install nginx -y
            useradd apache
            nginx -t
            

            No error is shown:
            nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
            nginx: configuration file /etc/nginx/nginx.conf test is successful

            Could you please try to reproduce it on a clean system to understand which package/setting does that?

          2. Yes, I tried many times with a clean system and tried your steps above, but the same error still appears.

            I am using Vultr btw, so maybe it is related to their server config. I will try another VPS service like Linode or DigitalOcean.

            Thanks for help.

            Regards.

          3. Yes, I tried with Docker and it is working fine, no error appears, and I can’t find rh-allow-sha1-signatures in /etc.
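
The two checks requested in the thread above (where rh-allow-sha1-signatures is set, and the exact package versions), written as an added example that is not part of the original post or its comments. The paths /etc/pki/tls, /etc/crypto-policies and /etc/pki/tls/openssl.cnf are assumptions about a stock EL9 layout, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original page): find where an OpenSSL config
# option is set, and report which nginx/OpenSSL builds are in use.

# Print "file:line:value" for each uncommented assignment of option $1
# found under the remaining arguments (files or directories).
find_openssl_option() {
    fo_opt=$1; shift
    # -R rather than -r: also follow symlinks met during recursion, since
    # config files under /etc may be symlinks to content stored elsewhere.
    grep -RHnE "^[[:space:]]*${fo_opt}[[:space:]]*=" "$@" 2>/dev/null |
        sed -E 's/^([^:]+:[0-9]+):[^=]*=[[:space:]]*([^#[:space:]]*).*/\1:\2/' |
        sort -u
}

# Print the targets of ".include" directives in config file $1, so files
# pulled in from outside the searched directories are checked as well.
list_includes() {
    sed -nE 's/^[[:space:]]*\.include[[:space:]]*=?[[:space:]]*([^#[:space:]]+).*/\1/p' "$1" 2>/dev/null
}

# Versions the maintainer asked for, plus the TLS libraries nginx links to.
report_versions() {
    if command -v rpm >/dev/null 2>&1; then rpm -q nginx openssl-quic-libs || true; fi
    rv_bin=$(command -v nginx) || return 0
    ldd "$rv_bin" | grep -E 'lib(ssl|crypto)' || true
}

main() {
    m_opt=rh-allow-sha1-signatures
    # Assumed default locations on EL9; pass other paths as arguments.
    [ $# -gt 0 ] || set -- /etc/pki/tls /etc/crypto-policies
    m_hits=$(find_openssl_option "$m_opt" "$@" $(list_includes /etc/pki/tls/openssl.cnf))
    if [ -n "$m_hits" ]; then echo "$m_hits"; else echo "$m_opt not set under: $*"; fi
    report_versions
}

main "$@"
```

The ldd lines show whether nginx loads the separately installed OpenSSL+QUIC libraries or the system ones, which the `openssl version` command alone does not reveal.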
