AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0
25.46k stars 1.83k forks

Build on Fedora 36 (aka without "--openssl-legacy-provider" ) #4595

Open waby38b opened 2 years ago

waby38b commented 2 years ago

I've just tried to build AdGuardHome with the latest release (v0.108.0-b.7 or master as of today) on Fedora 36 on x86_64 and it seems to fail due to an OpenSSL compatibility issue(?)

Prerequisites

Fedora 36 / x86_64 up-to-date as of today

- nodejs v16.14.0
- golang v1.18.2
- openssl v3.0.2
- npm v8.3.1
- yarn v1.22.17
- (...) <= feel free to ask more!

Issue Details

Expected Behavior

build without failure

Actual Behavior

failed to build due to openssl issue(?)

```
ja@fedora ~/GIT/AdGuardHome ((v0.108.0-b.7)) $ make
npm --prefix client --quiet --no-progress --ignore-engines --ignore-optional --ignore-platform --ignore-scripts ci
npm WARN old lockfile
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile
npm WARN deprecated ini@1.3.5: Please update to ini >=1.3.6 to avoid a prototype pollution issue
npm WARN deprecated request-promise-native@1.0.8: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated @stylelint/postcss-markdown@0.36.1: Use the original unforked package instead: postcss-markdown
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated har-validator@5.1.3: this library is no longer supported
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated source-map-url@0.4.0: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated sane@4.1.0: some dependency vulnerabilities fixed, support for node < 10 dropped, and newer ECMAScript syntax/features added
npm WARN deprecated debug@3.2.6: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated debug@3.2.6: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated eslint-loader@4.0.2: This loader has been deprecated. Please use eslint-webpack-plugin
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated babel-eslint@10.1.0: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated axios@0.19.2: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410
npm WARN deprecated popper.js@1.16.1: You can find the new Popper v2 at @popperjs/core, this package is dedicated to the legacy v1
npm WARN deprecated core-js@1.2.7: core-js@<3.4 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.

added 1841 packages, and audited 1842 packages in 46s

121 packages are looking for funding
  run `npm fund` for details

59 vulnerabilities (10 low, 17 moderate, 27 high, 5 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
yarnpkg --cwd client2 --network-timeout 120000 --silent --ignore-engines --ignore-optional --ignore-platform --ignore-scripts install
warning "recharts > react-resize-detector@5.2.0" has incorrect peer dependency "react@^16.0.0".
warning "recharts > react-resize-detector@5.2.0" has incorrect peer dependency "react-dom@^16.0.0".
warning "recharts > react-smooth@1.0.6" has incorrect peer dependency "react@^15.0.0 || ^16.0.0".
warning "recharts > react-smooth@1.0.6" has incorrect peer dependency "react-dom@^15.0.0 || ^16.0.0".
warning "eslint-config-airbnb-typescript > eslint-config-airbnb@18.2.0" has unmet peer dependency "eslint-plugin-jsx-a11y@^6.3.0".
warning " > less-loader@5.0.0" has incorrect peer dependency "webpack@^2.0.0 || ^3.0.0 || ^4.0.0".
warning " > optimize-css-assets-webpack-plugin@5.0.4" has incorrect peer dependency "webpack@^4.0.0".
warning Ignored scripts due to flag.
env COMMIT='$( git rev-parse --short HEAD )' CHANNEL='development' GPG_KEY='devteam@adguard.com' GPG_KEY_PASSPHRASE='not-a-real-password' DIST_DIR='dist' GO="${GO:-go}" GOPROXY='https://goproxy.cn|https://proxy.golang.org|direct' GOSUMDB='sum.golang.google.cn' PATH="${PWD}/bin:$( "${GO:-go}" env GOPATH )/bin:${PATH}" RACE='0' SIGN='1' V1API='0' VERBOSE='0' VERSION='v0.0.0' "/bin/sh" ./scripts/make/go-deps.sh
npm --prefix client run build-prod

> dashboard@0.1.0 build-prod
> cross-env BUILD_ENV=prod webpack --config webpack.prod.js

Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:67:19)
    at Object.createHash (node:crypto:130:10)
    at module.exports (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/util/createHash.js:135:53)
    at NormalModule._initBuildHash (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:417:16)
    at handleParseError (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:471:10)
    at /home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:503:5
    at /home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:358:12
    at /home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:373:3
    at iterateNormalLoaders (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:214:10)
    at iterateNormalLoaders (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:221:10)
    at /home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:236:3
    at runSyncOrAsync (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:130:11)
    at iterateNormalLoaders (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:232:2)
    at Array. (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:205:4)
    at Storage.finished (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/node_modules/enhanced-resolve/lib/CachedInputFileSystem.js:55:16)
    at /home/ja/GIT/AdGuardHome/client/node_modules/webpack/node_modules/enhanced-resolve/lib/CachedInputFileSystem.js:91:9
    at /home/ja/GIT/AdGuardHome/client/node_modules/graceful-fs/graceful-fs.js:123:16
    at FSReqCallback.readFileAfterClose [as oncomplete] (node:internal/fs/read_file_context:68:3)
Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:67:19)
    at Object.createHash (node:crypto:130:10)
    at module.exports (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/util/createHash.js:135:53)
    at NormalModule._initBuildHash (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:417:16)
    at handleParseError (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:471:10)
    at /home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:503:5
    at /home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:358:12
    at /home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:373:3
    at iterateNormalLoaders (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:214:10)
    at iterateNormalLoaders (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:221:10)
    at /home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:236:3
    at runSyncOrAsync (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:130:11)
    at iterateNormalLoaders (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:232:2)
    at Array. (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:205:4)
    at Storage.finished (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/node_modules/enhanced-resolve/lib/CachedInputFileSystem.js:55:16)
    at /home/ja/GIT/AdGuardHome/client/node_modules/webpack/node_modules/enhanced-resolve/lib/CachedInputFileSystem.js:91:9
    at /home/ja/GIT/AdGuardHome/client/node_modules/graceful-fs/graceful-fs.js:123:16
    at FSReqCallback.readFileAfterClose [as oncomplete] (node:internal/fs/read_file_context:68:3)
Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:67:19)
    at Object.createHash (node:crypto:130:10)
    at module.exports (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/util/createHash.js:135:53)
    at NormalModule._initBuildHash (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:417:16)
    at handleParseError (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:471:10)
    at /home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:503:5
    at /home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:358:12
    at /home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:373:3
    at iterateNormalLoaders (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:214:10)
    at iterateNormalLoaders (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:221:10)
    at /home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:236:3
    at runSyncOrAsync (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:130:11)
    at iterateNormalLoaders (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:232:2)
    at Array. (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:205:4)
    at Storage.finished (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/node_modules/enhanced-resolve/lib/CachedInputFileSystem.js:55:16)
    at /home/ja/GIT/AdGuardHome/client/node_modules/webpack/node_modules/enhanced-resolve/lib/CachedInputFileSystem.js:91:9
    at /home/ja/GIT/AdGuardHome/client/node_modules/graceful-fs/graceful-fs.js:123:16
    at FSReqCallback.readFileAfterClose [as oncomplete] (node:internal/fs/read_file_context:68:3)
node:internal/crypto/hash:67
  this[kHandle] = new _Hash(algorithm, xofLen);
                  ^

Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:67:19)
    at Object.createHash (node:crypto:130:10)
    at module.exports (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/util/createHash.js:135:53)
    at NormalModule._initBuildHash (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:417:16)
    at /home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:452:10
    at /home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:323:13
    at /home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:367:11
    at /home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:233:18
    at context.callback (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:111:13)
    at /home/ja/GIT/AdGuardHome/client/node_modules/babel-loader/lib/index.js:59:103 {
  opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
  library: 'digital envelope routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_EVP_UNSUPPORTED'
}
make: *** [Makefile:95 : js-build] Erreur 1
```

As a workaround described [here](https://stackoverflow.com/questions/69692842/error-message-error0308010cdigital-envelope-routinesunsupported), I've tried to force the --openssl-legacy-provider NODE_OPTION flags

```
ja@fedora ~/GIT/AdGuardHome ((v0.108.0-b.7)) $ export NODE_OPTIONS=--openssl-legacy-provider
ja@fedora ~/GIT/AdGuardHome ((v0.108.0-b.7)) $ make
npm --prefix client --quiet --no-progress --ignore-engines --ignore-optional --ignore-platform --ignore-scripts ci
/usr/bin/node: --openssl-legacy-provider is not allowed in NODE_OPTIONS
make: *** [Makefile:98 : js-deps] Erreur 9
```

but it seems not supported / disabled by Fedora.... Any tips to fix this issue?

shacky commented 2 years ago

Fedora 36 uses openssl 3.0, so it won't work with stock nodejs. You have to uninstall it:

sudo dnf remove nodejs npm

Install nvm as your user and install nodejs LTS with it:

nvm install --lts
nvm alias default "lts/*"

aydewa commented 2 years ago

Thanks @shacky. It works!

waby38b commented 2 years ago

Thanks @shacky. It helped me a bit to understand where to check. Now it's a bit better!

In fact, it seems that Fedora 36 (which comes with openssl3) uses nodejs v16.14.0, which does not (yet!) provide the --openssl-legacy-provider flag. Looking at the src, it seems that nodejs v16.15.0 is coming, but still with no --openssl-legacy-provider flag.

I found this pull request from the nodejs project which backports the --openssl-legacy-provider flag into node v16.x. Unfortunately, this is not yet merged into the stable 16.x series.... Anyway, I've rebuilt nodejs-16.15.0-3.fc36.src, adding this patch: 0003-Improve-legacy-openssl.patch.zip. Here is the modification to the SPEC file to enable this patch:

----8<---------8<---------8<---------8<---------8<----
diff -r -Nup old/nodejs-16.15.0-3.fc36.src/nodejs.spec new/nodejs-16.15.0-3.fc36.src/nodejs.spec
--- old/nodejs-16.15.0-3.fc36.src/nodejs.spec   2022-05-06 15:19:57.000000000 +0200
+++ new/nodejs-16.15.0-3.fc36.src/nodejs.spec   2022-06-03 23:33:46.000000000 +0200
@@ -154,6 +154,7 @@ Patch1: 0001-Disable-running-gyp-on-shar

 # Patch to install both node and libnode.so, using the correct libdir
 Patch2: 0002-Install-both-binaries-and-use-libdir.patch
+Patch3: 0003-Improve-legacy-openssl.patch

 BuildRequires: make
 BuildRequires: python%{python3_pkgversion}-devel
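Review bot: the added `Patch3: 0003-Improve-legacy-openssl.patch` line has no comment above it, while `Patch2` directly before it is documented; add a line saying that it backports the `--openssl-legacy-provider` option and where the patch comes from, so it can be dropped once the distro's Node.js carries the option. The diff changes nothing else in the spec, so the rebuilt packages keep the stock name `nodejs-16.15.0-3.fc36` and cannot be told apart from the distro build; bump `Release` or add a local suffix. The hunk only declares the patch, so confirm that the spec's prep step applies every declared patch, otherwise the new line has no effect.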

----8<---------8<---------8<---------8<---------8<----

This generates some new RPMs, so I updated my build fs (mock in my case):

nodejs-16.15.0-3.fc36.x86_64.rpm
nodejs-debuginfo-16.15.0-3.fc36.x86_64.rpm
nodejs-debugsource-16.15.0-3.fc36.x86_64.rpm
nodejs-devel-16.15.0-3.fc36.x86_64.rpm
nodejs-docs-16.15.0-3.fc36.noarch.rpm
nodejs-full-i18n-16.15.0-3.fc36.x86_64.rpm
nodejs-libs-16.15.0-3.fc36.x86_64.rpm
nodejs-libs-debuginfo-16.15.0-3.fc36.x86_64.rpm
npm-8.5.5-1.16.15.0.3.fc36.x86_64.rpm
v8-devel-9.4.146.24-1.16.15.0.3.fc36.x86_64.rpm

I also needed to edit /etc/ssl/openssl.cnf (the openssl configuration) to enable the legacy provider (it was disabled by default):

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

After that, I'm able to build again without errors !!!

export NODE_OPTIONS=--openssl-legacy-provider
make

Now, the main question is: is it something nice to enable the legacy provider? (quote from /etc/ssl/openssl.cnf)

# Loading the legacy provider enables support for the following algorithms:
# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
# Key Derivation Function (KDF): PBKDF1
# In general it is not recommended to use the above mentioned algorithms for
# security critical operations, as they are cryptographically weak or vulnerable
# to side-channel attacks and as such have been deprecated.

I do not know which one you are using, but maybe it is something to replace? => distros other than Fedora will also switch to openssl3 sooner or later....
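One way to check whether a given openssl.cnf activates the legacy provider, as the edit in the comment above does, so the setting can be confirmed on the build root and confirmed absent elsewhere (an added example, not part of the original thread or of AdGuardHome). The `STOCK_CNF` sample is constructed, the function names are hypothetical, and any `activate` line is counted without interpreting its value.

```javascript
'use strict';

// Minimal reader for the openssl.cnf subset used here:
// [section] headers, key = value pairs and # comments.
function parseCnf(text) {
  const sections = {};
  let current = '';
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, '').trim();
    if (!line) continue;
    const header = line.match(/^\[\s*(.+?)\s*\]$/);
    if (header) {
      current = header[1];
      sections[current] = sections[current] || {};
      continue;
    }
    const eq = line.indexOf('=');
    if (eq > 0) {
      sections[current] = sections[current] || {};
      sections[current][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
    }
  }
  return sections;
}

// Providers listed in [provider_sect] whose own section has an `activate` key.
// Conservative on purpose: the value of `activate` is not interpreted.
function activeProviders(text, listSection = 'provider_sect') {
  const sections = parseCnf(text);
  return Object.entries(sections[listSection] || {})
    .filter(([, sect]) => 'activate' in (sections[sect] || {}))
    .map(([name]) => name);
}

function legacyEnabled(text) {
  return activeProviders(text).includes('legacy');
}

// Constructed sample: the legacy lines are present but commented out.
const STOCK_CNF = `
[provider_sect]
default = default_sect
##legacy = legacy_sect

[default_sect]
activate = 1

##[legacy_sect]
##activate = 1
`;

// The edited sections as posted in the comment above.
const EDITED_CNF = `
[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
`;

console.log('stock :', activeProviders(STOCK_CNF), legacyEnabled(STOCK_CNF));
console.log('edited:', activeProviders(EDITED_CNF), legacyEnabled(EDITED_CNF));
```

To audit a real host, pass the contents of its openssl.cnf to `legacyEnabled` instead of the embedded samples.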

tkosci commented 2 years ago

> Fedora 36 uses openssl 3.0, so it won't work with stock nodejs. You have to uninstall it:
>
> sudo dnf remove nodejs npm
>
> Install nvm as your user and install nodejs LTS with it:
>
> nvm install --lts
> nvm alias default "lts/*"

Thanks @shacky, this fixed the issue for me as well.

Is this issue still active? Can it be resolved using @shacky's answer?

aydewa commented 2 years ago

For me, @shacky's answer solved the issue. Thanks again.

waby38b commented 2 years ago

The issue is now understood, BUT the question is still there for OpenSSL3 usage....

And second point, even if @shacky's workaround is working, it's still "better" to rely on the distro components.... Fedora 36 is using both OpenSSL3 & NodeJS 16.04, so it's better to use them... (to avoid code duplication in memory) ...other distros will switch to these components sooner or later....

I have a (personal) repo for armv7 which provides AdGuardHome with patched NodeJS (Fedora 35 & 36).

You can recompile these packages for other arches if you want: nodejs-16.14.0-3.fc36.src.rpm, AdGuardHome-0.107.8-1.fc36.src.rpm

peterneutron commented 1 year ago

@Blakhard @waby38b Bumping this issue as it still persists. Seems like this is related to the use of an old webpack version. See related issue at https://github.com/webpack/webpack/issues/14532
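To see which of the legacy-provider digests the Node.js binary doing the build can actually use, and to reproduce the `createHash` failure without running the whole webpack build, here is an added example (not code from AdGuardHome, webpack or this thread). Treating MD4 as the digest the old webpack asks for is an assumption (it is the default `output.hashFunction` of webpack 4), and `contentHash` is a hypothetical helper that falls back to SHA-256.

```javascript
'use strict';
const crypto = require('crypto');

// Digests that the openssl.cnf comment quoted earlier in the thread places in
// the legacy provider, spelled the way Node's crypto module names them.
const LEGACY_DIGESTS = ['md2', 'md4', 'mdc2', 'whirlpool', 'ripemd160'];

// Try to create and finish a hash. Returns 'ok', or the error code (for
// example ERR_OSSL_EVP_UNSUPPORTED) or message when the runtime refuses.
function digestStatus(name) {
  try {
    crypto.createHash(name).update('probe').digest();
    return 'ok';
  } catch (err) {
    return err.code || err.message;
  }
}

// Status of every digest in `names` for the Node.js binary running this file.
function probeDigests(names = LEGACY_DIGESTS) {
  return Object.fromEntries(names.map((n) => [n, digestStatus(n)]));
}

// Content hash for build artifacts (chunk names, cache keys), not a security
// control. Uses `preferred` when the runtime offers it, otherwise `fallback`,
// and reports which one was used so the choice is visible in build logs.
function contentHash(data, preferred = 'md4', fallback = 'sha256') {
  const algorithm = digestStatus(preferred) === 'ok' ? preferred : fallback;
  const hex = crypto.createHash(algorithm).update(data).digest('hex');
  return { algorithm, hex };
}

console.log('OpenSSL linked into this Node.js:', process.versions.openssl);
console.log(probeDigests());
console.log(contentHash('abc'));
```

If `md4` reports `ok` only when `NODE_OPTIONS=--openssl-legacy-provider` is set, the build is the only consumer of the legacy provider on that machine.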

ainar-g commented 1 year ago

@waby38b, we've recently updated the frontend build, including switching to Node.JS 16. Is this issue still occurring?

waby38b commented 1 year ago

> @waby38b, we've recently updated the frontend build, including switching to Node.JS 16. Is this issue still occurring?

Hi, and thanks for coming back to this topic! In fact I (for now) always use the workaround with "NODE_OPTIONS=--openssl-legacy-provider"... And many people (like WRT) on the web seem to do the same....

Anyway, I just tried to build the latest branch "release-v0.107.39" again on my Fedora 38 and I got the same error (without NODE_OPTIONS=--openssl-legacy-provider) => Error: error:0308010C:digital envelope routines::unsupported

Enabling legacy in /etc/ssl/openssl.cnf & building with NODE_OPTIONS=--openssl-legacy-provider still fixes the issue....

Fedora 38 components:

- nodejs-18.18.0-1.fc38.x86_64
- golang-1.20.8-1.fc38.x86_64
- openssl-3.0.9-2.fc38.x86_64

Edit: Another point

Enabling legacy in /etc/ssl/openssl.cnf is just required during build, but not for execution...