A simple guide to installing the current version of the OpenSSL utility on Ubuntu Linux

Being over 25 years old, OpenSSL can be found on just about any system you work with today; but this does not imply that the version installed is current (or even close).

During its life, there have been many instances where OpenSSL has been in the news, where some new vulnerability has being discovered, and quickly after, patched.

The Swiss Army Knive of SSL Certificate’s, this is a tool that everyone should have at least used once in their administrative duties.

To check if OpenSSL is on your system, and more importantly, the version installed, we can use the following simple command.

openssl version

In my case “OpenSSL 1.1.1 ” was the result.

Installing the Current Release

We will go directly to the OpenSSL.org source, and download the current stable version, which at the time of writing is now openssl-1.1.1k and save it into ~/Downloads directory:

cd ~/Downloads
wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz

Create Working Folder

We will install the new version at /opt/openssl. To do that we need to create and change directory

sudo mkdir /opt/openssl
cd /opt/openssl

Extract the downloaded compressed file into this directory:

sudo tar xfzv ~/Downloads/openssl-1.1.1k.tar.gz --directory /opt/openssl
cd /opt/openssl

Configure the Build

Before we proceed to compile the utility, we first must set some of the configuration settings, which will be used to let OpenSSL know where it is to be installed, and what folder it can use for its working space.

The is quite trivial, as we use the provide config script and pass in the parameters required. We are running this with sudo to ensure the script can check the system for dependencies and create any folders necessary.

The folders I will be using for the installation include /opt/openssl as the home directory and /opt/openssl/ssl as the directory where OpenSSL will store certificates and private keys.

sudo ./config --prefix=/opt/openssl --openssldir=/opt/openssl/ssl 

Building and Installing OpenSSL

With the configuration complete, we now can use the Makefile which has just being customized, to build, and then install the new version of OpenSSL. Depending on the speed of your system this can take some time to complete.

sudo make 
sudo make install

Congratulations, OpenSSL current version is installed.

Multiple Instances

Wait - we do have a small issue. Right now there are two installations of OpenSSL on your system:

• The original installation
• and this New Current release we built from source.

Swapping the Binaries

I won’t delete the original version, instead I will simply rename it to openssl.old, keeping this in the original installation path location.

sudo mv /usr/bin/openssl /usr/bin/openssl.old 

In the literature there are references to applications that expect openssl to be at the original directory. To maintain compatibility, and avoiding the need to alter the environment variable PATH, we will create a symbolic link /usr/bin/openssl pointing to /opt/openssl/bin/openssl

sudo ln -s /opt/openssl/bin/openssl /usr/bin/openssl
ls -lisah /usr/bin/openssl

The ls command above, just offers up a view to ensure that the symbolic link was established from the original path to our new installation.

Setting the Module

OpenSSL is a dependency for a lot of different applications, therefore we should complete the installation, by updating the module library configuration to ensure any application we deploy will find and use this release.

Modify the module loader configuration in /etc/ld.so.conf.d/openssl.conf, open the file and edit it using vi /etc/ld.so.conf.d/openssl.conf so that it reads as follows

/opt/openssl/lib

Now, reload the modules

sudo ldconfig 

Sanity Check

And finally, we can verify that everything is correct

which openssl
openssl version
openssl

Clean up

Reboot your system to make things permanent and execute the last three commands again, targeting, obviously, the same outcome.

By now you have OpenSSL new version installed and working correctly. But if you try to download any of the previous files, for instance openssl-1.1.1k.tar.gz, you will get the following error:

This error is to be expected. The Certificate Authority “Let’s Encrypt Authority X3” that issued the server certificate is not in OpenSSL certificate and private key directory /opt/openssl/ssl. If this is the desired behavior skip what follows and you have OpenSSL 1.1.1k completely installed.

If this is not your desired behavior, you have two options

1. Copy all certificates in /etc/ssl/certs/ to /opt/openssl/ssl/certs
2. Make /opt/openssl/ssl/certs a symbolic link pointing /etc/ssl/certs/ files (preferred).

To Implement the preferred approach, issue the following command

sudo ln -s /etc/ssl/certs/. /opt/openssl/ssl/certs/