Build on Fedora 36 (aka without "--openssl-legacy-provider" )

[waby38b]

I've just try to build AdGuardHome with latest release ( v0.108.0-b.7 or master as of today) of Fedora 36 on x86_64
and it seem to failed due to OpenSSL compatibility issue(?)

Prerequisites

Fedora 36 / x86_64 up-to-date as of today
nodejs v16.14.0
golang v1.18.2
openssl v3.0.2
npm v8.3.1
yarn v1.22.17
(...) <= feel free to ask more!

Issue Details

• Version of AdGuard Home server:
  • Using git tag v0.108.0-b.7 or master as of today
• How did you install AdGuard Home:
  • Built from source
• CPU architecture:
  • x86_64
• Operating system and version:
  • Fedora 36 x86_64

Expected Behavior

build without failure

Actual Behavior

failed to build due to openssl issue(?)

ja@fedora ~/GIT/AdGuardHome ((v0.108.0-b.7))
$ make
npm --prefix client --quiet --no-progress --ignore-engines --ignore-optional --ignore-platform --ignore-scripts ci
npm WARN old lockfile 
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile 
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile 
npm WARN deprecated ini@1.3.5: Please update to ini >=1.3.6 to avoid a prototype pollution issue
npm WARN deprecated request-promise-native@1.0.8: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated @stylelint/postcss-markdown@0.36.1: Use the original unforked package instead: postcss-markdown
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated har-validator@5.1.3: this library is no longer supported
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated source-map-url@0.4.0: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated sane@4.1.0: some dependency vulnerabilities fixed, support for node < 10 dropped, and newer ECMAScript syntax/features added
npm WARN deprecated debug@3.2.6: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated debug@3.2.6: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated eslint-loader@4.0.2: This loader has been deprecated. Please use eslint-webpack-plugin
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated babel-eslint@10.1.0: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated axios@0.19.2: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410
npm WARN deprecated popper.js@1.16.1: You can find the new Popper v2 at @popperjs/core, this package is dedicated to the legacy v1
npm WARN deprecated core-js@1.2.7: core-js@<3.4 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.

added 1841 packages, and audited 1842 packages in 46s

121 packages are looking for funding
  run `npm fund` for details

59 vulnerabilities (10 low, 17 moderate, 27 high, 5 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
yarnpkg --cwd client2 --network-timeout 120000 --silent --ignore-engines --ignore-optional --ignore-platform --ignore-scripts install
warning "recharts > react-resize-detector@5.2.0" has incorrect peer dependency "react@^16.0.0".
warning "recharts > react-resize-detector@5.2.0" has incorrect peer dependency "react-dom@^16.0.0".
warning "recharts > react-smooth@1.0.6" has incorrect peer dependency "react@^15.0.0 || ^16.0.0".
warning "recharts > react-smooth@1.0.6" has incorrect peer dependency "react-dom@^15.0.0 || ^16.0.0".
warning "eslint-config-airbnb-typescript > eslint-config-airbnb@18.2.0" has unmet peer dependency "eslint-plugin-jsx-a11y@^6.3.0".
warning " > less-loader@5.0.0" has incorrect peer dependency "webpack@^2.0.0 || ^3.0.0 || ^4.0.0".
warning " > optimize-css-assets-webpack-plugin@5.0.4" has incorrect peer dependency "webpack@^4.0.0".
warning Ignored scripts due to flag.
env COMMIT='$( git rev-parse --short HEAD )' CHANNEL='development' GPG_KEY='devteam@adguard.com' GPG_KEY_PASSPHRASE='not-a-real-password' DIST_DIR='dist' GO="${GO:-go}" GOPROXY='https://goproxy.cn|https://proxy.golang.org|direct' GOSUMDB='sum.golang.google.cn' PATH="${PWD}/bin:$( "${GO:-go}" env GOPATH )/bin:${PATH}" RACE='0' SIGN='1' V1API='0' VERBOSE='0' VERSION='v0.0.0'  "/bin/sh" ./scripts/make/go-deps.sh
npm --prefix client run build-prod

> dashboard@0.1.0 build-prod
> cross-env BUILD_ENV=prod webpack --config webpack.prod.js

Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:67:19)
    at Object.createHash (node:crypto:130:10)
    at module.exports (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/util/createHash.js:135:53)
    at NormalModule._initBuildHash (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:417:16)
    at handleParseError (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:471:10)
    at /home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:503:5
    at /home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:358:12
    at /home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:373:3
    at iterateNormalLoaders (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:214:10)
    at iterateNormalLoaders (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:221:10)
    at /home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:236:3
    at runSyncOrAsync (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:130:11)
    at iterateNormalLoaders (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:232:2)
    at Array.<anonymous> (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:205:4)
    at Storage.finished (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/node_modules/enhanced-resolve/lib/CachedInputFileSystem.js:55:16)
    at /home/ja/GIT/AdGuardHome/client/node_modules/webpack/node_modules/enhanced-resolve/lib/CachedInputFileSystem.js:91:9
    at /home/ja/GIT/AdGuardHome/client/node_modules/graceful-fs/graceful-fs.js:123:16
    at FSReqCallback.readFileAfterClose [as oncomplete] (node:internal/fs/read_file_context:68:3)
Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:67:19)
    at Object.createHash (node:crypto:130:10)
    at module.exports (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/util/createHash.js:135:53)
    at NormalModule._initBuildHash (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:417:16)
    at handleParseError (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:471:10)
    at /home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:503:5
    at /home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:358:12
    at /home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:373:3
    at iterateNormalLoaders (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:214:10)
    at iterateNormalLoaders (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:221:10)
    at /home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:236:3
    at runSyncOrAsync (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:130:11)
    at iterateNormalLoaders (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:232:2)
    at Array.<anonymous> (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:205:4)
    at Storage.finished (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/node_modules/enhanced-resolve/lib/CachedInputFileSystem.js:55:16)
    at /home/ja/GIT/AdGuardHome/client/node_modules/webpack/node_modules/enhanced-resolve/lib/CachedInputFileSystem.js:91:9
    at /home/ja/GIT/AdGuardHome/client/node_modules/graceful-fs/graceful-fs.js:123:16
    at FSReqCallback.readFileAfterClose [as oncomplete] (node:internal/fs/read_file_context:68:3)
Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:67:19)
    at Object.createHash (node:crypto:130:10)
    at module.exports (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/util/createHash.js:135:53)
    at NormalModule._initBuildHash (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:417:16)
    at handleParseError (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:471:10)
    at /home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:503:5
    at /home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:358:12
    at /home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:373:3
    at iterateNormalLoaders (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:214:10)
    at iterateNormalLoaders (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:221:10)
    at /home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:236:3
    at runSyncOrAsync (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:130:11)
    at iterateNormalLoaders (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:232:2)
    at Array.<anonymous> (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:205:4)
    at Storage.finished (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/node_modules/enhanced-resolve/lib/CachedInputFileSystem.js:55:16)
    at /home/ja/GIT/AdGuardHome/client/node_modules/webpack/node_modules/enhanced-resolve/lib/CachedInputFileSystem.js:91:9
    at /home/ja/GIT/AdGuardHome/client/node_modules/graceful-fs/graceful-fs.js:123:16
    at FSReqCallback.readFileAfterClose [as oncomplete] (node:internal/fs/read_file_context:68:3)
node:internal/crypto/hash:67
  this[kHandle] = new _Hash(algorithm, xofLen);
                  ^

Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:67:19)
    at Object.createHash (node:crypto:130:10)
    at module.exports (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/util/createHash.js:135:53)
    at NormalModule._initBuildHash (/home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:417:16)
    at /home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:452:10
    at /home/ja/GIT/AdGuardHome/client/node_modules/webpack/lib/NormalModule.js:323:13
    at /home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:367:11
    at /home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:233:18
    at context.callback (/home/ja/GIT/AdGuardHome/client/node_modules/loader-runner/lib/LoaderRunner.js:111:13)
    at /home/ja/GIT/AdGuardHome/client/node_modules/babel-loader/lib/index.js:59:103 {
  opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
  library: 'digital envelope routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_EVP_UNSUPPORTED'
}
make: *** [Makefile:95 : js-build] Erreur 1

as a workarround describe here, I've try to force --openssl-legacy-provider NODE_OPTION flags

ja@fedora ~/GIT/AdGuardHome ((v0.108.0-b.7))
$ export NODE_OPTIONS=--openssl-legacy-provider

ja@fedora ~/GIT/AdGuardHome ((v0.108.0-b.7))
$ make
npm --prefix client --quiet --no-progress --ignore-engines --ignore-optional --ignore-platform --ignore-scripts ci
/usr/bin/node: --openssl-legacy-provider is not allowed in NODE_OPTIONS
make: *** [Makefile:98 : js-deps] Erreur 9

but, seem not supported / disabled by Fedora ....

Any tips to fix this issue?

[shacky]

Fedora 36 uses openssl 3.0, so it won't work with stock nodejs.
You have to uninstall it:
sudo dnf remove nodejs npm

Install nvm as your user and install nodejs LTS with it:
nvm install --lts
nvm alias default "lts/*"

[aydewa]

Thanks @shacky. It works!

[waby38b]

Thanks @shacky
It help me a bit to understand where to check. Now it's a bit better!

In fact, seem that Fedora 36 (which come with openssl3) use nodejs v16.14.0
which not (yet!) provide --openssl-legacy-provider flags
Looking at src , seem that nodejs v 16.15.0 is coming, but still no --openssl-legacy-provider flags

I found this pull request from nodejs project which backport --openssl-legacy-provider flags into node v16.x.
Unfortunatly, this is not yet merge into stable 16.x series....
Anyway, I've rebuild nodejs-16.15.0-3.fc36.src adding this patch
0003-Improve-legacy-openssl.patch.zip
Here modification to SPEC file to enable this patch

----8<---------8<---------8<---------8<---------8<----
diff -r -Nup old/nodejs-16.15.0-3.fc36.src/nodejs.spec new/nodejs-16.15.0-3.fc36.src/nodejs.spec
--- old/nodejs-16.15.0-3.fc36.src/nodejs.spec	2022-05-06 15:19:57.000000000 +0200
+++ new/nodejs-16.15.0-3.fc36.src/nodejs.spec	2022-06-03 23:33:46.000000000 +0200
@@ -154,6 +154,7 @@ Patch1: 0001-Disable-running-gyp-on-shar
 
 # Patch to install both node and libnode.so, using the correct libdir
 Patch2: 0002-Install-both-binaries-and-use-libdir.patch
+Patch3: 0003-Improve-legacy-openssl.patch
 
 BuildRequires: make
 BuildRequires: python%{python3_pkgversion}-devel

----8<---------8<---------8<---------8<---------8<----

This generate some new RPMS, So I update my build fs (mock in my case)

nodejs-16.15.0-3.fc36.x86_64.rpm
nodejs-debuginfo-16.15.0-3.fc36.x86_64.rpm
nodejs-debugsource-16.15.0-3.fc36.x86_64.rpm
nodejs-devel-16.15.0-3.fc36.x86_64.rpm
nodejs-docs-16.15.0-3.fc36.noarch.rpm
nodejs-full-i18n-16.15.0-3.fc36.x86_64.rpm
nodejs-libs-16.15.0-3.fc36.x86_64.rpm
nodejs-libs-debuginfo-16.15.0-3.fc36.x86_64.rpm
npm-8.5.5-1.16.15.0.3.fc36.x86_64.rpm
v8-devel-9.4.146.24-1.16.15.0.3.fc36.x86_64.rpm

I also need to edit /etc/ssl/openssl.cnf (openssl configuration) to enable legacy provider (was disabled by default)

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

After that, I'm able to build again without errors !!!

export NODE_OPTIONS=--openssl-legacy-provider
make

Now, the main question is:
It's it something nice to enable legacy provider ? (quote from /etc/ssl/openssl.cnf )

# Loading the legacy provider enables support for the following algorithms:
# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
# Key Derivation Function (KDF): PBKDF1
# In general it is not recommended to use the above mentioned algorithms for
# security critical operations, as they are cryptographically weak or vulnerable
# to side-channel attacks and as such have been deprecated.

I do not know which one you are using , but maybe something to replace ?
=> other distro than Fedora will also switch to openssl3 soon or later....

[tkosci]

Fedora 36 uses openssl 3.0, so it won't work with stock nodejs. You have to uninstall it: sudo dnf remove nodejs npm

Install nvm as your user and install nodejs LTS with it: nvm install --lts nvm alias default "lts/*"

Thanks @shacky, this fixed the issue for me as well.

Is this issue still active? Can it be resolved using @shacky's answer?

[aydewa]

For me, @shacky 's answer solved the issue. Thanks again

[waby38b]

Issue is now understand, BUT question still there for OpenSSL3 usage....

• which component of AdGuardHome is using legacy (aka not recommanded) crypto algorithms?

And second point, even if @shacky workarround is working, it's still "better" to rely on the distro component....
Fedora 36 is using both OpenSSL3 & NodeJS 16.04, so it's better to use it... (to avoid duplication code in memory)
...others distro will switch to these component soon or later....

I have a (personnal) repo for armv7 which provide AdGuardHome with patched NodeJS (Fedora 35 & 36)

You can recompile these package for other arch if you want
nodejs-16.14.0-3.fc36.src.rpm
AdGuardHome-0.107.8-1.fc36.src.rpm

[peterneutron]

@Blakhard @waby38b Bumping this issue as it still persists. Seems like this is related to the use of an old webpack version. See related issue at webpack/webpack#14532

[ainar-g]

@waby38b, we've recently updated the frontend build, including switching to Node.JS 16. Is this issue still occurring?

[waby38b]

@waby38b, we've recently updated the frontend build, including switching to Node.JS 16. Is this issue still occurring?

Hi, and thx to back to this topic ! In fact I (for now) alway use workarround with "NODE_OPTIONS=--openssl-legacy-provider"... And many peoples (like WRT) on the web seem to do the same....

Anyway, I just try to build again latest branch "release-v0.107.39" on my Fedora 38
and I go same error (without NODE_OPTIONS=--openssl-legacy-provider )
=> Error: error:0308010C:digital envelope routines::unsupported

Enabling legacy in /etc/ssl/openssl.cnf & build with NODE_OPTIONS=--openssl-legacy-provider still fix the issue....

Fedora 38 components:
nodejs-18.18.0-1.fc38.x86_64
golang-1.20.8-1.fc38.x86_64
openssl-3.0.9-2.fc38.x86_64

Edit: Another point

Enabling legacy in /etc/ssl/openssl.cnf is just requiered during build, but not for execution...