Homebrew refusing to link OpenSSL
Solution 1
As the update to the other answer suggests, the workaround of installing the old openssl101 brew will no longer work. For a right-now workaround, see this comment on dotnet/cli#3964.
The most relevant part of the issue copied here:
I looked into the other option that was suggested for setting the rpath on the library. I think the following is a better solution that will only effect this specific library.
sudo install_name_tool -add_rpath /usr/local/opt/openssl/lib /usr/local/share/dotnet/shared/Microsoft.NETCore.App/1.0.0/System.Security.Cryptography.Native.dylib
and/or if you have NETCore 1.0.1 installed perform the same command for 1.0.1 as well:
sudo install_name_tool -add_rpath /usr/local/opt/openssl/lib /usr/local/share/dotnet/shared/Microsoft.NETCore.App/1.0.1/System.Security.Cryptography.Native.dylib
In effect, rather than telling the operating system to always use the homebrew version of SSL and potentially causing something to break, we're telling dotnet how to find the correct library.
Also importantly, it looks like Microsoft are aware of the issue and and have both a) a somewhat immediate plan to mitigate as well as b) a long-term solution (probaby bundling OpenSSL with dotnet).
Another thing to note: /usr/local/opt/openssl/lib
is where the brew is linked by default:
13:22 $ ls -l /usr/local/opt/openssl
lrwxr-xr-x 1 ben admin 26 May 15 14:22 /usr/local/opt/openssl -> ../Cellar/openssl/1.0.2h_1
If for whatever reason you install the brew and link it in a different location, then that path is the one you should use as an rpath.
Once you've update the rpath of the System.Security.Cryptography.Native.dylib libray, you'll need to restart your interactive session (i.e., close your console and start another one).
Solution 2
This is what worked for me:
brew update
brew install openssl
ln -s /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/local/lib/
ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib /usr/local/lib/
ln -s /usr/local/Cellar/openssl/1.0.2j/bin/openssl /usr/local/bin/openssl
Thanks to @dorlandode on this thread https://github.com/Homebrew/brew/pull/597
NB: I only used this as a temporary fix until I could spend time correctly installing Openssl again from scratch. As I remember I spent best part of a day debugging and having issues before I realised the best way was to manually install the certs I needed one by one. Please read the link in @bouke's comment before attempting this.
Solution 3
None of these solutions worked for me on OS X El Capitan 10.11.6. Probably because OS X has a native version of openssl that it believes is superior, and as such, does not like tampering.
So, I took the high road and started fresh...
Manually install and symlink
cd /usr/local/src
-
If you're getting "No such file or directory", make it:
cd /usr/local && mkdir src && cd src
Download openssl:
curl --remote-name https://www.openssl.org/source/openssl-1.0.2h.tar.gz
Extract and cd in:
tar -xzvf openssl-1.0.2h.tar.gz
cd openssl-1.0.2h
Compile and install:
./configure darwin64-x86_64-cc --prefix=/usr/local/openssl-1.0.2h shared
make depend
make
make install
Now symlink OS X's openssl to your new and updated openssl:
ln -s /usr/local/openssl-1.0.2h/bin/openssl /usr/local/bin/openssl
Close terminal, open a new session, and verify OS X is using your new openssl:
openssl version -a
Solution 4
Just execute brew info openssl
and read the information where it says:
If you need to have this software first in your PATH run:
echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' >> ~/.bash_profile
Solution 5
If migrating your mac breaks homebrew:
I migrated my mac, and it unlinked all my homebrew installs - including OpenSSL. This broke gem install
, which is how I first noticed the problem and started trying to repair this.
After a million solutions (when migrating to OSX Sierra - 10.12.5), the solution ended up being comically simple:
brew reinstall ruby
brew reinstall openssl
Edit much later: as Gal Bracha noted in the comments, you ?might? need to delete /usr/local/opt/openssl
before doing the reinstalls, just to be safe. I didn't need to at the time, but if you're still having trouble, give that a try.
Related videos on Youtube
Comments
-
daviddeath almost 2 years
I'm on: OSX 10.11.6, Homebrew version 0.9.9m OpenSSL 0.9.8zg 14 July 2015
I'm trying to play with with dotnetcore and by following their instructions,
I've upgraded/installed the latest version of openssl:
> brew install openssl ==> Downloading https://homebrew.bintray.com/bottles/openssl-1.0.2h_1.el_capitan.bottle.tar.gz Already downloaded: /Users/administrator/Library/Caches/Homebrew/openssl-1.0.2h_1.el_capitan.bottle.tar.gz ==> Pouring openssl-1.0.2h_1.el_capitan.bottle.tar.gz ==> Caveats A CA file has been bootstrapped using certificates from the system keychain. To add additional certificates, place .pem files in /usr/local/etc/openssl/certs and run /usr/local/opt/openssl/bin/c_rehash This formula is keg-only, which means it was not symlinked into /usr/local. Apple has deprecated use of OpenSSL in favor of its own TLS and crypto libraries Generally there are no consequences of this for you. If you build your own software and it requires this formula, you'll need to add to your build variables: LDFLAGS: -L/usr/local/opt/openssl/lib CPPFLAGS: -I/usr/local/opt/openssl/include
But when I try to link openssl I continue to run into this linking error:
> brew link --force openssl Warning: Refusing to link: openssl Linking keg-only OpenSSL means you may end up linking against the insecure, deprecated system version while using the headers from the Homebrew version. Instead, pass the full include/library paths to your compiler e.g.: -I/usr/local/opt/openssl/include -L/usr/local/opt/openssl/lib
The option to include compiler flags doesn't make sense to me, since I'm not compiling these libraries that I'm dependent on.
EDIT dotnetcore has updated their instructions:
brew update brew install openssl ln -s /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib /usr/local/lib/ ln -s /usr/local/opt/openssl/lib/libssl.1.0.0.dylib /usr/local/lib/
-
bartonjs almost 8 yearsFor .NET Core you need a supported version of OpenSSL, which would be a 1.0.1 or 1.0.2 version. Since you're reporting a 0.9.8 version maybe you need to
brew upgrade openssl
first? -
daviddeath almost 8 yearsI've already done that. I should have clarified, but I didn't add those steps to the question. But I've already done the
brew update
andbrew install openssl
. This is trying to install the supported version. -
bartonjs almost 8 yearsLooks like Homebrew has explicitly blocked it: github.com/Homebrew/brew/commit/….
-
bartonjs almost 8 yearsPerhaps using a different HOMEBREW_PREFIX would work; but that's definitely beyond my experience.
-
bartonjs almost 8 yearsAnd.. to continue rounding out my rambling, you might be interested in whatever develops on github.com/Homebrew/brew/pull/597
-
jww almost 8 years"... when I try to link openssl I continue to run into this linking error:.." - Also see How to set the runtime path (-rpath) of an executable with gcc under Mac OSX?. It may help you always load the correct library at runtime, if Brew is not adding it.
-
daviddeath almost 8 years@bartonjs - the linking worked with 1.0.1 version. As per the commit you posted, which was just a few days ago, my guess is that the older versions have a different HOMEBREW_PREFIX. I'm good for now, but in the future I'll try your suggestion of trying a different prefix.
-
Paul Keister over 7 yearsI tried most of the solutions on this page, and none worked. I was however able to get .Net core working with this solution: github.com/dotnet/cli/issues/3964#issuecomment-236485454
-
songololo over 7 years@PaulKeister's link to the github discussion worked for me. Basically just run:
sudo install_name_tool -add_rpath /usr/local/opt/openssl/lib /usr/local/share/dotnet/shared/Microsoft.NETCore.App/1.0.0/System.Security.Cryptography.Native.dylib
-
bfontaine over 7 yearsThe
rpath
solution is better. There’s a reason Homebrew now prevents you from linking OpenSSL; it is a bad idea and may break stuff on your computer. -
rogerdpack over 6 yearsYou should probably put your "dotnetcore has updated their install instructions" into an answer here to your own question :\
-
-
daviddeath almost 8 yearsThis did it! Seems that 1.0.2 didn't want to link. Next question is why does .netcore suggest something that is not recommended in the community.
-
Gustav almost 8 years1.0.2 worked for me on another mac a few days ago, so maybe there is a recent brew or openssl change. Anyway, for dot net core, we are good :)
-
daviddeath almost 8 yearsThe github link posted by @bartonjs shows that brew was updated just a few days ago. Looking at the commit, the change is ` if HOMEBREW_PREFIX.to_s == "/usr/local" && keg.name == "openssl"` so I'm guessing that the 1.0.1 version uses a different HOMEBREW_PREFIX.
-
dark_ruby almost 8 yearsdidn't work for me, still gives error
Refusing to link: openssl101 Linking keg-only openssl101 means you may end up linking against the insecure, deprecated system OpenSSL while using the headers from Homebrew's openssl101. Instead, pass the full include/library paths to your compiler e.g.: -I/usr/local/opt/openssl101/include -L/usr/local/opt/openssl101/lib
-
Joshka over 7 yearsThis answer is no longer correct given the change made by homebrew devs at github.com/Homebrew/brew/pull/612
-
Gerry over 7 yearsThis is awful... don't do this but... vi /usr/local/Library/Homebrew/cmd/link.rb (line 28)
if false &&
. Thenbrew install --force openssl
. Don't do this, I'm likely a terrible person for even suggesting it. -
mcgwier over 7 yearsIf you're trying to install .NET core on OS X you should wrap it in Docker.
-
mrahhal over 7 yearsWhere am I supposed to add that line? I'm trying to get this to work in CI. I'm getting a
/usr/local/share/dotnet/shared/Microsoft.NETCore.App/1.0.0/System.Security.Cryptography.Native.dylib (No such file or directory)
. -
Evan Nagle over 7 years@mrahhal that's the installation path of the
dotnet
tooling. Its possible that you either don't have it installed or you installed or to another location. If its installed and on your part, you could usewhich dotnet
to find it. -
mrahhal over 7 yearsOh, just realized I'm adding this line before installing
dotnet
. Will retry and come back. -
mrahhal over 7 yearsWorked for me, in my case the sdk was installed to a different directory so I had to change the path.
-
AsimRazaKhan over 7 yearsAfter doing all this: OpenSSL 0.9.8zh 14 Jan 2016 built on: May 15 2016 platform: darwin64-x86_64-llvm
-
Mohamed Hafez over 7 yearsis the full path for the last link
/usr/local/bin/openssl
? -
Will Hitchcock over 7 yearsThis is a really simple solution and I was pretty hopeful that it would work for me but no luck here. Even after updating my PATH and restarting my shell session
which openssl
still points to/usr/bin/openssl
-
wukong over 7 yearsWhy this answer is not accepted, you saved my life man. ::thumb up::
-
drtf over 7 yearsFound this one useful for installing pysqlcipher
-
Sagar over 7 yearsUseful for installing
cryptography
. I was missing thePKG_CONFIG_PATH
variable -
Olivier over 7 yearsCreating a symlink in the following way worked for me:
ln -s /usr/local/openssl-1.0.2h/bin/openssl /usr/local/bin/openssl
. After restarting your Terminal session, typewhich openssl
to make sure you are using the updated 1.0.2 version (/usr/local/bin/openssl
) instead of the built-in one (/usr/bin/openssl
). -
Big Tree Energy over 7 yearsIn order to get this working I had to edit my .bash_profile as well. But the only thing that worked was telling it to look in /usr/local/bin instead of /usr/bin. I did this by adding
export PATH=/usr/local/bin:$PATH
-
Chris over 7 yearsI followed these instructions but when I type in which openssl, I get (/opt/local/bin/openssl). How do I get it to be /usr/local/bin/openssl?
-
Onikoroshi over 7 yearsI followed these instructions (thank you so much for the step-by-step), and it still said 0.9.8. Thank you to Olivier for the alternate linking method that worked.
-
Bouke over 7 yearsThere's a good reason brew is refusing to do this. See also this: github.com/Homebrew/brew/pull/597.
-
Bouke over 7 yearsWith dotnet 1.1.0 I had to do:
sudo install_name_tool -add_rpath /usr/local/opt/openssl/lib /usr/local/share/dotnet/shared/Microsoft.NETCore.App/1.1.0/System.Security.Cryptography.Native.OpenSsl.dylib
-
dmerlea over 7 yearsthis one saved me
-
macloo about 7 yearsWhat if
which dotnet
reveals I don't have it? -
Evan Nagle about 7 years@macloo I've heard reports from acquaintances that the installer on macOS sometimes doesn't properly update the path, so you may have it on your file system but unable to use it normally. The other possibility is that you really don't have it, in which case you should install it from dot.net.
-
PanPipes about 7 years
brew info openssl
gave the same helpful information for me. Running the suggested command above and then runningsource ~/.bash_profile
or opening a new terminal solved it for me. -
Jeff about 7 yearsThis solution worked for me, but I had to change
1.0.2j
to1.0.2k
because of version differences. So users beware, you may need to adjust paths for the current version -
shaneparsons about 7 yearsI saw @Jeff's comment a little too late. If you did too, I believe
ln -s -f /usr/local/Cellar/openssl/1.0.2k/bin/openssl /usr/local/bin/openssl
fixes it -
user124384 about 7 yearsFINALLY. This also worked for me. The other answers above did not!
-
B.Ma over 6 yearsor
echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' >> ~/.zshrc
-
Mark Reed over 6 yearsFor this to work, you need to add
/usr/local/opt/openssl/bin
, without the/openssl
on the end, to the front of the PATH, not the end:PATH=/usr/local/opt/openssl/bin:$PATH
Using/usr/local/opt/openssl
instead of/usr/local/Cellar/openssl/$version
means you'll automatically keep the most up-to-date version in your $PATH without having to change it every time you upgrade. -
Bruno de Oliveira over 6 yearsThis worked for me, trying to compile PHP 7.2.1 with phpbrew on Mac OS High Sierra - Thanks!
-
Naomi See about 6 yearsAfter hours of dumbness this did the trick for me along with @MarkReed's additional notes
-
sea26.2 almost 6 yearsStill doesn't work: a new version of OpenSSL is installed. But- it is not used by apps such as Composer. $ openssl version -a OpenSSL 1.0.2o 27 Mar 2018 However output from Composer diagnose says otherwise. $ composer diagnose Checking composer.json: WARNING No license specified, it is recommended to do so. For closed-source software you may use "proprietary" as license. Checking platform settings: WARNING The OpenSSL library (0.9.8r) used by PHP does not support TLSv1.2 or TLSv1.1. If possible you should upgrade OpenSSL to version 1.0.1 or above.
-
David Ansermot almost 6 yearsWorked nice for me, just skipped la part './configure && make'
-
David almost 6 yearsAnd a year later, this happened to me migrating my Mac, and your fix worked for me as well. Thanks so much; I was getting to the point of considering wiping my new Mac and doing a fresh install and setting everything up again manually.
-
tobybot almost 6 years@David glad I could keep you from going over the brink! I almost did the same.
-
Gal Bracha over 5 yearsYou might also need to delete this folder before doing the above.
rm -rf /usr/local/opt/openssl
-
Karthik N G about 5 yearsI was able to use this and get it working for me. Thank you. I have 1.0.2q version of openssl.
-
Neevai about 4 yearsI'm using macOS Catalina 10.15.4 and this is the only solution that worked.
-
AlxVallejo over 3 yearsCalling Non-checksummed download of openssl formula file from an arbitrary URL is disabled!
-
Tarun over 2 yearsI would kiss you if you were next to me. This is what worked for me after 3 hrs of struggle.
-
cegprakash over 2 yearshow do I uninstall something installed like this??