KB Article #193060

VA Server UI Startup Failure Caused by OpenSSL Version Conflict

Overview

After upgrading the operating system to RHEL 9.7 or performing a system update, VA Server may fail to start when initiated from the UI, while starting the server from the command line continues to work. This issue is caused by an OpenSSL version mismatch affecting how system services are started from the UI and applies to VA versions prior to 5.2 UP202602 on systems upgraded from RHEL 9.6 to RHEL 9.7.


Symptoms

  • VA Server does not start when started from the UI
  • No error message is displayed in the UI
  • No new VA server log files are generated
  • VA Server starts successfully from the command line using: 
    vaservicectl va-server start
  • The following error is logged in the Apache error log (/var/lib/va/apache/logs/error_log): 
    systemctl: /opt/axway/va/entserv/libcrypto.so.3: version `OPENSSL_3.4.0' not found (required by /usr/lib64/systemd/libsystemd-shared-252.so)


Root Cause

After upgrading to RHEL 9.7, the system OpenSSL library is updated to a newer version required by systemd.

When VA services are started from the UI, Apache invokes systemctl in an environment that includes a VA-specific LD_LIBRARY_PATH. Because systemctl is a system utility, it must use system libraries, including the system-provided OpenSSL version.

Due to the inherited LD_LIBRARY_PATH, systemctl attempts to load the VA-delivered OpenSSL instead of the system OpenSSL. The VA OpenSSL library does not contain the OpenSSL symbols required by the updated systemd libraries, resulting in a startup failure.

When VA services are started from the command line, the VA-specific LD_LIBRARY_PATH is not applied, allowing systemctl to correctly use the system OpenSSL and start the service successfully.


Resolution

Starting with VA 5.2 UP202602, this issue has been resolved.

The VA service start and stop logic has been updated to use the systemd D-Bus interface directly, instead of invoking systemctl through a shell. This prevents system utilities from inheriting product-specific environment variables.

As a result:

  • systemctl and systemd always use system libraries, including system OpenSSL
  • VA services continue to use the OpenSSL version delivered with the product, as intended

Still need help?

If this information wasn't helpful to you, just drop us a line. We'll get back to you as soon as possible.