Configuration in openssl.conf file

Question

How do I set the configuration in the /etc/ssl/openssl.conf file as the default.

I need to remove the comment from the lines:

line 61
##legacy = legacy_sect

line 66
##[legacy_sect]

line 67
##activate = 1

Because every time there is a restart, I need to do the same manually.

I need to automate this.

I'm waiting.

Danish Tamboli · Answer

Hey,

There are several ways to do this.

1. You can bake this change in a new AMI, please refer to [this doc](https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/tkv-create-ami-from-instance.html) for steps and guidance.

2. You can configure your EC2 Userdata to do this:
* **CloudFormation**: You can make use of the [UserData property](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-instance.html#cfn-ec2-instance-userdata) of the instance.
* **CDK**: You can make use of the ["ec2.UserData.custom()"](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.UserData.html#static-customcontent) method to specify userdata for the instance within the instance properties.
* While the userdata runs only on the first boot cycle, these file-level changes should persist across EC2 reboots, I've been able to test this.

The command you can use is as below, it makes all the changes and automatically creates a backup of your .cnf file:

```
sudo sed -i.bak '/##legacy = legacy_sect/s/^##//g;/##$$legacy_sect$$/s/^##//g;/##activate = 1/s/^##//g' 
```

PATH_TO_CONF_FILE would depend on your AMI and can likely be identified by running the below command on the instance:

```
sudo openssl version -d
```

I hope this helps. Please feel free to comment if you require any specific assistance.

Thanniru Anil Kumar · Answer

Step-by-Step Guide:

**Create a Backup:**

Before making any changes, create a backup of the original openssl.conf file.

```
sudo cp /etc/ssl/openssl.conf /etc/ssl/openssl.conf.backup

```

**Edit the Configuration File:**

You can use sed to remove the comments from the desired lines. Here’s how you can do it:

```
sudo sed -i 's/^##legacy = legacy_sect/legacy = legacy_sect/' /etc/ssl/openssl.conf
sudo sed -i 's/^##$$legacy_sect$$/$$legacy_sect$$/' /etc/ssl/openssl.conf
sudo sed -i 's/^##activate = 1/activate = 1/' /etc/ssl/openssl.conf

```

**Automate the Script:**

To ensure the script runs automatically, you can place it in a location like /usr/local/bin/, make it executable, and create a cron job to run the script after every reboot.

**Create the script:**

```
sudo nano /usr/local/bin/fix_openssl_conf.sh

```
Add the following content:

```
#!/bin/bash
sed -i 's/^##legacy = legacy_sect/legacy = legacy_sect/' /etc/ssl/openssl.conf
sed -i 's/^##$$legacy_sect$$/$$legacy_sect$$/' /etc/ssl/openssl.conf
sed -i 's/^##activate = 1/activate = 1/' /etc/ssl/openssl.conf

```
**Make the script executable:**

```
sudo chmod +x /usr/local/bin/fix_openssl_conf.sh

```
Set Up a Cron Job:

You can set up a cron job to run this script at reboot.

```
sudo crontab -e

```
Add the following line to the cron file:

```
@reboot /usr/local/bin/fix_openssl_conf.sh

```
Test the Script:

To test the script without rebooting, you can run it manually:

```
sudo /usr/local/bin/fix_openssl_conf.sh

```

Configuration in openssl.conf file

Add your answer

Relevant content