Don’t Upgrade OpenSSL If You’re Using Plesk (= Broken Controlpanel)

WARNING: This post was originally published in 2010 and hasn't been updated since.
The tips, techniques and technology explained here may be outdated. If you spot any errors, please let me know in the comments so I can adjust the article. Thanks!

If you're using Plesk 9.x on a CentOS system, don't upgrade the openssl package from version 0:0.9.8e-12.el5_4.1 to 0:0.9.8e-12.el5_4.6. It will break your Plesk Controlpanel, causing it to no longer start up. You'll see a message similar to this.

[root@srv~]# /etc/init.d/psa start
Starting xinetd service...               done
Starting named service...             done
Starting mysqld service...           done
Plesk: Starting Mail Server... already started
Starting mail handlers tmpfs storage
Starting Plesk...                       failed

There won't be an obvious error message in any log file location (/var/log/*, /usr/local/psa/var/log/*, /usr/local/psa/admin/logs/*), but it will most likely be caused by your recent openssl upgrade. Solution is this.

Edit April 2nd: There's now a Knowledge Base article available by Parallels on this issue: "Latest update of openssl breaks Parallels panel". You might want to read that too, same solutions as stated below.

Edit April 2nd²: Parallels has release an official solution, using a Plesk update: http://kb.parallels.com/en/8338

1) Downgrade method

If this works, it's the easiest solution. Just make sure that due to dependencies, nothing of Parallels or Plesk is removed along. If you see any psa* or plesk* packages in the dependency list, MOVE TO METHOD 2!!
[root@srv~]# yum downgrade openssl openssl-devel

2) Using RPM packages

Download the OpenSSL version 0.9.8e-12 5_4.6 for your architecture (these apply to CentOS).

You have to download these first! After completing the next steps, you'll be without openssl -- and downloading through wget or curl won't  work because of missing libraries. Please take note: the following is at your own risk (and if you lose your SSH connection in the meanwhile, you're screwed).

Find your current OpenSSL version, it should read version "el5_4.6″.

[root@srv~]# rpm -qa | grep -i openssl
openssl-0.9.8e-12.el5_4.6

Remove the package (if you haven't downloaded the openssl package yet, do so first !!). (due to the font of this blog, it's confusing, but the parameter = ' -- -- nodeps').

[root@srv ~]# rpm -e --nodeps openssl-0.9.8e-12.el5_4.6

And re-install the correct version (replace the RPM with the one for your achitecture).

[root@srv  ~]# rpm -ivh openssl-0.9.8e-12.el5_4.1.x86_64.rpm
warning: openssl-0.9.8e-12.el5_4.1.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID e8562897
Preparing...                ########################################### [100%]
1:openssl                ########################################### [100%]

Afterwards, you'll be able to start Plesk again.

[root@srv~]# /etc/init.d/psa start
Starting xinetd service...               done
Starting named service...             done
Starting mysqld service...           done
Plesk: Starting Mail Server... already started
Starting mail handlers tmpfs storage
Starting Plesk...                       done
Since there's no update on Plesk yet, this is something to look out for!
Update: An official message from Parallels

For now the only workaround is to downgrade openssl, either with yum or with rpm (if yum is not configured):

# wget -c http://mirrors.kernel.org/centos/5/updates/x86_64/RPMS/{openssl-0.9.8e-12.el5_4.1.x86_64.rpm,mod_ssl-2.2.3-31.el5.centos.2.x86_64.rpm,httpd-2.2.3-31.el5.centos.2.x86_64.rpm}

# rpm -Uvh --oldpackage {openssl-0.9.8e-12.el5_4.1.x86_64.rpm,mod_ssl-2.2.3-31.el5.centos.2.x86_64.rpm,httpd-2.2.3-31.el5.centos.2.x86_64.rpm}

# /etc/init.d/sw-cp-server start

Good luck!

16 comments on “Don’t Upgrade OpenSSL If You’re Using Plesk (= Broken Controlpanel)
  1. Mihai Limbasan says:

    why not simply use

    yum downgrade openssl

    or

    yum downgrade openssl openssl-devel

    instead of manually futzing with the rpms?

  2. Matti says:

    Because due to dependencies, you’ll also remove PSA (the controlpanel) itself as well.

  3. Mihai Limbasan says:

    That shouldn’t happen – have you tested it? On my systems, downgrading openssl and openssl-devel does not try to remove any package dependent on openssl. If you try downgrading just openssl and have openssl-devel installed, then yes, yum will offer to remove every package depending on openssl, but just include the -devel package on the same yum downgrade command line and you should be fine. You might have to include mod_ssl there, and/or other packages which depend *directly* on openssl (look at the depsolving output to figure out which).

    Can you check what your specific Plesk packages depend on?

  4. Matti says:

    I used RPM for 2 main reasons:
    -1) On Virtuozzo systems, yum isn’t enabled by default, but the use of RPM packages are (otherwise, the host needs to ‘vzpkg install -p [CTID] yum’ to install yum within the container)

    -2) I tested it on a new server, a downgrade would have also removed a lot of PSA packages, as well as some others (who I forgot now). On a Virtuozzo system, a downgrade seems to work though (just verified). I’ve updated the original article, does seem worth mentioning – Thx!

  5. Mihai Limbasan says:

    Most welcome. Wasn’t aware of that limitation of Virtuozzo containers, thanks.

  6. Matti says:

    FYI, this is the dependency removal list on some other systems. For this, you’d want to use the RPM method.

    [root@srv ~]# yum downgrade openssl
    Dependencies Resolved

    ==================================================
    Package Arch
    ==================================================
    Installing:
    openssl i686
    openssl x86_64
    Removing:
    openssl i686
    openssl x86_64
    Removing for dependencies:
    SSHTerm noarch
    mod_ssl x86_64
    psa x86_64
    psa-api-rpc noarch
    psa-atmail noarch
    psa-awstats-configurator noarch
    psa-backup-manager x86_64
    psa-horde noarch
    psa-imp noarch
    psa-ingo noarch
    psa-kronolith noarch
    psa-libpam-plesk x86_64
    psa-migration-manager x86_64
    psa-mimp noarch
    psa-mnemo noarch
    psa-passwd noarch
    psa-spamassassin x86_64
    psa-turba noarch
    psa-updates noarch

    Transaction Summary
    ================================================
    Install 2 Package(s)
    Update 0 Package(s)
    Remove 21 Package(s)

  7. keith D Mitchell says:

    Hey Gang,

    Parallel’s has released a fix for this. It was just released / revised today.

    http://kb.parallels.com/en/8338

    Resolution
    It is necessary to update Parallels Panel web-engine:

    1. Download the appropriate package using the wget utility. Example for CentOS 5 x86:
    #wget -c http://kb.parallels.com/Attachments/12669/Attachments/sw-cp-server-1.0-6.201004011105.centos5.i386.rpm

    A list of fixed packages:

    CentOS 5 x86
    CentOS 5 x86_64
    CentOS 4 x86
    CentOS 4 x86_64
    RHEL 4 x86
    RHEL 4 x86_64

    2. Install the downloaded package. Example for CentOS 5 x86:
    #rpm -Uhv sw-cp-server-1.0-6.201004011105.centos5.i386.rpm

  8. perk says:

    Yep, I disabled the control panel by installing subversion that installed the updated OpenSSL. About an hour later, control panel no – worky. Thanks for the “yum downgrade openssl openssl-devel” to fix. Saved me a ton of time.

  9. Matti says:

    In case anyone’s wondering, Parallels now has a KB on this too: http://kb.parallels.com/en/8338

  10. Ali says:

    @Matti

    ‘yum downgrade openssl’ removed my psa by removing all dependencies (110 in total). Is there a way I can fix this, or should I throw in the towel and re-image the server?

  11. Matti says:

    @Ali; afraid you’ll have to reinstall/re-image. As stated in the article:
    1) Downgrade method:
    If this works, it’s the easiest solution. **Just make sure that due to dependencies, nothing of Parallels or Plesk is removed along.**

    If it happens again, you’ll have to switch to the RPM package removal.

  12. morgan says:

    Yet more evidence that you should not use Centos/Plesk ever…

    We have 100’s of servers, it is always the Centos ones that randomly break (bind/apache/plesk) with updates, Debian/Ubuntu are generally fine.

    Although to get a long support life do you really want to be running PHP 5.1.6 in 5 years time (when it is already next useless for web application support)

    Centos is like running Linux half a decade ago….

  13. Matti says:

    @Morgan; I disagree, we run a fair share of CentOS systems as well, and it’s those systems that are the most stable. We experience more troubles with Ubuntu’s/Debian that break services upon upgrade. Besides, this openssl update would’ve also broken every other Linux-distro out there, in combination with Plesk.

    It’s a matter of applying the correct Plesk update, and the problem is fixed (which goes for Apache/Bind/MySQL/… as well!).

  14. sam says:

    Friend

    saw this post

    yum downgrade openssl removed plesk

    http://forum.parallels.com/showthread.php?t=100574

  15. Ryan says:

    What to do in the case of Plesk 8.6.x with openssl if we don’t want to upgrade to Plesk 9.x

    • Matti says:

      @Ryan: I can’t say, I haven’t had that problem. For now, I can only think of upgrading to Plesk 9, as I think Plesk 8 is considdered “outdated”, and probably won’t be receiving these updates any more.

2 Pings/Trackbacks for "Don’t Upgrade OpenSSL If You’re Using Plesk (= Broken Controlpanel)"
  1. Social comments and analytics for this post…

    This post was mentioned on Reddit by Moocha: Do **not** remove the openssl package as detailed in the article. It’s certainly a possibility, but it’s a very fragile and error-prone process. Instead, just use yum’s builtin downgrade facility: yum dow…

  2. Bail Bonds Los Angeles…

    […]these are several web page links to places which I link to seeing as we believe they will be worthwhile checking out[…]…

Leave a Reply

Your email address will not be published. Required fields are marked *

*

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Advertisement

Why ads?

I'm glad you made it to this blogpost. I hope it helps solve your problem. So why then do I show ads on the site? Writing content, testing it and making sure the layout isn't totally b0rked takes time. A lot of time. The ads are a way to pay back a small portion of that time.

And as you know running a site costs (a bit of) money: the domain name, webhosting, time spent writing and updating content, ... So if you like the content of this blog, consider disabling your AdBlocker for this domain. Thanks!

Recent posts

Looking for help?

Tired of fixing all these tech-problems yourself? We've got an excellent team at Nucleus, a top-class Belgian hosting provider, that can help you.

Discover our Managed Hosting, where skilled engineers manage your servers and keep them up-to-date, so you can focus on your core business. We use a variety of Configuration Management Systems such as Puppet to make sure every config is reviewed, unit-tested and guaranteed to be working.

Want to get in touch? Find me as @mattiasgeniar on Twitter or via the contact-page on this blog.