Don't Upgrade OpenSSL If You're Using Plesk (= Broken Controlpanel)

If you’re using Plesk 9.x on a CentOS system, don’t upgrade the openssl package from version 0:0.9.8e-12.__e****l5_4.1 to 0:0.9.8e-12.el5_4.6. It will break your Plesk Controlpanel, causing it to no longer start up. You’ll see a message similar to this.

[root@srv~]# /etc/init.d/psa start
Starting xinetd service...               done
Starting named service...             done
Starting mysqld service...           done
Plesk: Starting Mail Server... already started
Starting mail handlers tmpfs storage
Starting Plesk...                       failed

There won’t be an obvious error message in any log file location (/var/log/*, /usr/local/psa/var/log/*, /usr/local/psa/admin/logs/*), but it will most likely be caused by your recent openssl upgrade. Solution is this.

Edit April 2nd: There’s now a Knowledge Base article available by Parallels on this issue: “Latest update of openssl breaks Parallels panel ”. You might want to read that too, same solutions as stated below.

Edit April 2nd²: Parallels has release an official solution, using a Plesk update: http://kb.parallels.com/en/8338

1) Downgrade method#

If this works, it's the easiest solution. Just make sure that due to dependencies, nothing of Parallels or Plesk is removed along. If you see any psa* or plesk* packages in the dependency list, MOVE TO METHOD 2!!
[root@srv~]# yum downgrade openssl openssl-devel

2) Using RPM packages#

Download the OpenSSL version 0.9.8e-12 5_4.6 for your architecture (these apply to CentOS).

You have to download these first! After completing the next steps, you’ll be without openssl – and downloading through wget or curl won’t  work because of missing libraries. Please take note: the following is at your own risk (and if you lose your SSH connection in the meanwhile, you’re screwed).

Find your current OpenSSL version, it should read version “el5_4.6”.

[root@srv~]# rpm -qa | grep -i openssl

openssl-0.9.8e-12.el5_4.6

Remove the package (if you haven’t downloaded the openssl package yet, do so first !!). (due to the font of this blog, it’s confusing, but the parameter = ’ -- – nodeps’).

[root@srv ~]# rpm -e –nodeps openssl-0.9.8e-12.el5_4.6

And re-install the correct version (replace the RPM with the one for your achitecture).

[root@srv  ~]# rpm -ivh openssl-0.9.8e-12.el5_4.1.x86_64.rpm

warning: openssl-0.9.8e-12.el5_4.1.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID e8562897

Preparing…                ########################################### [100%]

1:openssl                ########################################### [100%]

Afterwards, you’ll be able to start Plesk again.

[root@srv~]# /etc/init.d/psa start
Starting xinetd service...               done
Starting named service...             done
Starting mysqld service...           done
Plesk: Starting Mail Server... already started
Starting mail handlers tmpfs storage
Starting Plesk...                       done
Since there's no update on Plesk yet, this is something to look out for!
Update: An official message from Parallels

For now the only workaround is to downgrade openssl, either with yum or with rpm (if yum is not configured):

# wget -c http://mirrors.kernel.org/centos/5/updates/x86_64/RPMS/{openssl-0.9.8e-12.el5_4.1.x86_64.rpm,mod_ssl-2.2.3-31.el5.centos.2.x86_64.rpm,httpd-2.2.3-31.el5.centos.2.x86_64.rpm}

# rpm -Uvh --oldpackage {openssl-0.9.8e-12.el5_4.1.x86_64.rpm,mod_ssl-2.2.3-31.el5.centos.2.x86_64.rpm,httpd-2.2.3-31.el5.centos.2.x86_64.rpm}

# /etc/init.d/sw-cp-server start

Good luck!