Don’t Upgrade OpenSSL If You’re Using Plesk (= Broken Controlpanel)

Author: 16 Comments

If you're using Plesk 9.x on a CentOS system, don't upgrade the openssl package from version 0:0.9.8e-12.el5_4.1 to 0:0.9.8e-12.el5_4.6. It will break your Plesk Controlpanel, causing it to no longer start up. You'll see a message similar to this.

[root@srv~]# /etc/init.d/psa start
Starting xinetd service...               done
Starting named service...             done
Starting mysqld service...           done
Plesk: Starting Mail Server... already started
Starting mail handlers tmpfs storage
Starting Plesk...                       failed

There won't be an obvious error message in any log file location (/var/log/*, /usr/local/psa/var/log/*, /usr/local/psa/admin/logs/*), but it will most likely be caused by your recent openssl upgrade. Solution is this.

Edit April 2nd: There's now a Knowledge Base article available by Parallels on this issue: "Latest update of openssl breaks Parallels panel". You might want to read that too, same solutions as stated below.

Edit April 2nd²: Parallels has release an official solution, using a Plesk update: http://kb.parallels.com/en/8338

1) Downgrade method

If this works, it's the easiest solution. Just make sure that due to dependencies, nothing of Parallels or Plesk is removed along. If you see any psa* or plesk* packages in the dependency list, MOVE TO METHOD 2!!
[root@srv~]# yum downgrade openssl openssl-devel

2) Using RPM packages

Download the OpenSSL version 0.9.8e-12 5_4.6 for your architecture (these apply to CentOS).

You have to download these first! After completing the next steps, you'll be without openssl -- and downloading through wget or curl won't  work because of missing libraries. Please take note: the following is at your own risk (and if you lose your SSH connection in the meanwhile, you're screwed).

Find your current OpenSSL version, it should read version "el5_4.6″.

[root@srv~]# rpm -qa | grep -i openssl
openssl-0.9.8e-12.el5_4.6

Remove the package (if you haven't downloaded the openssl package yet, do so first !!). (due to the font of this blog, it's confusing, but the parameter = ' -- -- nodeps').

[root@srv ~]# rpm -e --nodeps openssl-0.9.8e-12.el5_4.6

And re-install the correct version (replace the RPM with the one for your achitecture).

[root@srv  ~]# rpm -ivh openssl-0.9.8e-12.el5_4.1.x86_64.rpm
warning: openssl-0.9.8e-12.el5_4.1.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID e8562897
Preparing...                ########################################### [100%]
1:openssl                ########################################### [100%]

Afterwards, you'll be able to start Plesk again.

[root@srv~]# /etc/init.d/psa start
Starting xinetd service...               done
Starting named service...             done
Starting mysqld service...           done
Plesk: Starting Mail Server... already started
Starting mail handlers tmpfs storage
Starting Plesk...                       done
Since there's no update on Plesk yet, this is something to look out for!
Update: An official message from Parallels

For now the only workaround is to downgrade openssl, either with yum or with rpm (if yum is not configured):

# wget -c http://mirrors.kernel.org/centos/5/updates/x86_64/RPMS/{openssl-0.9.8e-12.el5_4.1.x86_64.rpm,mod_ssl-2.2.3-31.el5.centos.2.x86_64.rpm,httpd-2.2.3-31.el5.centos.2.x86_64.rpm}

# rpm -Uvh --oldpackage {openssl-0.9.8e-12.el5_4.1.x86_64.rpm,mod_ssl-2.2.3-31.el5.centos.2.x86_64.rpm,httpd-2.2.3-31.el5.centos.2.x86_64.rpm}

# /etc/init.d/sw-cp-server start

Good luck!

Comments
  1. Posted by Mihai Limbasan
  2. Posted by Matti
  3. Posted by Mihai Limbasan
  4. Posted by Matti
  5. Posted by Mihai Limbasan
  6. Posted by Matti
  7. Posted by keith D Mitchell
  8. Posted by perk
  9. Posted by Matti
  10. Posted by Ali
  11. Posted by Matti
  12. Posted by morgan
  13. Posted by Matti
  14. Posted by sam
  15. Posted by Ryan
    • Posted by Matti

Add Your Comment