Don’t Upgrade OpenSSL If You’re Using Plesk (= Broken Controlpanel)

Mattias Geniar, Monday, March 29, 2010 - last modified: Thursday, July 28, 2011

If you're using Plesk 9.x on a CentOS system, don't upgrade the openssl package from version 0:0.9.8e-12.el5_4.1 to 0:0.9.8e-12.el5_4.6. It will break your Plesk Controlpanel, causing it to no longer start up. You'll see a message similar to this.

[root@srv~]# /etc/init.d/psa start
Starting xinetd service...               done
Starting named service...             done
Starting mysqld service...           done
Plesk: Starting Mail Server... already started
Starting mail handlers tmpfs storage
Starting Plesk...                       failed

There won't be an obvious error message in any log file location (/var/log/*, /usr/local/psa/var/log/*, /usr/local/psa/admin/logs/*), but it will most likely be caused by your recent openssl upgrade. Solution is this.

Edit April 2nd: There's now a Knowledge Base article available by Parallels on this issue: "Latest update of openssl breaks Parallels panel". You might want to read that too, same solutions as stated below.

Edit April 2nd²: Parallels has release an official solution, using a Plesk update:

1) Downgrade method

If this works, it's the easiest solution. Just make sure that due to dependencies, nothing of Parallels or Plesk is removed along. If you see any psa* or plesk* packages in the dependency list, MOVE TO METHOD 2!!
[root@srv~]# yum downgrade openssl openssl-devel

2) Using RPM packages

Download the OpenSSL version 0.9.8e-12 5_4.6 for your architecture (these apply to CentOS).

You have to download these first! After completing the next steps, you'll be without openssl -- and downloading through wget or curl won't  work because of missing libraries. Please take note: the following is at your own risk (and if you lose your SSH connection in the meanwhile, you're screwed).

Find your current OpenSSL version, it should read version "el5_4.6".

[root@srv~]# rpm -qa | grep -i openssl

Remove the package (if you haven't downloaded the openssl package yet, do so first !!). (due to the font of this blog, it's confusing, but the parameter = ' -- -- nodeps').

[root@srv ~]# rpm -e --nodeps openssl-0.9.8e-12.el5_4.6

And re-install the correct version (replace the RPM with the one for your achitecture).

[root@srv  ~]# rpm -ivh openssl-0.9.8e-12.el5_4.1.x86_64.rpm
warning: openssl-0.9.8e-12.el5_4.1.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID e8562897
Preparing...                ########################################### [100%]
1:openssl                ########################################### [100%]

Afterwards, you'll be able to start Plesk again.

[root@srv~]# /etc/init.d/psa start
Starting xinetd service...               done
Starting named service...             done
Starting mysqld service...           done
Plesk: Starting Mail Server... already started
Starting mail handlers tmpfs storage
Starting Plesk...                       done
Since there's no update on Plesk yet, this is something to look out for!
Update: An official message from Parallels

For now the only workaround is to downgrade openssl, either with yum or with rpm (if yum is not configured):

# wget -c{openssl-0.9.8e-12.el5_4.1.x86_64.rpm,mod_ssl-2.2.3-31.el5.centos.2.x86_64.rpm,httpd-2.2.3-31.el5.centos.2.x86_64.rpm}

# rpm -Uvh --oldpackage {openssl-0.9.8e-12.el5_4.1.x86_64.rpm,mod_ssl-2.2.3-31.el5.centos.2.x86_64.rpm,httpd-2.2.3-31.el5.centos.2.x86_64.rpm}

# /etc/init.d/sw-cp-server start

Good luck!

Share this post

Did you like this post? Will you help me share it on social media? Thanks!


Mihai Limbasan Monday, March 29, 2010 at 15:31

why not simply use

yum downgrade openssl


yum downgrade openssl openssl-devel

instead of manually futzing with the rpms?


Matti Monday, March 29, 2010 at 17:51

Because due to dependencies, you’ll also remove PSA (the controlpanel) itself as well.


Mihai Limbasan Monday, March 29, 2010 at 20:50

That shouldn’t happen – have you tested it? On my systems, downgrading openssl and openssl-devel does not try to remove any package dependent on openssl. If you try downgrading just openssl and have openssl-devel installed, then yes, yum will offer to remove every package depending on openssl, but just include the -devel package on the same yum downgrade command line and you should be fine. You might have to include mod_ssl there, and/or other packages which depend *directly* on openssl (look at the depsolving output to figure out which).

Can you check what your specific Plesk packages depend on?


Matti Monday, March 29, 2010 at 21:36

I used RPM for 2 main reasons:
-1) On Virtuozzo systems, yum isn’t enabled by default, but the use of RPM packages are (otherwise, the host needs to ‘vzpkg install -p [CTID] yum’ to install yum within the container)

-2) I tested it on a new server, a downgrade would have also removed a lot of PSA packages, as well as some others (who I forgot now). On a Virtuozzo system, a downgrade seems to work though (just verified). I’ve updated the original article, does seem worth mentioning – Thx!


Mihai Limbasan Monday, March 29, 2010 at 22:23

Most welcome. Wasn’t aware of that limitation of Virtuozzo containers, thanks.


Matti Tuesday, March 30, 2010 at 09:35

FYI, this is the dependency removal list on some other systems. For this, you’d want to use the RPM method.

[root@srv ~]# yum downgrade openssl
Dependencies Resolved

Package Arch
openssl i686
openssl x86_64
openssl i686
openssl x86_64
Removing for dependencies:
SSHTerm noarch
mod_ssl x86_64
psa x86_64
psa-api-rpc noarch
psa-atmail noarch
psa-awstats-configurator noarch
psa-backup-manager x86_64
psa-horde noarch
psa-imp noarch
psa-ingo noarch
psa-kronolith noarch
psa-libpam-plesk x86_64
psa-migration-manager x86_64
psa-mimp noarch
psa-mnemo noarch
psa-passwd noarch
psa-spamassassin x86_64
psa-turba noarch
psa-updates noarch

Transaction Summary
Install 2 Package(s)
Update 0 Package(s)
Remove 21 Package(s)


keith D Mitchell Thursday, April 1, 2010 at 17:42

Hey Gang,

Parallel’s has released a fix for this. It was just released / revised today.

It is necessary to update Parallels Panel web-engine:

1. Download the appropriate package using the wget utility. Example for CentOS 5 x86:
#wget -c

A list of fixed packages:

CentOS 5 x86
CentOS 5 x86_64
CentOS 4 x86
CentOS 4 x86_64
RHEL 4 x86
RHEL 4 x86_64

2. Install the downloaded package. Example for CentOS 5 x86:
#rpm -Uhv sw-cp-server-1.0-6.201004011105.centos5.i386.rpm


perk Thursday, April 1, 2010 at 22:04

Yep, I disabled the control panel by installing subversion that installed the updated OpenSSL. About an hour later, control panel no – worky. Thanks for the “yum downgrade openssl openssl-devel” to fix. Saved me a ton of time.


Matti Friday, April 2, 2010 at 05:38

In case anyone’s wondering, Parallels now has a KB on this too:


Ali Friday, April 2, 2010 at 19:04


‘yum downgrade openssl’ removed my psa by removing all dependencies (110 in total). Is there a way I can fix this, or should I throw in the towel and re-image the server?


Matti Sunday, April 4, 2010 at 09:41

@Ali; afraid you’ll have to reinstall/re-image. As stated in the article:
1) Downgrade method:
If this works, it’s the easiest solution. **Just make sure that due to dependencies, nothing of Parallels or Plesk is removed along.**

If it happens again, you’ll have to switch to the RPM package removal.


morgan Wednesday, April 7, 2010 at 16:09

Yet more evidence that you should not use Centos/Plesk ever…

We have 100’s of servers, it is always the Centos ones that randomly break (bind/apache/plesk) with updates, Debian/Ubuntu are generally fine.

Although to get a long support life do you really want to be running PHP 5.1.6 in 5 years time (when it is already next useless for web application support)

Centos is like running Linux half a decade ago….


Matti Thursday, April 8, 2010 at 06:42

@Morgan; I disagree, we run a fair share of CentOS systems as well, and it’s those systems that are the most stable. We experience more troubles with Ubuntu’s/Debian that break services upon upgrade. Besides, this openssl update would’ve also broken every other Linux-distro out there, in combination with Plesk.

It’s a matter of applying the correct Plesk update, and the problem is fixed (which goes for Apache/Bind/MySQL/… as well!).


sam Friday, April 9, 2010 at 00:33


saw this post

yum downgrade openssl removed plesk


Ryan Monday, July 12, 2010 at 21:59

What to do in the case of Plesk 8.6.x with openssl if we don’t want to upgrade to Plesk 9.x


    Matti Monday, July 12, 2010 at 23:12

    @Ryan: I can’t say, I haven’t had that problem. For now, I can only think of upgrading to Plesk 9, as I think Plesk 8 is considdered “outdated”, and probably won’t be receiving these updates any more.


Leave a Reply

Your email address will not be published. Required fields are marked *

Inbound links