Don’t Upgrade OpenSSL If You’re Using Plesk (= Broken Controlpanel)

If you're using Plesk 9.x on a CentOS system, don't upgrade the openssl package from version 0:0.9.8e-12.el5_4.1 to 0:0.9.8e-12.el5_4.6. It will break your Plesk Controlpanel, causing it to no longer start up. You'll see a message similar to this.

[root@srv~]# /etc/init.d/psa start
Starting xinetd service...               done
Starting named service...             done
Starting mysqld service...           done
Plesk: Starting Mail Server... already started
Starting mail handlers tmpfs storage
Starting Plesk...                       failed

There won't be an obvious error message in any log file location (/var/log/*, /usr/local/psa/var/log/*, /usr/local/psa/admin/logs/*), but it will most likely be caused by your recent openssl upgrade. Solution is this.

Edit April 2nd: There's now a Knowledge Base article available by Parallels on this issue: "Latest update of openssl breaks Parallels panel". You might want to read that too, same solutions as stated below.

Edit April 2nd²: Parallels has release an official solution, using a Plesk update:

1) Downgrade method

If this works, it's the easiest solution. Just make sure that due to dependencies, nothing of Parallels or Plesk is removed along. If you see any psa* or plesk* packages in the dependency list, MOVE TO METHOD 2!!
[root@srv~]# yum downgrade openssl openssl-devel

2) Using RPM packages

Download the OpenSSL version 0.9.8e-12 5_4.6 for your architecture (these apply to CentOS).

You have to download these first! After completing the next steps, you'll be without openssl -- and downloading through wget or curl won't  work because of missing libraries. Please take note: the following is at your own risk (and if you lose your SSH connection in the meanwhile, you're screwed).

Find your current OpenSSL version, it should read version "el5_4.6″.

[root@srv~]# rpm -qa | grep -i openssl

Remove the package (if you haven't downloaded the openssl package yet, do so first !!). (due to the font of this blog, it's confusing, but the parameter = ' -- -- nodeps').

[root@srv ~]# rpm -e --nodeps openssl-0.9.8e-12.el5_4.6

And re-install the correct version (replace the RPM with the one for your achitecture).

[root@srv  ~]# rpm -ivh openssl-0.9.8e-12.el5_4.1.x86_64.rpm
warning: openssl-0.9.8e-12.el5_4.1.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID e8562897
Preparing...                ########################################### [100%]
1:openssl                ########################################### [100%]

Afterwards, you'll be able to start Plesk again.

[root@srv~]# /etc/init.d/psa start
Starting xinetd service...               done
Starting named service...             done
Starting mysqld service...           done
Plesk: Starting Mail Server... already started
Starting mail handlers tmpfs storage
Starting Plesk...                       done
Since there's no update on Plesk yet, this is something to look out for!
Update: An official message from Parallels

For now the only workaround is to downgrade openssl, either with yum or with rpm (if yum is not configured):

# wget -c{openssl-0.9.8e-12.el5_4.1.x86_64.rpm,mod_ssl-2.2.3-31.el5.centos.2.x86_64.rpm,httpd-2.2.3-31.el5.centos.2.x86_64.rpm}

# rpm -Uvh --oldpackage {openssl-0.9.8e-12.el5_4.1.x86_64.rpm,mod_ssl-2.2.3-31.el5.centos.2.x86_64.rpm,httpd-2.2.3-31.el5.centos.2.x86_64.rpm}

# /etc/init.d/sw-cp-server start

Good luck!

The Social Box

You can sign up for more updates via Twitter or Facebook below. On Twitter, I regularly talk about technology or tweet about interesting stories. Topics that don't necessarily make it to this blog. Facebook contains a steady update of blogposts and some more lightweight stories.

The @mattiasrss account has an automated RSS feed of all blogposts that get published.

Write a Comment

Do you care about the markup if your comment? You can use the following HTML tags:

<code>command</code>: command highlighting
<pre>text</pre>: pre-formatted code, can be multi-line (black background, white letters)

example <pre> tag
<blockquote>text</blockquote> quoted text
quoted example

None of this is needed of course, it's all optional!




  1. That shouldn’t happen – have you tested it? On my systems, downgrading openssl and openssl-devel does not try to remove any package dependent on openssl. If you try downgrading just openssl and have openssl-devel installed, then yes, yum will offer to remove every package depending on openssl, but just include the -devel package on the same yum downgrade command line and you should be fine. You might have to include mod_ssl there, and/or other packages which depend *directly* on openssl (look at the depsolving output to figure out which).

    Can you check what your specific Plesk packages depend on?

  2. I used RPM for 2 main reasons:
    -1) On Virtuozzo systems, yum isn’t enabled by default, but the use of RPM packages are (otherwise, the host needs to ‘vzpkg install -p [CTID] yum’ to install yum within the container)

    -2) I tested it on a new server, a downgrade would have also removed a lot of PSA packages, as well as some others (who I forgot now). On a Virtuozzo system, a downgrade seems to work though (just verified). I’ve updated the original article, does seem worth mentioning – Thx!

  3. FYI, this is the dependency removal list on some other systems. For this, you’d want to use the RPM method.

    [root@srv ~]# yum downgrade openssl
    Dependencies Resolved

    Package Arch
    openssl i686
    openssl x86_64
    openssl i686
    openssl x86_64
    Removing for dependencies:
    SSHTerm noarch
    mod_ssl x86_64
    psa x86_64
    psa-api-rpc noarch
    psa-atmail noarch
    psa-awstats-configurator noarch
    psa-backup-manager x86_64
    psa-horde noarch
    psa-imp noarch
    psa-ingo noarch
    psa-kronolith noarch
    psa-libpam-plesk x86_64
    psa-migration-manager x86_64
    psa-mimp noarch
    psa-mnemo noarch
    psa-passwd noarch
    psa-spamassassin x86_64
    psa-turba noarch
    psa-updates noarch

    Transaction Summary
    Install 2 Package(s)
    Update 0 Package(s)
    Remove 21 Package(s)

  4. Hey Gang,

    Parallel’s has released a fix for this. It was just released / revised today.

    It is necessary to update Parallels Panel web-engine:

    1. Download the appropriate package using the wget utility. Example for CentOS 5 x86:
    #wget -c

    A list of fixed packages:

    CentOS 5 x86
    CentOS 5 x86_64
    CentOS 4 x86
    CentOS 4 x86_64
    RHEL 4 x86
    RHEL 4 x86_64

    2. Install the downloaded package. Example for CentOS 5 x86:
    #rpm -Uhv sw-cp-server-1.0-6.201004011105.centos5.i386.rpm

  5. Yep, I disabled the control panel by installing subversion that installed the updated OpenSSL. About an hour later, control panel no – worky. Thanks for the “yum downgrade openssl openssl-devel” to fix. Saved me a ton of time.

  6. @Matti

    ‘yum downgrade openssl’ removed my psa by removing all dependencies (110 in total). Is there a way I can fix this, or should I throw in the towel and re-image the server?

  7. @Ali; afraid you’ll have to reinstall/re-image. As stated in the article:
    1) Downgrade method:
    If this works, it’s the easiest solution. **Just make sure that due to dependencies, nothing of Parallels or Plesk is removed along.**

    If it happens again, you’ll have to switch to the RPM package removal.

  8. Yet more evidence that you should not use Centos/Plesk ever…

    We have 100’s of servers, it is always the Centos ones that randomly break (bind/apache/plesk) with updates, Debian/Ubuntu are generally fine.

    Although to get a long support life do you really want to be running PHP 5.1.6 in 5 years time (when it is already next useless for web application support)

    Centos is like running Linux half a decade ago….

  9. @Morgan; I disagree, we run a fair share of CentOS systems as well, and it’s those systems that are the most stable. We experience more troubles with Ubuntu’s/Debian that break services upon upgrade. Besides, this openssl update would’ve also broken every other Linux-distro out there, in combination with Plesk.

    It’s a matter of applying the correct Plesk update, and the problem is fixed (which goes for Apache/Bind/MySQL/… as well!).

    • @Ryan: I can’t say, I haven’t had that problem. For now, I can only think of upgrading to Plesk 9, as I think Plesk 8 is considdered “outdated”, and probably won’t be receiving these updates any more.