Resolved Dr. Web will not start after Upgrade to Plesk 17.5.3

[TimReeves]

The vServer (at Hetzner, Germany) runs Debian 8, all Packages are current.

Today I ran the Upgrade from Plesk 7.0.17 to Plesk 17.5.3 via Plesk Installer GUI. That ran through fine, but afterwards Dr.Web (drwebd) would no longer start, not even after a Reboot of the vServer.

# /etc/init.d/drwebd restart
Restarting Dr.Web drwebd...
Dr.Web (R) daemon for Linux/Plesk Edition v6.0.2.1
Copyright (c) Igor Daniloff, 1992-2017
Doctor Web, Moscow, Russia
Support service: Dr.Web — Technical support service
To purchase: Dr.Web — Антивирус для бизнеса
Key file: /opt/drweb/drweb32.key - Key file was not found! (No such file or directory)
A path to a valid license key file was not specified.
Plesk authorization failed: HTTP request error [35]
Error: Plesk Software not running.

That there is no key file is expected - on a Ubuntu-VPS at HostEurope I ran the Upgrade and Dr.Web starts there with no problems, also without key file.

I found this article: DrWeb produces the following error during startup: "Plesk authorization failed: HTTP request error [6] Plesk Software not running."

and ran "curl -d "challenge=123&checker=drweb" https://localhost:8443/check-plesk.php -k":

response=###hidden###
team@<hidden>
alexander@<hidden>
secret@<hidden>
marlies@<hidden>
rolf@<hidden>

According to this article: DrWeb Key Issues
"Parallels Premium Antivirus supports only the first 14 eMail - accounts on your server for free" - on my problem server only 5 are registered, see above.

I cannot find the cause of the problem, has anyone got a tip for me?

Thanks!

Tim Reeves

 

[Bitpalast]

It is possible that this issue is caused by a DNS issue between Hetzner DNS and DrWeb DNS: Currently the Hetzner AG local DNS servers are blocked by the DrWeb DNS servers, so that updates.drweb.com and drweb.com cannot be resolved to the corresponding IP addresses if you use the /etc/resolv.conf configuration provided by the default Hetzner OS images. To circumvent the issue, please edit /etc/resolv.conf and insert these two lines before the other nameserver entries:
nameserver 8.8.8.8
nameserver 4.4.4.4
Save /etc/resolv.conf and DrWeb should be able to connect.

 

[TimReeves]

Thanks Peter, I tried this but the problem was not solved. I also put the same question to Hetzner Support and got this reply:
es gab temporär Probleme bei der Auflösung der Dr.Web Hostnamen. Diese sind nun wieder erreichbar.
Wenn Sie das Update nun nochmals laufen lassen, sollte Dr.Web erfolgreich upgedated werden.
Which to me looks like they did'nt read my report properly. Indeed there has been a problem updating Dr.Web AV definitions from Hetzner machines in recent days, but it went away late this morning. Since then the update runs fine again. My problem is that on Startup, Dr.Web first looks if an own Plesk licence for it exists, at /opt/drweb/drweb32.key, and only if not then interrogates Plesk on port 8443 to see if it can get an authorisation, depending on what Plesk says about the situation. I assume that Plesk should normally say "ok", but will say "nope" e.g. if the server has too many mail accounts for a "free license".
Since the AV-Updates now run fine, I can only assume we have a real Plesk problem here.
My use of Dr.Web ("Plesk Premium Antivirus") dates back to the days when it was the only option. I have noticed that nowadays Plesk also offers Kaspersky as an option, so I'll just try that.
Cheers,
Tim

 

[TimReeves]

Rolle rückwärts === Scrub that (re Kaspersky).
Plesk Installer allows you to install it - but then you need a licence - which costs 26.99€ / Month + VAT, see here.
So I checked out alternative solutions:

• Waiting for a reply from Hetzner
• A Plesk page mentions "E-Mail Security Packs" combining Dr.Web + MagicSpam OR Kaspersky + MagicSpam - but I find no other mentions on the web
• Quite a bit cheaper would be the newish Plesk Extension "SpamExperts Email Security", which does both Spam and AV, available over the extensions catalogue in Plesk.
  It has various options, the one "10 Domains, Incoming only, No E-Mail Archiving" costs 18,00 €/Month + VAT, which is a lot cheaper than Kaspersky + MagicSpam.
  But is it a good solution - can anyone give feedback on it? The company selling it is from Holland.

Cheers, Tim

 

[UFHH01]

Hi TimReeves,

( first, pls. REMOVE your current license - key from your pasted link ( => SpamExperts... ). This license key should NEVER been published in open forums at all )

My problem is that on Startup, Dr.Web first looks if an own Plesk licence for it exists, at /opt/drweb/drweb32.key, and only if not then interrogates Plesk on port 8443 to see if it can get an authorisation, depending on what Plesk says about the situation. I assume that Plesk should normally say "ok", but will say "nope" e.g. if the server has too many mail accounts for a "free license".

You see this message, EVEN that you have less than 14 eMails - accounts on your server, because DrWeb desires to sell you the "additional" license. There are no problems at all with this ... let's call it NOTICE ... DrWeb still updates/upgrades, but the message will only disappear, when you installed an additional license key.
DrWeb will still protect the first 14 eMail - accounts and will ignore the following accounts, if you don't install an additional license. Pls. consider to test it for yourself, to validate my statements.


Temporary updates/upgrades issues for DrWeb as described in the starting post can be solved with the solution from @Peter Debik ( see: => #2 ).

 

[TimReeves]

Thanks @UFHH01 - not your first reply to topics of mine, I really do appreciate the help!
I have not published my key file - I don't have one; I only noted the file path where it would be / is looked for, a standard location. But the reminder to all of us is never amiss!
Maybe we're all tired at the end of a long hard week, but it seems that everyone involved (Hetzner support and here in the forum) is confusing my issue with a known one.

• The known issue is with the DNS issues between Hetzner and DrWeb DNS Servers, which can lead to updates of the AV definitions failing.
• MY issue is that since the Plesk Upgrade drwebd does not run at all.

# systemctl status drwebd.service
● drwebd.service - Plesk Premium Antivirus
Loaded: loaded (/lib/systemd/system/drwebd.service; enabled)
Active: failed (Result: exit-code) since Fri 2017-04-21 17:13:13 CEST; 4h 59min ago
Main PID: 24497 (code=exited, status=255)

Apr 21 17:13:13 my.server.de drwebd[24497]: Key file: /opt/drweb/drweb32.key - Key file was not found! (No such file or directory)
Apr 21 17:13:13 my.server.de drwebd.real[24497]: Key file: /opt/drweb/drweb32.key - Key file was not found! (No such file or directory)
Apr 21 17:13:13 my.server.de drwebd.real[24497]: A path to a valid license key file was not specified.
Apr 21 17:13:13 my.server.de drwebd[24497]: A path to a valid license key file was not specified.
Apr 21 17:13:13 my.server.de drwebd[24497]: Plesk authorization failed: HTTP request error [35]
Apr 21 17:13:13 my.server.de drwebd.real[24497]: Plesk authorization failed: HTTP request error [35]
Apr 21 17:13:13 my.server.de drwebd[24497]: Error: Plesk Software not running.
Apr 21 17:13:13 my.server.de drwebd.real[24497]: Error: Plesk Software not running.
Apr 21 17:13:13 my.server.de systemd[1]: drwebd.service: main process exited, code=exited, status=255/n/a
Apr 21 17:13:13 my.server.de systemd[1]: Unit drwebd.service entered failed state.

BTW the actual TLD is ".report".

I tried several times to start it - via Plesk GUI, via /etc/init.d/drwebd, and systemctl start drwebd.service but no joy: It just. wont. run.

Will now check the config files against the previous version (from Plesk 17.0)

 

[TimReeves]

Hi all,

@UFHH01 now I see what you mean about privacy - I included the response from the curl request to Plesk, will remove. However experiment has shown that that request always delivers exactly the same "response=..." - on Debian and Ubuntu, before and after upgrade. So it's not very personal

Now I have checked the DrWeb files:

• I can find no difference in the set of files for DrWeb before or after upgrade
• The files (binaries, scripts, config) are all very old - from November 2012 / February 2013.
• Which does not exactly make one confident that this is cutting-edge software...

 

[TimReeves]

Footnote: The server in question only has one domain with a small number of mail accounts, not heavily used - so the SpamExperts Extension (1 Domain, Incoming only, no archiving) would only cost 2,70 € + VAT / month. At that price I could give it a try - tomorrow...

 

[UFHH01]

Quite a bit cheaper would be the newish Plesk Extension "PLEASE CHECK THIS LINK" , which does both Spam and AV, available over the extensions catalogue in Plesk.

 

[TimReeves]

After a tip from Plesk support (thanks to Hetzner for submitting my report) I finally found the problem:
I had been using an explicit set of SSL ciphers, which I researched a couple of years ago, and which were state of the art at the time.

When you set them via the Plesk CLI command:
/usr/local/psa/bin/server_pref -u -ssl-ciphers '...'
then they also get set for Plesk engine (in /etc/sw-cp-server/conf.d/ssl.conf).

The new Plesk version has problems with my now "slightly old" cipher set which had been working fine up until now.
I researched again and chose to go with the current Mozilla Intermediate recommendation:

ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

If you want to do the same as me, you'll need the (root) command:

/usr/local/psa/bin/server_pref -u -ssl-ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'

This works - for Apache, for Nginx (with HTTP/2 + ALPN - but you need to manually restart nginx) - and for Dr.Web authorisation.

Hope this helps! Tim

 

[UFHH01]

Hi TimReeves,

tip: consider to use CODE - brackets here in the forum for commands which includes defined BB-Codes.


In addition, you might find it usefull to read as well:

=> HTTP/2 Support in Plesk
=> server_pref: Interface and System Preferences

 

[TimReeves]

CODE Brackets added - good tip. And thanks for the 2 links - I had read earlier versions (Plesk 12.5), but these are the current ones, very useful.

 

[Ohya]

I get exactly same issue

Plesk authorization failed: HTTP request error [35]
Error: Plesk Software not running.

And not is ssl problem, and drweb pass all test from KB recomendations.

 

[TimReeves]

I have noticed that:
/usr/local/psa/bin/server_pref -u -ssl-ciphers '...'
is not always enough to establish new ciphers, it seems to depend on the order you do things in - I *think* it works if you first establish your preferences and then activate http/2. But in any case; THIS command does set the ciphers - for Apache, nginx, dovecot, postfix and proftpd:

plesk sbin sslmng -v -v --custom --ciphers='ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS' --protocols='TLSv1 TLSv1.1 TLSv1.2'

Hope this helps - if not then you have a problem which is different to mine.
Tim

P.S. Just added a needed option "--custom"

 

[Ohya]

In my case this was rencent installed plesk 17.5

I uninstall and install multiple times drweb

And always get this

Plesk authorization failed: HTTP request error [35]

I restart PSA ( service psa stopall )

And I saw than drweb say "Unused"

So drweb was disabled in systemctl I just enable it and drweb restart without problems.