License key update fails on OpenSuSE 11.1

[Christian Gassmann]

The license key update fails on OpenSuSE 11.1 with the dreaded "SSL connect error". Downgrading libcurl is not an option, as there is no suitable rpm available.

# curl -k https://ka.parallels.com:5224 -2
curl: (35) error:1406D0CB:SSL routines:GET_SERVER_HELLOeer error no cipher

# curl -k https://ka.parallels.com:5224 -3
<html><head><title>Apache Tomcat/6.0.18 - Error report</title>[...]<u>Access to the specified resource (Only PKP XML-RPC requests to /xmlrpc are allowed on the port 5224) has been forbidden.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/6.0.18</h3></body></html>

Plesk Panel on my server is currently deactivated due to the invalid license. Please fix this urgently! Is there any other workaround?

Thanks very much,
Christian

 

[IgorG]

Christian,

I have submitted urgent request to developers regarding this problem. I will update this thread with results as soon as I receive it.

 

[IgorG]

Developers can't reproduce this problem. They have informed that there is the same curl error but all works fine with it. Seems you have very old certificate there.
They wants to know Plesk key number, output of

# host ka.parallels.com
# rpm -qa

 

[Christian Gassmann]

My Plesk key number is "PLSK.01132884.0004" (1&1 lease).

# host ka.parallels.com
ka.parallels.com has address 64.131.90.38

I've attached the package list.

Please let me know if there's anything else I can provide.

Thanks,
Christian

 

[IgorG]

Thank you. I have forwarded it to developers.

 

[Flat-Jack]

same problem

is there a workaround? I have the same problem...

OpenSuSE 11.1 - update from 9.3 to 9.5.1

 

[IgorG]

Problem still under developer's investigation. I will update thread with results.

 

[IgorG]

Could you please provide us output of following commands:

# host ka.swsoft.com
# ping -c 4 ka.swsoft.com
# openssl s_client -connect ka.swsoft.com:5224 -tls1
# /usr/lib64/plesk-9.0/key-upgrade; echo $?

 

[Christian Gassmann]

Here are the results:

# host ka.swsoft.com
ka.swsoft.com has address 64.131.90.38

# fping -c 4 ka.swsoft.com
ka.swsoft.com : [0], 96 bytes, 94.7 ms (94.7 avg, 0% loss)
ka.swsoft.com : [1], 96 bytes, 94.6 ms (94.6 avg, 0% loss)
ka.swsoft.com : [2], 96 bytes, 94.8 ms (94.7 avg, 0% loss)
ka.swsoft.com : [3], 96 bytes, 94.6 ms (94.7 avg, 0% loss)

ka.swsoft.com : xmt/rcv/%loss = 4/4/0%, min/avg/max = 94.6/94.7/94.8

# openssl s_client -connect ka.swsoft.com:5224 -tls1
CONNECTED(00000003)
6492:error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message:s3_pkt.c:1087:SSL alert number 10
6492:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

# /usr/lib64/plesk-9.0/key-upgrade; echo $?

1

 

[kevin anderson]

I'm not sure if this helps Suse customers, but running debian 5 and upgrading to plesk 9.5, I was having issues with the keys as well on a few of my servers. In each case, the server was using odd versions of php mixed with lenny's current versions of curl/libcurl/php5-curl . Making sure all php packages were upgraded correctly to the latest versions resolved the issue. (for example, I had to fix the servers sources.list to have the correct dotdeb.org repository settings, and re-ran apt)

Kevin

 

[glenkinchie]

My results:

# host ka.swsoft.com
ka.swsoft.com has address 64.131.90.38

# ping -c 4 ka.swsoft.com
PING ka.swsoft.com (64.131.90.38) 56(84) bytes of data.
64 bytes from ka.parallels.com (64.131.90.38): icmp_seq=1 ttl=50 time=97.7 ms
64 bytes from ka.parallels.com (64.131.90.38): icmp_seq=2 ttl=50 time=96.8 ms
64 bytes from ka.parallels.com (64.131.90.38): icmp_seq=3 ttl=50 time=97.0 ms
64 bytes from ka.parallels.com (64.131.90.38): icmp_seq=4 ttl=50 time=97.4 ms

--- ka.swsoft.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3011ms
rtt min/avg/max/mdev = 96.886/97.267/97.731/0.506 ms

# openssl s_client -connect ka.swsoft.com:5224 -tls1
CONNECTED(00000003)
1825:error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message:s3_pkt.c:1087:SSL alert number 10
1825:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

# /usr/lib64/plesk-9.0/key-upgrade; echo $?

1

 

[Martin Torke]

I have the same problem with Plesk 9.3 on SuSE 11.1

Here my results:

# host ka.swsoft.com
ka.swsoft.com has address 64.131.90.38

# ping -c 4 ka.swsoft.com
PING ka.swsoft.com (64.131.90.38) 56(84) bytes of data.
64 bytes from ka.parallels.com (64.131.90.38): icmp_seq=1 ttl=54 time=108 ms
64 bytes from ka.parallels.com (64.131.90.38): icmp_seq=2 ttl=54 time=110 ms
64 bytes from ka.parallels.com (64.131.90.38): icmp_seq=3 ttl=54 time=112 ms
64 bytes from ka.parallels.com (64.131.90.38): icmp_seq=4 ttl=54 time=112 ms

--- ka.swsoft.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 108.826/111.058/112.548/1.574 ms

# openssl s_client -connect ka.swsoft.com:5224 -tls1
CONNECTED(00000003)
3557:error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message:s3_pkt.c:1087:SSL alert number 10
3557:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

# /usr/lib/plesk-9.0/key-upgrade; echo $?

1

My Plesk-Key for version 9.3 is "PLSK.00882214.0000" and for Plesk 9.5 ist the new key "PLSK.01231904.0000"

 

[Roger Nordseth]

i got the same result with my debian server and the licencekey got updateted on 24 april and now i am stuck with 1 domain after update to 9.5. Do swsoft have problem with the finance? i just wonder

 

[IgorG]

I have received following information from developers:

He has broken SSL connect to ka.swsoft.com. The issue looks as an openssl bug. Didn't he compile openssl himself? Propose him to reinstall openssl:
# zypper install -f openssl openssl-certs
The correct output of openssl should be:
# openssl s_client -connect ka.swsoft.com:5224 -tls1
CONNECTED(00000003)
depth=0 /C=US/O=ka.plesk.com/OU=Business Registration: https://services.choicepoint.net/get.jsp?4110196571/OU=See www.geotrust.com/quickssl/cps (c)03/OU=Domain Control Validated/CN=ka.plesk.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/O=ka.plesk.com/OU=Business Registration: https://services.choicepoint.net/get.jsp?4110196571/OU=See www.geotrust.com/quickssl/cps (c)03/OU=Domain Control Validated/CN=ka.plesk.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/O=ka.plesk.com/OU=Business Registration: https://services.choicepoint.net/get.jsp?4110196571/OU=See www.geotrust.com/quickssl/cps (c)03/OU=Domain Control Validated/CN=ka.plesk.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/O=ka.plesk.com/OU=Business Registration: https://services.choicepoint.net/get.jsp?4110196571/OU=See www.geotrust.com/quickssl/cps (c)03/OU=Domain Control Validated/CN=ka.plesk.com
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
.........

 

[Christian Gassmann]

I've only installed standard OpenSuSE packages.

However, it looks like this is caused by OpenSSL's support for RFC4507bis session ticket. If this is disabled (with "-no_ticket"), the connection can be established. I'll try to recompile the srpm with disabled RFC4507bis.

# openssl s_client -connect ka.swsoft.com:5224 -tls1 -no_ticket
CONNECTED(00000003)
depth=0 /C=US/O=ka.plesk.com/OU=Business Registration: https://services.choicepoint.net/get.jsp?4110196571/OU=See www.geotrust.com/quickssl/cps (c)03/OU=Domain Control Validated/CN=ka.plesk.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/O=ka.plesk.com/OU=Business Registration: https://services.choicepoint.net/get.jsp?4110196571/OU=See www.geotrust.com/quickssl/cps (c)03/OU=Domain Control Validated/CN=ka.plesk.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/O=ka.plesk.com/OU=Business Registration: https://services.choicepoint.net/get.jsp?4110196571/OU=See www.geotrust.com/quickssl/cps (c)03/OU=Domain Control Validated/CN=ka.plesk.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/O=ka.plesk.com/OU=Business Registration: https://services.choicepoint.net/get.jsp?4110196571/OU=See www.geotrust.com/quickssl/cps (c)03/OU=Domain Control Validated/CN=ka.plesk.com
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
[...]
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 4BE0145F8FAC1D8C7AA58455871A39FF44410D619AB30A1E895573B9BE327A62
Session-ID-ctx:
Master-Key: 44A5286A8F0CF84BFF50BFEFDDD370BC826276DAF22C2992FEB901CF2C8BA5EDFD666426ECD76189CBF42AACE7433469
Key-Arg : None
Start Time: 1272976479
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
---

 

[Christian Gassmann]

Heureka! I successfully recompiled and installed OpenSSL SRPM and that fixed the issue!

Steps:

1. Download openssl-0.9.8h-28.15.1.src.rpm from OpenSuSE update site.
2. Install it with

# rpm -i openssl-0.9.8h-28.15.1.src.rpm

3. Modify the spec file /usr/src/packages/SPECS/openssl.spec. Search for text "enable-tlsext" and remove it.
4. Rebuild srpm with

# rpmbuild -bb openssl.spec

5. When the build is complete, install the RPMs from /usr/src/packages/RPMS/<arch>.

 

[Martin Torke]

I have now kopiliert openssl even with the instructions of Christian Gassmann.
Now, does the SSL connection to the Parallels server but unfortunately the system tells me that the key is invalid: (

Fehler: Der Lizenzkey ist ungültig. Um das Parallels Plesk Panel verwenden zu können, erwerben und installieren Sie bitte einen neuen funktionsfähigen Lizenzkey.
Die Anzahl der aktuell verwendeten Ressourcen überschreitet die durch Ihre Lizenz definierten Limits.
Die Anzahl der auf dem Server gehosteten Websites überschreitet die durch Ihre Lizenz definierten Limits. Sie hosten 20 Sites; Ihre Lizenz erlaubt jedoch nur 1 Sites.
Die Anzahl der verwalteten Kunden-Accounts überschreitet die durch Ihre Lizenz definierten Limits. Sie verwalten derzeit 3 Kunden-Accounts, Ihre Lizenz erlaubt jedoch nur 2 Kunden-Accounts.
Die Anzahl der verwalteten E-Mail-Accounts überschreitet die durch Ihre Lizenz definierten Limits. Sie verwalten derzeit 33 E-Mail-Accounts, Ihre Lizenz erlaubt jedoch nur 1 E-Mail-Accounts.



Key-Update-Status
License key PLSK.01231904.0002 is up-to-date.

My provider Strato has me and all other customers have a key for Plesk version 9.5 which made it really should work.

Currently I have installed yet Plesk 9.3 as the version 9.5 can not even install without the key.

Unfortunately, the report comes in the reuse of old keys, which this was invalid.

 

[IgorG]

Ok. I have informed developers about your experience with openssl recompiling. Let's wait their answer.

 

[pstadler]

Same on debian lenny

I have exactly the same problem but on debian lenny.

I updated from psa 9.3.0 (debian etch) to psa 9.5.1 (debian lenny).
Now my panel is blocked and when i try to retrieve the key it just says "Software Update Service (SUS) is not found for the given license key. Automatic upgrade is not possible "

I tried to use the old versions of openssl / libcurl, but if I do so the panel is not reachable (error 500).
Has anyone a solution? Is there a CLI option for key retrieval?

Thanks in advance.

 

[Martin Torke]

This is the Plesk Key care, because after the log out and log back in Plesk, the system has accepted the key.

thx, christian