updated key yesterday (SUS) now psa refuses to start!

[David Cottle]

IgorG,

I purchased 2 years of SUS. I had to open a ticket as I only got 1 year, its been resolved.

However this morning I went to log into plesk to mark some spam messages and found I can't connect to port 8443.

Luckily ftp / http / dns / mail still seem to be running.

I try to restart psa and all I get is failed.

Rebooted the server and its the same. Luckily other services came back up.

I am at a loss as nothing has been touched since the key update and how the GUI has quit.

I found one thread here that talks about the owners and permissions in /etc/sw these all seem fine.

Can someone help me?

Thanks!

 

[IgorG]

It is very difficult to say what is wrong there without any error messages, logs, etc. I'm not usual supporter and I can't login to your server and check and fix all there, right? Therefore I need more details as forum's resident.
First of all check that you have enough free disk space there. Then try to start /etc/init.d/psa service and find any related errors in /var/log/sw-cp-server/error_log

 

[David Cottle]

Hi IgorG,

Thanks for the reply. Looks like I got another bug. Fedora update openssl from 0.9.8k to 0.9.8m and now also 0.9.8n

Its this stopping plesk. I filled a bugzilla but its not much help. Is plesk compiled hard against openssl version?

Somehow I need to get fedora + parallels together to fix this as there are some mahor CVS security issues so updating openssl is now critical.

https://bugzilla.redhat.com/show_bug.cgi?id=577082

2010-03-26 05:14:04: (log.c.135) server stopped
2010-03-26 05:14:04: (log.c.75) server started
2010-03-26 05:14:04: (network.c.336) SSL:
error:00000000:lib(0):func(0):reason(0)
2010-03-26 05:14:05: (log.c.75) server started
2010-03-26 05:14:05: (network.c.336) SSL:
error:00000000:lib(0):func(0):reason(0)
2010-03-26 05:19:07: (log.c.75) server started
2010-03-26 05:19:07: (network.c.336) SSL:
error:00000000:lib(0):func(0):reason(0)
2010-03-26 05:19:07: (log.c.75) server started
2010-03-26 05:19:07: (network.c.336) SSL:
error:00000000:lib(0):func(0):reason(0)
2010-03-26 05:24:09: (log.c.75) server started
2010-03-26 05:24:09: (network.c.336) SSL:
error:00000000:lib(0):func(0):reason(0)
2010-03-26 05:24:09: (log.c.75) server started
2010-03-26 05:24:09: (network.c.336) SSL:
error:00000000:lib(0):func(0):reason(0)
2010-03-26 05:29:11: (log.c.75) server started
2010-03-26 05:29:11: (network.c.336) SSL:
error:00000000:lib(0):func(0):reason(0)
2010-03-26 05:29:11: (log.c.75) server started
2010-03-26 05:29:11: (network.c.336) SSL:
error:00000000:lib(0):func(0):reason(0)
2010-03-26 05:34:14: (log.c.75) server started
2010-03-26 05:34:14: (network.c.336) SSL:
error:00000000:lib(0):func(0):reason(0)
2010-03-26 05:34:14: (log.c.75) server started
2010-03-26 05:34:14: (network.c.336) SSL:
error:00000000:lib(0):func(0):reason(0)
2010-03-26 09:56:13: (log.c.75) server started
2010-03-26 09:56:13: (network.c.336) SSL:
error:00000000:lib(0):func(0):reason(0)
2010-03-26 09:56:13: (log.c.75) server started
2010-03-26 09:56:13: (network.c.336) SSL:
error:00000000:lib(0):func(0):reason(0)
2010-03-26 09:56:34: (log.c.75) server started
2010-03-26 09:56:34: (network.c.336) SSL:
error:00000000:lib(0):func(0):reason(0)
2010-03-26 09:56:34: (log.c.75) server started
2010-03-26 09:56:34: (network.c.336) SSL:
error:00000000:lib(0):func(0):reason(0)
2010-03-26 09:57:41: (log.c.75) server started
2010-03-26 09:57:41: (network.c.336) SSL:
error:00000000:lib(0):func(0):reason(0)
2010-03-26 09:57:41: (log.c.75) server started
2010-03-26 09:57:41: (network.c.336) SSL:
error:00000000:lib(0):func(0):reason(0)
2010-03-26 10:03:05: (log.c.75) server started
2010-03-26 10:03:05: (network.c.336) SSL:
error:00000000:lib(0):func(0):reason(0)
2010-03-26 10:03:05: (log.c.75) server started
2010-03-26 10:03:05: (network.c.336) SSL:
error:00000000:lib(0):func(0):reason(0)

Rollback openssl

Give up final rollback (give it starts and stops)

2010-03-26 14:29:33: (log.c.75) server started
2010-03-26 14:29:42: (log.c.135) server stopped
2010-03-26 14:29:43: (log.c.75) server started
2010-03-26 14:29:45: (log.c.135) server stopped
2010-03-26 14:29:45: (log.c.75) server started

 

[thewolf]

It looks like we hit the same issue with the latest updates for Red Hat Enterprise Linux 5: the Plesk 9.3 control panel won't start anyone.

Is a Plesk hotfix coming out soon?

Thanks.

 

[105547111]

IgorG,

psa-proftpd needs to be recompiled it's built against the old OpenSSL library directly.

I think a workaround needs to be mentioned all references to tls needs to be removed out of /etc/proftpd.conf as if tls is mentioned plesk fails to start.

As OpenSSL now has 3 CVE flaws updating OpenSSL is a priority.

ARTS package is the same. Also can you get psa-proftpd updated it's also got vulnerabilitys in CVE also.

Thanks!

 

[Ionut]

I too have this problem. Any fixes?

 

[105547111]

I can't get it stable with an updated OpenSSL. Damn this will take parallels a while as binaries need to be recompiled.

Why are they built specific to a exact version, If every package was like this update something like php and rebuild 50 packages?

Hope for a temp fast fix would be putting in symlinks from the old name to the new library.

So wonderful have to run abversion of OpenSSL containing 4 CVE or update and the plesk GUI.

I see if I can towards a fix.

is there anyway knowing what libraries it's looking for?

This case it's simply 0.9.8k-5 going to 0.9.8n-1

 

[thewolf]

The workaround doesn't seem to apply to my Plesk 9.3.0 installation on RHEL5: I'm running the stock psa-proftpd-1.3.1-rhel5.build93091230.06 package and there are no tls references in the /etc/proftpd.conf file. Still, I cannot start the Plesk control panel.

Anyone from Parallels?

 

[C4talyst]

Same problem...I wouldn't expect much in the way of support here since every forum post is moderated. This discussion along could take a month.

 

[105547111]

The issue is openssl - parallels have compiled directly against the version.

All you can do is wait for a fix and prey its fast, soon newer packages will start failing to update due to older libraries.

I suspect every OS is effected, certainly RPM based.

In future don't build stuff hard against library versions!

 

[105547111]

While digging around in the /var/log/sw-cp-server I see these every single time I open phpMyAdmin:

2010-03-28 11:59:26: (mod_fastcgi.c.2582) FastCGI-stderr: PHP Notice: Undefined index: pma_fontsize in /usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin/libraries/Config.class.php on line 555

2010-03-28 11:59:26: (mod_fastcgi.c.2582) FastCGI-stderr: PHP Notice: Undefined index: pma_fontsize in /usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin/libraries/Config.class.php on line 555

2010-03-28 11:59:26: (mod_fastcgi.c.2582) FastCGI-stderr: PHP Notice: Undefined index: pma_fontsize in /usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin/phpmyadmin.css.php on line 42

2010-03-28 11:59:52: (mod_fastcgi.c.2582) FastCGI-stderr: PHP Notice: Undefined index: pma_fontsize in /usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin/phpmyadmin.css.php on line 42

2010-03-28 11:59:52: (mod_fastcgi.c.2582) FastCGI-stderr: PHP Notice: Undefined index: pma_fontsize in /usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin/phpmyadmin.css.php on line 42

 

[sunshine123]

Hello,

Anyone from Parallels?

Still, I cannot start the Plesk control panel too.

 

[Saif Bechan]

Solution to this problem that worked for me

@thewolf I had the same problem as you this evening. I couldn't get into my
plesk pannel after installing various updates such as openssl and proftpd.

My system is CentOS 5.4 tho, but i do have plesk 9.3. My errors where exactly
like yours:

I have the following errors in the /var/log/sw-cp-server/error_log file:
2010-03-26 15:59:20: (log.c.75) server started
2010-03-26 15:59:20: (network.c.336) SSL:
error:00000000:lib(0):func(0):reason(0)

I checked my proftpd.conf file for any tls values but there were none.

I tried the following:

/etc/init.d/xinetd stop
/etc/init.d/psa start

No success there either.

After painstaking hours of searching on the internet I was just planning on
letting my host do a complete reinstall of the system. Then I thought i can
mess up the system now.

The first thing i did was:

# yum downgrade psa-proftpd
> Only Upgrade available on package: psa-proftpd-1.3.2-6.el5.art.i386

So i tried openssl

#yum downgrade openssl
---> Package openssl.i686 0:0.9.8e-12.el5_4.1 set to be updated
---> Package openssl.i686 0:0.9.8e-12.el5_4.6 set to be erased

This downgraded openssl to version 4.1. After that I tried to restart psa and
everything was online again.

I recommend you try to downgrade the openssl version, i bet that will do the
trick. I still have the newest versions of all the packages available,
including proftpd. Only the openssl package was giving me problems.

Regards

 

[Juan JoseS]

#yum downgrade openssl
---> Package openssl.i686 0:0.9.8e-12.el5_4.1 set to be updated
---> Package openssl.i686 0:0.9.8e-12.el5_4.6 set to be erased

This downgraded openssl to version 4.1. After that I tried to restart psa and
everything was online again.

I recommend you try to downgrade the openssl version, i bet that will do the
trick. I still have the newest versions of all the packages available,
including proftpd. Only the openssl package was giving me problems.

Regards

Thanks thanks thanks.

It's also works ok for me.

 

[ideasmultiples]

I had the same problem after update openssl.

yum downgrade no work some times due some plesk required packages....

 

[Saif Bechan]

@ideasmultiples

Maybe try and just uninstall opensll, and then reinstall the version before. I got it to work with version openssl.i686 0:0.9.8e-12.el5_4.1

Maybe the manual install will do the trick for you.

good luck

 

[sunshine123]

#yum downgrade openssl
---> Package openssl.i686 0:0.9.8e-12.el5_4.1 set to be updated
---> Package openssl.i686 0:0.9.8e-12.el5_4.6 set to be erased

This downgraded openssl to version 4.1. After that I tried to restart psa and
everything was online again.

I recommend you try to downgrade the openssl version, i bet that will do the
trick. I still have the newest versions of all the packages available,
including proftpd. Only the openssl package was giving me problems.

Regards

Thank you very much - Now it works ;-))))

 

[BlaineH]

For those of you running RHEL4 the problem is fixed by downgrading to the following packages:

httpd-2.0.52-41.ent.6.i386.rpm
httpd-suexec-2.0.52-41.ent.6.i386.rpm
mod_ssl-2.0.52-41.ent.6.i386.rpm
openssl-0.9.7a-43.17.el4_7.2.i386.rpm
openssl-devel-0.9.7a-43.17.el4_7.2.i386.rpm

I know it's uncomfortable downgrading when there's a known security vulnerability in these packages. But until they can fix the underlying dependency on these packages we really don't have a choice.

 

[Ross Annetts]

steps for fixing manually for CentOS 5 x86_64:

wget ftp://ftp.pbone.net/mirror/ftp.centos.org/5.4/updates/x86_64/RPMS/openssl-0.9.8e-12.el5_4.1.i686.rpm
wget ftp://ftp.pbone.net/mirror/ftp.cent..._64/RPMS/openssl-0.9.8e-12.el5_4.1.x86_64.rpm
rpm -e --nodeps openssl.i386
rpm -e --nodeps openssl.x86_64
rpm -Uvh openssl-0.9.8e-12.el5_4.1.i686.rpm
rpm -Uvh openssl-0.9.8e-12.el5_4.1.x86_64.rpm
service psa stopall
service psa start

also for those using Virtuozzo don't update the cache for your CentOS 5 ez templates until its fixed unless you want to do this for all new CentOS containers.

 

[David Cottle]

For those of you running RHEL4 the problem is fixed by downgrading to the following packages:

httpd-2.0.52-41.ent.6.i386.rpm
httpd-suexec-2.0.52-41.ent.6.i386.rpm
mod_ssl-2.0.52-41.ent.6.i386.rpm
openssl-0.9.7a-43.17.el4_7.2.i386.rpm
openssl-devel-0.9.7a-43.17.el4_7.2.i386.rpm

I know it's uncomfortable downgrading when there's a known security vulnerability in these packages. But until they can fix the underlying dependency on these packages we really don't have a choice.

BlaineH,

Why are you downgrading httpd and mod_ssl these are NOT the cause.

Only openssl

I would upgrade your httpd / mod_ssl if I were you..