YUM update of mod_ssl, openssl, httpd on RHEL 5.4 hosts breaks psa

[Adambplusplus]

Good morning, everybody. This is more of a warning than anything else; just to help out those who are having similar problems as me.

Last night, two of my plesk 9.2 servers did a 'yum update' as they do every week around this time. However, this week, 2 minutes after the yum update, the Plesk Control panel stopped working altogether. Trying to restart psa /etc/init.d/psa restart, or trying to restart sw-cp-server, /etc/init.d/sw-cp-server restart , would report that the plesk control panel wasn't starting. All my hosted web sites worked fine; no problems apart from the control panel.

Plesk isnt' much for logging, and the only logs I could find explaining this were in /var/log/sw-cp-server/error_log, which was this:

2010-03-25 09:58:15: (log.c.75) server started
2010-03-25 09:58:15: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)


That's it, which is a pretty nondescript error.

I went through looking for SSL certificates, since maybe one of them got botched, or maybe it was expired and, plesk 9.2 doesn't like expired certs, and the like.

However, I dug through my /var/log/yum.log, and found that mod_ssl, openssl, and httpd were updated immediately before the problem started.

So, I did this, in /var/log:
[root@server1]# grep openssl rpmpkgs rpmpkgs.1
rpmpkgspenssl-0.9.8e-12.el5_4.6.i686.rpm
rpmpkgs.1penssl-0.9.8e-12.el5_4.1.i686.rpm

[root@server1]# grep mod_ssl rpmpkgs rpmpkgs.1
rpmpkgs:mod_ssl-2.2.3-31.el5_4.4.i386.rpm
rpmpkgs.1:mod_ssl-2.2.3-31.el5_4.2.i386.rpm

[root@server1]# grep httpd rpmpkgs rpmpkgs.1
rpmpkgs:httpd-2.2.3-31.el5_4.4.i386.rpm
rpmpkgs.1:httpd-2.2.3-31.el5_4.2.i386.rpm

Aha, we had a slight change in those packages. Red Hat is very good at providing backwards compatibility, but something inside the sw-cp-server doesn't jive with the newer version of /lib/ssl.so.6 (symlinked to /lib/libssl.so.0.9.8e) and it won't run, period.

I logged into RHN, grabbed the previous versions of the packages, and installed them with:
rpm -Uvh --oldpackage *.rpm
They went in fine, I restarted apache, and restarted psa, and everything is peachy keen now.

I put this in /etc/yum.conf:
exclude=mod_ssl* openssl* httpd*

which will keep those packages from getting updated. This will likely cause problems updating in the future, and might cascade to other applications (for example, if another program needs a newer version of openssl to work properly) but for now, it's working.

Parallels, I'd encourage you to look into this issue, and then fix it. It's a bugger to figure out the first time, but I'll certainly know what to do in the future when this happens.

 

[thewolf]

It appears we hit the same issue with RHEL 5.4 and Plesk 9.3.

Is a Plesk hotfix coming out soon?
Anyone from Parallels?

Thanks.

 

[C4talyst]

Same here, several boxes down...not good.

 

[105547111]

Its not mod_ssl and httpd you can update those. Its openssl. Some stupid package is plesk is hardcoded against the libraries.

This effects everybuild of plesk, so far seems Fedora / Redhat / Centos

Parallels - a fix is needed FAST.

By not upgrading openssh firstly there are 4 CVE exploits on the 0.9.8k alone, plus soon other packages will need the newer libraries.

 

[sunshine123]

Hello,

Anyone from Parallels?

Still, I cannot start the Plesk control panel too.

Thanks

 

[nedry]

If a yum update has already borked your control panel you can get it up and running again, at least until the next yum update or a fix from Parallels.

This worked for me with Plesk 9.3 and CentOS 5.4:
# yum downgrade openssl* mod_ssl* httpd*
# service sw-cp-server restart
# service httpd restart

 

[Farsus]

looks like it only kill 9 serie our 8.6 boxes on centos 5.4 running perfect after Openssl opgrade.
Openssl upgrade on our 9.3 boxes lock us ot from plesk but sites stil was running
To get access back to plesk 9.3's we had to downgrade Openssl
Wich are not Good!
A bug fix has to come fast!!

 

[zeki79]

here the same, openssl breaks plesk on cetos5.4 / plesk 9.3

 

[breun]

If you want to downgrade openssl and the packages that depend on it, check http://www.atomicorp.com/forum/viewtopic.php?p=22723#p22723 for instructions.

 

[andi_t]

Parallels Plesk 9.3.0 seems to have OpenSSL as an RPM package. And this version doesnt break Plesk Panel 9.3.0
So I did just the following to get Plesk Panel working again:

# wget http://autoinstall.plesk.com/PSA_9.3.0/update-rpm-CentOS-5-i386/openssl-0.9.8e-12.el5.i386.rpm
# rpm -U --force openssl-0.9.8e-12.el5.i386.rpm

Is this the same version (as seen from security patch level) as the version from CentOS repositories?

 

[breun]

The previous CentOS release is openssl-0.9.8e-12.el5_4.1, the current CentOS release is openssl-0.9.8e-12.el5_4.6. I downloaded the package hosted by Parallels and that seems to be built on 03 Sep 2009, which is older than the latest two releases in the CentOS repositories. Also yum will regard it as older (0.9.8e-12.el5 < 0.9.8e-12.el5_4.1 < 0.9.8e-12.el5_4.6).

 

[IgorG]

Discussion here - http://forum.parallels.com/showthread.php?p=408385#post408385

 

[mike2010]

Is this why my plesk is broke after doing a Yum Update yesterday ? I had version 9.2.3 Plesk...and CentOs 5 installed before doing the update.

My sites work fine and all...but Plesk is broke. (connection failed)

Here is my Yum log from yesterday -

Apr 01 174436 Updated tzdata-2010e-1.el5.noarch
Apr 01 174440 Updated kernel-headers-2.6.18-164.15.1.el5.i386
Apr 01 174444 Updated openssl-0.9.8e-12.el5_4.6.i686
Apr 01 174444 Updated nspr-4.8.4-1.el5_4.i386
Apr 01 174445 Updated nss-3.12.6-1.el5.centos.i386
Apr 01 174445 Updated php-common-5.2.13-1.el5.art.i386
Apr 01 174446 Updated mysql-libs-5.0.90-1.el5.art.i386
Apr 01 174447 Updated gnutls-1.4.1-3.el5_4.8.i386
Apr 01 174447 Updated cyrus-sasl-lib-2.1.22-5.el5_4.3.i386
Apr 01 174447 Updated 1cups-libs-1.3.7-11.el5_4.6.i386
Apr 01 174448 Updated php-pdo-5.2.13-1.el5.art.i386
Apr 01 174448 Updated openssh-4.3p2-36.el5_4.4.i386
Apr 01 174448 Updated cyrus-sasl-plain-2.1.22-5.el5_4.3.i386
Apr 01 174449 Updated php-cli-5.2.13-1.el5.art.i386
Apr 01 174449 Updated pango-1.14.9-8.el5.centos.i386
Apr 01 174450 Updated openssl097a-0.9.7a-9.el5_4.2.i386
Apr 01 174450 Updated libXi-1.0.1-4.el5_4.i386
Apr 01 174451 Updated openssh-clients-4.3p2-36.el5_4.4.i386
Apr 01 174451 Updated php-mysql-5.2.13-1.el5.art.i386
Apr 01 174451 Updated php-gd-5.2.13-1.el5.art.i386
Apr 01 174451 Updated php-mbstring-5.2.13-1.el5.art.i386
Apr 01 174452 Updated php-xml-5.2.13-1.el5.art.i386
Apr 01 174452 Updated nss-tools-3.12.6-1.el5.centos.i386
Apr 01 174453 Updated cpio-2.6-23.el5_4.1.i386
Apr 01 174454 Updated 2tar-1.15.1-23.0.1.el5_4.2.i386
Apr 01 174501 Updated coreutils-5.97-23.el5_4.2.i386
Apr 01 174503 Updated pam-0.99.6.2-6.el5_4.1.i386
Apr 01 174505 Updated httpd-2.2.3-31.el5.centos.4.i386
Apr 01 174506 Updated 1NetworkManager-0.7.0-9.el5_4.i386
Apr 01 174507 Updated 1NetworkManager-glib-0.7.0-9.el5_4.i386
Apr 01 174507 Updated cyrus-sasl-2.1.22-5.el5_4.3.i386
Apr 01 174508 Updated mysql-5.0.90-1.el5.art.i386
Apr 01 174514 Updated mysql-server-5.0.90-1.el5.art.i386
Apr 01 174514 Updated sudo-1.6.9p17-6.el5_4.i386
Apr 01 174514 Updated openssh-server-4.3p2-36.el5_4.4.i386
Apr 01 174519 Updated 1cups-1.3.7-11.el5_4.6.i386
Apr 01 174534 Installed kernel-2.6.18-164.15.1.el5.i686
Apr 01 174535 Updated php-5.2.13-1.el5.art.i386
Apr 01 174535 Updated php-imap-5.2.13-1.el5.art.i386
Apr 01 174535 Updated 1mod_ssl-2.2.3-31.el5.centos.4.i386


If this is why its broke , Can someone baby step me through it ? I never had to do a downgrade before..

I appreciate it much.

 

[mike2010]

nevermind..I did the quick fix..and it fixed it.