Description of problem:
Last two updates (0.9.8m and 0.9.8n) kill plesk on my webserver. Some change in openssl.

[root@server ~]# /etc/init.d/psa restart
PSA is down, performing full restart.
Starting xinetd service... done
Starting named service... done
Starting mysqld service... done
Starting postgresql service... not installed
Starting psa-spamassassin service... done
Plesk: Starting Mail Server... already started
Starting mail handlers tmpfs storage
Starting Plesk... failed
Starting drwebd service... failed

Downgrade openssl back to 0.9.8k-5 and it works again:

[root@server ~]# /etc/init.d/psa restart
PSA is down, performing full restart.
Starting xinetd service... done
Starting named service... done
Starting mysqld service... done
Starting postgresql service... not installed
Starting psa-spamassassin service... done
Plesk: Starting Mail Server... already started
Starting mail handlers tmpfs storage
Starting Plesk... done
Starting drwebd service... done
Can you please look into the /var/log/messages or other log files Plesk produces and try to find out some error messages from it?
Hi Tomas, Yes, here are the errors - this is when it went down (05:14 local time). I tried even a reboot.

2010-03-26 05:14:04: (log.c.135) server stopped
2010-03-26 05:14:04: (log.c.75) server started
2010-03-26 05:14:04: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 05:14:05: (log.c.75) server started
2010-03-26 05:14:05: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 05:19:07: (log.c.75) server started
2010-03-26 05:19:07: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 05:19:07: (log.c.75) server started
2010-03-26 05:19:07: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 05:24:09: (log.c.75) server started
2010-03-26 05:24:09: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 05:24:09: (log.c.75) server started
2010-03-26 05:24:09: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 05:29:11: (log.c.75) server started
2010-03-26 05:29:11: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 05:29:11: (log.c.75) server started
2010-03-26 05:29:11: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 05:34:14: (log.c.75) server started
2010-03-26 05:34:14: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 05:34:14: (log.c.75) server started
2010-03-26 05:34:14: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 09:56:13: (log.c.75) server started
2010-03-26 09:56:13: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 09:56:13: (log.c.75) server started
2010-03-26 09:56:13: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 09:56:34: (log.c.75) server started
2010-03-26 09:56:34: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 09:56:34: (log.c.75) server started
2010-03-26 09:56:34: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 09:57:41: (log.c.75) server started
2010-03-26 09:57:41: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 09:57:41: (log.c.75) server started
2010-03-26 09:57:41: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 10:03:05: (log.c.75) server started
2010-03-26 10:03:05: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 10:03:05: (log.c.75) server started
2010-03-26 10:03:05: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 10:06:03: (log.c.75) server started
2010-03-26 10:06:03: (network.c.300) can't bind to port: 127.0.0.1 10001 Cannot assign requested address
2010-03-26 10:06:03: (log.c.75) server started
2010-03-26 10:06:03: (network.c.300) can't bind to port: 127.0.0.1 10001 Cannot assign requested address
2010-03-26 10:06:04: (log.c.75) server started
2010-03-26 10:06:04: (network.c.300) can't bind to port: 127.0.0.1 10001 Cannot assign requested address
2010-03-26 10:06:04: (log.c.75) server started
2010-03-26 10:06:04: (network.c.300) can't bind to port: 127.0.0.1 10001 Cannot assign requested address
2010-03-26 10:06:06: (log.c.75) server started
2010-03-26 10:06:06: (network.c.300) can't bind to port: 127.0.0.1 10001 Cannot assign requested address
2010-03-26 10:06:06: (log.c.75) server started
2010-03-26 10:06:06: (network.c.300) can't bind to port: 127.0.0.1 10001 Cannot assign requested address
2010-03-26 10:06:53: (log.c.75) server started
2010-03-26 10:06:53: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 10:06:54: (log.c.75) server started
2010-03-26 10:06:54: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 10:07:12: (log.c.75) server started
2010-03-26 10:07:12: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 10:07:12: (log.c.75) server started
2010-03-26 10:07:12: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 10:08:15: (log.c.75) server started
2010-03-26 10:08:15: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 10:08:15: (log.c.75) server started
2010-03-26 10:08:15: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 10:11:53: (log.c.75) server started
2010-03-26 10:11:53: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 10:11:53: (log.c.75) server started
2010-03-26 10:11:53: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 10:13:48: (log.c.75) server started
2010-03-26 10:13:48: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 10:13:48: (log.c.75) server started
2010-03-26 10:13:48: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 10:16:55: (log.c.75) server started
2010-03-26 10:16:55: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 10:16:55: (log.c.75) server started
2010-03-26 10:16:55: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 10:20:29: (log.c.75) server started
2010-03-26 10:20:29: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 10:20:29: (log.c.75) server started
2010-03-26 10:20:29: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 10:21:58: (log.c.75) server started
2010-03-26 10:21:58: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 10:21:58: (log.c.75) server started
2010-03-26 10:21:58: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 10:33:18: (log.c.75) server started
2010-03-26 10:33:18: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 10:33:18: (log.c.75) server started
2010-03-26 10:33:18: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 11:04:52: (log.c.75) server started
2010-03-26 11:04:52: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 11:04:52: (log.c.75) server started
2010-03-26 11:04:52: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 11:26:49: (log.c.75) server started
2010-03-26 11:26:49: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 11:26:49: (log.c.75) server started
2010-03-26 11:26:49: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 11:32:46: (log.c.75) server started
2010-03-26 11:32:46: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 11:32:46: (log.c.75) server started
2010-03-26 11:32:46: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 11:33:19: (log.c.75) server started
2010-03-26 11:33:19: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 11:33:19: (log.c.75) server started
2010-03-26 11:33:19: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 12:23:16: (log.c.75) server started
2010-03-26 12:23:16: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 12:23:16: (log.c.75) server started
2010-03-26 12:23:16: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 12:27:27: (log.c.75) server started
2010-03-26 12:27:27: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 12:27:28: (log.c.75) server started
2010-03-26 12:27:28: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 12:33:14: (log.c.75) server started
2010-03-26 12:33:14: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 12:33:14: (log.c.75) server started
2010-03-26 12:33:14: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 12:33:38: (log.c.75) server started
2010-03-26 12:33:38: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 12:33:38: (log.c.75) server started
2010-03-26 12:33:38: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 12:46:46: (log.c.75) server started
2010-03-26 12:46:46: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 12:46:46: (log.c.75) server started
2010-03-26 12:46:46: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 12:51:34: (log.c.75) server started
2010-03-26 12:51:34: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 12:51:34: (log.c.75) server started
2010-03-26 12:51:34: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 12:58:04: (log.c.75) server started
2010-03-26 12:58:04: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 12:58:04: (log.c.75) server started
2010-03-26 12:58:04: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)

Now I roll back openssl:

2010-03-26 13:08:39: (log.c.75) server started

Now update it back again:

2010-03-26 14:13:49: (log.c.135) server stopped
2010-03-26 14:13:49: (log.c.75) server started
2010-03-26 14:13:49: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 14:13:49: (log.c.75) server started
2010-03-26 14:13:49: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 14:13:58: (log.c.75) server started
2010-03-26 14:13:58: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 14:13:58: (log.c.75) server started
2010-03-26 14:13:58: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 14:14:07: (log.c.75) server started
2010-03-26 14:14:07: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 14:14:07: (log.c.75) server started
2010-03-26 14:14:07: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 14:15:14: (log.c.75) server started
2010-03-26 14:15:14: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 14:15:14: (log.c.75) server started
2010-03-26 14:15:14: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 14:15:27: (log.c.75) server started
2010-03-26 14:15:27: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 14:15:27: (log.c.75) server started
2010-03-26 14:15:27: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 14:16:59: (log.c.75) server started
2010-03-26 14:16:59: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 14:16:59: (log.c.75) server started
2010-03-26 14:16:59: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)

Roll back once again to be certain:

2010-03-26 14:22:13: (log.c.75) server started

Update it again:

2010-03-26 14:23:35: (log.c.135) server stopped
2010-03-26 14:23:35: (log.c.75) server started
2010-03-26 14:23:35: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 14:23:35: (log.c.75) server started
2010-03-26 14:23:35: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 14:23:39: (log.c.75) server started
2010-03-26 14:23:39: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 14:23:39: (log.c.75) server started
2010-03-26 14:23:39: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 14:24:43: (log.c.75) server started
2010-03-26 14:24:43: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 14:24:43: (log.c.75) server started
2010-03-26 14:24:43: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)

Another roll back:

2010-03-26 14:25:55: (log.c.75) server started

Another update:

2010-03-26 14:28:00: (log.c.135) server stopped
2010-03-26 14:28:00: (log.c.75) server started
2010-03-26 14:28:00: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 14:28:00: (log.c.75) server started
2010-03-26 14:28:00: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 14:28:03: (log.c.75) server started
2010-03-26 14:28:03: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 14:28:03: (log.c.75) server started
2010-03-26 14:28:03: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 14:28:21: (log.c.75) server started
2010-03-26 14:28:21: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
2010-03-26 14:28:21: (log.c.75) server started
2010-03-26 14:28:21: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)

Give up, final rollback (give it starts and stops):

2010-03-26 14:29:33: (log.c.75) server started
2010-03-26 14:29:42: (log.c.135) server stopped
2010-03-26 14:29:43: (log.c.75) server started
2010-03-26 14:29:45: (log.c.135) server stopped
2010-03-26 14:29:45: (log.c.75) server started
Unfortunately this is not too helpful. The 0 error is no error at all so it means that the plesk does something weird and it thinks there is some kind of openssl error although there is none. I suspect that plesk is checking the exact version of openssl and refusing to start if it is changed however this is not a correct behavior.
Hi Tomas, I just asked parallels if anything in plesk is compiled against a specific version.. http://forum.parallels.com/showthread.php?t=100254 I doubt this as I have had openssl updates before: 0.9.8j to k as well as j updates.
I found this in /messages:

Mar 26 10:09:47 server proftpd[4175]: mod_tls/2.4.1: compiled using OpenSSL version 'OpenSSL 0.9.8k-fips 25 Mar 2009' headers, but linked to OpenSSL version 'OpenSSL 0.9.8m-fips 25 Feb 2010' library
I tracked it down! You can push openssl to testing please. The fault is art package of psa-proftpd, it must be compiled against a specific version! psa-proftpd.i586 1.3.3-1.fc11.art I rolled back to parallels original psa-proftpd.i586 1.3.1-fc11.build93091230.06 and now with new openssl plesk starts and stops! I filed a bug over on art for this. Thanks!
Yes, this is an example of bad version check although in case of proftpd it just logs the message and continues. The check should allow running against newer patchlevels of openssl without restriction.
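The patchlevel-tolerant check described in the comment above, next to an over-strict one, as an added C example that is not part of the original thread and is not code from ProFTPD, mod_tls or Plesk. It assumes the 0xMNNFFPPS version-number layout used by OpenSSL 0.9.x/1.0.x; the function names and the constants for the releases named in this thread are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL 0.9.x/1.0.x pack the version as 0xMNNFFPPS: major, minor, fix,
 * patch letter (a=1, b=2, ...) and a status nibble (0xf = release). */
struct ossl_version { unsigned major, minor, fix, patch, status; };

/* Constructed constants for the releases named in this thread. */
#define V_0_9_8K 0x009080bfUL
#define V_0_9_8M 0x009080dfUL
#define V_0_9_8N 0x009080efUL
#define V_1_0_0  0x1000000fUL

static struct ossl_version decode_version(unsigned long v)
{
    struct ossl_version d = {
        (unsigned)((v >> 28) & 0xf), (unsigned)((v >> 20) & 0xff),
        (unsigned)((v >> 12) & 0xff), (unsigned)((v >> 4) & 0xff),
        (unsigned)(v & 0xf)
    };
    return d;
}

/* Render "0.9.8k" style text into buf and return buf. */
static char *format_version(unsigned long v, char *buf, size_t len)
{
    struct ossl_version d = decode_version(v);
    char letter[2] = { 0, 0 };
    if (d.patch >= 1 && d.patch <= 26)
        letter[0] = (char)('a' + d.patch - 1);
    snprintf(buf, len, "%u.%u.%u%s", d.major, d.minor, d.fix, letter);
    return buf;
}

/* Over-strict check: any difference, even a security patchlevel, fails. */
static int strict_match(unsigned long compiled, unsigned long linked)
{
    return compiled == linked;
}

/* Tolerant check: same major.minor.fix, and the library patchlevel is not
 * older than the headers. The status nibble is ignored here. In a real
 * module the arguments would be OPENSSL_VERSION_NUMBER and SSLeay(). */
static int patchlevel_compatible(unsigned long compiled, unsigned long linked)
{
    struct ossl_version c = decode_version(compiled);
    struct ossl_version l = decode_version(linked);
    return c.major == l.major && c.minor == l.minor && c.fix == l.fix
        && l.patch >= c.patch;
}

int main(void)
{
    unsigned long libs[] = { V_0_9_8K, V_0_9_8M, V_0_9_8N, V_1_0_0 };
    char hdr[16], lib[16];
    size_t i;
    for (i = 0; i < sizeof libs / sizeof libs[0]; i++)
        printf("headers %s, library %s: strict=%d tolerant=%d\n",
               format_version(V_0_9_8K, hdr, sizeof hdr),
               format_version(libs[i], lib, sizeof lib),
               strict_match(V_0_9_8K, libs[i]),
               patchlevel_compatible(V_0_9_8K, libs[i]));
    return 0;
}
```

With headers from 0.9.8k, the tolerant check accepts the 0.9.8m and 0.9.8n libraries and rejects 1.0.0, while the strict check rejects everything except 0.9.8k itself.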
Please add karma to the 0.9.8n update request to compensate for the -1.
Done your plus one now :) I disabled TLS on proftpd to get by. Thanks!
I've hit what appears to be the same issue with Plesk 9.3 on Red Hat Enterprise Linux 5 after applying the latest openssl update. I'm using the stock psa-proftpd-1.3.1-rhel5.build93091230.06 package that comes with Plesk and I'm not sure if TLS is enabled for it and if it's actually causing the issue with the Plesk control panel not starting. How can I check on that? Thanks.
Edit your /etc//proftpd.conf and remove all references to tls. I found commenting it out did not help. Check your /var/log/messages and grep for proftpd make sure then it stops complaining about the OpenSSL library and it will start.
There are no TLS references in the /etc/proftpd.conf file. Also there are no proftpd error messages in the /var/log/messages file. It looks like my issue is not with proftpd, but with the Plesk control panel that won't start. I have the following errors in the /var/log/sw-cp-server/error_log file:

2010-03-26 15:59:20: (log.c.75) server started
2010-03-26 15:59:20: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)

Should I just downgrade to the older openssl package or should I try something else? Thanks.
Make sure there is no <IfModule mod_tls.c>. Run this from shell as root:

/etc/init.d/xinetd restart

Now check /messages for any proftpd messages. I got n-1 on my server now (from koji) and plesk runs, but if there is any hint of tls it fails to start psa-proftpd. You can also get panel up and work on psa-proftpd, try:

/etc/init.d/xinetd stop
/etc/init.d/psa start

Also, what version of psa-proftpd are you running? ART built a 1.3.3 that has several CVE fixes.
I know plesk and art compiled psa-proftpd with OpenSSL linked directly to the library. Once psa-proftpd starts without tls it will run. Normally there are references added or call up tls module, http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html Ask on plesk forums IgorG he will tell you. I really suggest running updated OpenSSL in fedora it's tracking 4 CVE security flaws :( once psa-proftpd is not loading the tls.c library it will start. It's really a stupid package to link directly to a specific library file.
Looks like OpenSSL is causing problems with plesk. I found my server plesk is off. Seems if you psa stop and start it fails, but not on restart. I suggest stopping all OpenSSL updates as it breaks plesk on fedora and redhat. Can the CVE be backported and maintain the same version?
The workaround doesn't seem to apply to my Plesk 9.3.0 installation on RHEL5: I'm running the stock psa-proftpd-1.3.1-rhel5.build93091230.06 package and there are no tls references in the /etc/proftpd.conf file. Still, I cannot start the Plesk control panel.
@thewolf I had the same problem as you this evening. I couldn't get into my plesk panel after installing various updates such as openssl and proftpd. My system is CentOS 5.4 though, but I do have plesk 9.3. My errors were exactly like yours:

I have the following errors in the /var/log/sw-cp-server/error_log file:

2010-03-26 15:59:20: (log.c.75) server started
2010-03-26 15:59:20: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)

I checked my proftpd.conf file for any tls values but there were none. I tried the following:

/etc/init.d/xinetd stop
/etc/init.d/psa start

No success there either. After painstaking hours of searching on the internet I was just planning on letting my host do a complete reinstall of the system. Then I thought I can mess up the system now. The first thing I did was:

# yum downgrade psa-proftpd
> Only Upgrade available on package: psa-proftpd-1.3.2-6.el5.art.i386

So I tried openssl:

#yum downgrade openssl
---> Package openssl.i686 0:0.9.8e-12.el5_4.1 set to be updated
---> Package openssl.i686 0:0.9.8e-12.el5_4.6 set to be erased

This downgraded openssl to version 4.1. After that I tried to restart psa and everything was online again. I recommend you try to downgrade the openssl version, I bet that will do the trick. I still have the newest versions of all the packages available, including proftpd. Only the openssl package was giving me problems. Regards
Note that on RHEL-5 the fix is backported so the problem must be part of the fix for one of the CVEs. Unfortunately even after very careful reexamination of the CVE patches I did not find anything suspicious. This has to be investigated on the Plesk side. If it was opensource software I could try to find the cause there but it is not.
Tomas, Is OpenSSL 1.0.0 being built for F11? It's just been released. Parallels is fixing plesk. Plesk 8 never had this issue, but it's fixed for Centos and Redhat now. Just as parallels are slow supporting new OS, I expect to still be running 11 for several months when it's EOL before they support F12 (it took more than a year when F8 was EOL to get new OS support, jumped right to F11). At least this way I will have a current OpenSSL build. Thanks!
(In reply to comment #19)
> Is OpenSSL 1.0.0 being built for F11?

No, that would require rebuild of all other packages using openssl.
This message is a reminder that Fedora 11 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 11. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '11'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 11's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 11 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping