The system will automatically upgrade OpenSSL
I've been getting emails of this sort from one of our servers over the last few weeks; only I can not figure out what 'in 20 and 0' is referring to; nor can I see how to upgrade the version of OpenSSL manually so it stops emailing me this stuff... anyone got experience with this?
Thanks,
Matt
-
Here's another example of the email that the server sends: The cPanel & WHM update cannot proceed because the following service needs to be upgraded: Openssl You have 20 and 12 until we attempt to upgrade Openssl. To continue using this version of Openssl, you must change your Update Preferences in WHM to Long Term Support (LTS). By switching to LTS, you will not receive new features and eventually will stop receiving security updates. cPanel & WHM version 11.52 will be the last LTS version to support this outdated version of Openssl.' For more information about Long Term Support, read the following: cPanel & WHM Long-Term Support - Documentation - cPanel Documentation. 0 -
What version of cPanel are you running? You might try using this tool: Home "Software "Update Server Software cPanel depends upon a large number of OS vendor and cPanel-provided software packages. Occasionally, the providers update these packages in order to improve functionality, enhance performance, or to mitigate security risks. Your server typically updates these software packages during cPanel's automatic update process. However, these automatic updates may be disabled, which you can verify through the Update Preferences interface. To execute an update manually, proceed to the following step. 0 -
Home > Software > Update Server Software did nothing other than say everything needed was installed. That server is running "CENTOS 6.4 x86_64 xenpv " viewcab5 0 -
What version of openSSL do you have? This command should tell you. rpm -qa | grep openssl
0 -
Sorry for late reply; looks like I'm not getting email notifications for the forum. Running that command gives: openssl098e-0.9.8e-17.el6.centos.2.i686 openssl-1.0.0-27.el6_4.2.x86_64 openssl098e-0.9.8e-17.el6.centos.2.x86_64 openssl-devel-1.0.0-27.el6_4.2.x86_64 0 -
openssl098e-0.9.8e-17.el6.centos.2.i686
Hello :) Have you installed any custom instances of OpenSSL in the past, or are you using any custom YUM repositories? You have a .i686 RPM installed on your system. Thank you.0 -
None of us here would know how to do that even if we had to :/ It's possible another developer might have done so though, someone we used to deal with was a bit of a cowboy and may have fiddled where he shouldn't. How would I find out if we've got custom YUM repositories? And either way - how would we get this switched out for whatever the standard OpenSSL ought to be, if this isn't it? Thanks, Matt 0 -
You can review your existing YUM repo files in the following directory: /etc/yum.repos.d/
Feel free to post the output from "ls -al /etc/yum.repos.d" here so we can review it. Thank you.0 -
That command gives me the following: -rw-r--r-- 1 root root 1926 Feb 25 2013 CentOS-Base.repo -rw-r--r-- 1 root root 638 Feb 25 2013 CentOS-Debuginfo.repo -rw-r--r-- 1 root root 630 Feb 25 2013 CentOS-Media.repo -rw-r--r-- 1 root root 3664 Feb 25 2013 CentOS-Vault.repo Thanks for your help :) 0 -
Hi, I am sorry if I am intruding, and I will create a separate thread if the mods want me to. I thought that creating another thread for the same issue might not be a great idea so I am posting here. I have also been getting the same emails. Here is the basic info; - ]
- Our server is hosted with Godaddy.
- I am unable to SSH to the server directly (by creating SSH keys on from the WHM). I create the keys, authorize them and then I get "Server refused public-key signature despite accepting key!" when I try to SSH to it.
- I created SSH keys from the cpanel of one of our sites and was able to ssh using the login details of the website (not the server/WHM).
- Server version: CENTOS 6.4 x86_64 standard " webserver WHM 11.52.3 (build 1)
0 -
Hello there. I would like to join Matthew and Scott in their thread as I am experiencing the same problem - WHM is trying to update, but somehow the Openssl seems to be outdated and currently the system is offering to attempt to upgrade Openssl automatically. No manual/custom repos are installed on this server, it's been installed with a licensed WHM which is taking care of everything. My question here is: is it safe to let cPanel & WHM attempt to upgrade Openssl as part of the system update procedure, are there any risks of losing data on the server? Thank you very much in advance! 0 -
Okay, so today I received an email saying "The cPanel & WHM update cannot proceed because the following service needs to be upgraded: Openssl You have 0 day and 0 hour until we attempt to upgrade Openssl. To continue using this version of Openssl, you must change your Update Preferences in WHM to Long Term Support (LTS). By switching to LTS, you will not receive new features and eventually will stop receiving security updates. cPanel & WHM version 11.52 will be the last LTS version to support this outdated version of Openssl.' For more information about Long Term Support, read the following: cPanel & WHM Long-Term Support - Documentation - cPanel Documentation." I went to the WHM server itself and saw the following; Yellow intimation that says "The last attempt to update cPanel & WHM was blocked. Details" Clicking the Details reveal the following; "Reasons for blocked updates. Please correct these issues and rerun updates. fatal: The server cannot upgrade cPanel & WHM. Your system is running an old version of OpenSSL that does not support TLS1.2 which is required to help maintain PCI compliance." How do I update the Openssl manually? 0 -
Scott, just to add that my feeling about the message "You have 0 day and 0 hour until we attempt to upgrade Openssl." is that WHM should automatically update Openssl - no manual action should be required. If this is not right, then there is something wrong with the messaging copy. I personally have switched to TLS (no updates) until we receive a reply from the staff here. 0 -
This is certainly concerning, if you have 0 hours and 0 days it SHOULD be updating it. We did make a call with in the project to not edit your /etc/yum.repos.d/ files. I would greatly appreciate seeing two things from these servers: What does /etc/yum.repos.d/CentOS-Base.repo looks like and what does the output of yum update -y openssl show? 0 -
This is certainly concerning, if you have 0 hours and 0 days it SHOULD be updating it. We did make a call with in the project to not edit your /etc/yum.repos.d/ files. I would greatly appreciate seeing two things from these servers: What does /etc/yum.repos.d/CentOS-Base.repo looks like and what does the output of yum update -y openssl show?
Okay, so I tried to manually update by going to htp://...../cpsess2926015290/scripts2/upcpform- ]
- As soon as I hit the "Click to upgrade" button I got an email saying "Failed to upgrade the service, Openssl, automatically. Review the log for further details:"
- And then another email; "cPanel version change from "11.52.3.1" to "11.54.0.17" failed during updatenow." - Here is the - Removed - text file that was attached to the email.
- And then another email; "cPanel & WHM update failure in upcp script"- Here is the - Removed - text file that was attached to the email.
- ]
- [~]# /etc/yum.repos.d/CentOS-Base.repo -jailshell: /etc/yum.repos.d/CentOS-Base.repo: No such file or directory
- [~]# yum update -y openssl CRITICAL:yum.cli:Config Error: Error accessing file for config file:///etc/yum.conf
- ]
- I am unable to SSH to the server directly (by creating SSH keys on from the WHM). I create the keys, authorize them and then I get "Server refused public-key signature despite accepting key!" when I try to SSH to it.
- I created SSH keys from the cpanel of one of our sites and was able to ssh using the login details of the website (not the server/WHM).
0 -
Guys, today I tried upgrading manually Cpanel (just like Scott above) and it ended with a failure. Then I managed to manually upgrade Openssl in SSH and then re-run the upgrade of Cpanel - this time it was fine, now I am running the latest version. It seems to be something in the automatic update for Openssl which is not working properly... 0 -
Guys, today I tried upgrading manually Cpanel (just like Scott above) and it ended with a failure. Then I managed to manually upgrade Openssl in SSH and then re-run the upgrade of Cpanel - this time it was fine, now I am running the latest version. It seems to be something in the automatic update for Openssl which is not working properly...
Dimiter, can you let me know which command I need to run in SSH to get SSL to update?0 -
Hello :) Thanks to everyone for taking the time to report this issue. 1. The lack of units in the email notification is now addressed with case CPANEL-4112: Fixed case CPANEL-4112: Add time units to email text when a server is blocked over openssl upgrade. This will ensure that "days" and "hours" are properly added to this notification. 2. The error messages when updating suggests an issue with the system package manager (YUM). You should be able to run "yum update" without an error on any system, so that's the first item to check. Then, use the following command to determine if the cPanel update will succeed when automatically installing the openssl package: /scripts/yum_update_openssl
Note that if you address any issues with YUM first, it's likely to proceed without an error messages. Thank you.0 -
Scott, yum update -y openssl
You will need root access to execute this command.0 -
Scott,
yum update -y openssl
You will need root access to execute this command.
Thanks Dimiter and Michael, I was having difficulties logging into Putty using root as login, I kept getting the following message after entering the password "Server refused public-key signature despite accepting key" Turns out I needed to login as a non-root user first (this user was configured during initial setup so I do not know where to add/recreate it). I logged in as the other user and then typed;su -
It was asked to enter a password again, this time I used the root password and I was able to login as root. Updated the Openssl successfully and then WHM via web. Thanks everyone for the help!0 -
/scripts/yum_update_openssl
Note that if you address any issues with YUM first, it's likely to proceed without an error messages.
UPDATED: See post below this one. Even with error messages this appears to have repaired OpenSSL to the point where the update of Cpanel/WHM can succeed. Well at least I know I am not alone with this saga. Had tried to fix this early on but to no avail. The automated update at the end of the countdown as also failed so that is why I am here. I tried the YUM update approach with no luck. There are errors but I am not that technically skilled to know what to do next. That's why I rely on you guys! :D The relevant errors after running the yum_update_openssl:Error: Package: 32:bind-chroot-9.8.2-0.17.rc1.el6_4.6.x86_64 (@updates) Requires: bind = 32:9.8.2-0.17.rc1.el6_4.6 Removing: 32:bind-9.8.2-0.17.rc1.el6_4.6.x86_64 (@updates) bind = 32:9.8.2-0.17.rc1.el6_4.6 Updated By: 32:bind-9.8.2-0.30.rc1.el6_6.1.x86_64 (updates) bind = 32:9.8.2-0.30.rc1.el6_6.1 Available: 32:bind-9.8.2-0.30.rc1.el6.x86_64 (base) bind = 32:9.8.2-0.30.rc1.el6 You could try using --skip-broken to work around the problem ** Found 4 pre-existing rpmdb problem(s), 'yum check' output follows: 1:mod_auth_mysql-3.0.0-11.el6_0.1.x86_64 has missing requires of httpd-mmn = ('0 ', '20051115', None) 1:mod_ssl-2.2.15-29.el6.centos.x86_64 has missing requires of httpd 1:mod_ssl-2.2.15-29.el6.centos.x86_64 has missing requires of httpd = ('0', '2.2 .15', '29.el6.centos') 1:mod_ssl-2.2.15-29.el6.centos.x86_64 has missing requires of httpd-mmn = ('0', '20051115', None)
Here are the prior checks:rpm -qa | grep openssl openssl-1.0.1e-30.el6_6.5.x86_64 openssl-static-1.0.1e-30.el6_6.5.x86_64 openssl-devel-1.0.1e-30.el6_6.5.x86_64 cd /etc/yum.repos.d/ root@ip-50-62-141-30 [/etc/yum.repos.d]# ls ./ ../ CentOS-Base.repo CentOS-Debuginfo.repo CentOS-Media.repo CentOS-Vault.repo
0 -
Well it appears to have updated OpenSSL even with the errors as I just went into Cpanel and did a "Upgrade to Latest Version" and that worked. So hopefully all fixed. Thanks! 0 -
Well at least I know I am not alone with this saga. Had tried to fix this early on but to no avail. The automated update at the end of the countdown as also failed so that is why I am here. I tried the YUM update approach with no luck. There are errors but I am not that technically skilled to know what to do next. That's why I rely on you guys! :D The relevant errors after running the yum_update_openssl:
Error: Package: 32:bind-chroot-9.8.2-0.17.rc1.el6_4.6.x86_64 (@updates) Requires: bind = 32:9.8.2-0.17.rc1.el6_4.6 Removing: 32:bind-9.8.2-0.17.rc1.el6_4.6.x86_64 (@updates) bind = 32:9.8.2-0.17.rc1.el6_4.6 Updated By: 32:bind-9.8.2-0.30.rc1.el6_6.1.x86_64 (updates) bind = 32:9.8.2-0.30.rc1.el6_6.1 Available: 32:bind-9.8.2-0.30.rc1.el6.x86_64 (base) bind = 32:9.8.2-0.30.rc1.el6 You could try using --skip-broken to work around the problem ** Found 4 pre-existing rpmdb problem(s), 'yum check' output follows: 1:mod_auth_mysql-3.0.0-11.el6_0.1.x86_64 has missing requires of httpd-mmn = ('0 ', '20051115', None) 1:mod_ssl-2.2.15-29.el6.centos.x86_64 has missing requires of httpd 1:mod_ssl-2.2.15-29.el6.centos.x86_64 has missing requires of httpd = ('0', '2.2 .15', '29.el6.centos') 1:mod_ssl-2.2.15-29.el6.centos.x86_64 has missing requires of httpd-mmn = ('0', '20051115', None)
Here are the prior checks:rpm -qa | grep openssl openssl-1.0.1e-30.el6_6.5.x86_64 openssl-static-1.0.1e-30.el6_6.5.x86_64 openssl-devel-1.0.1e-30.el6_6.5.x86_64 cd /etc/yum.repos.d/ root@ip-50-62-141-30 [/etc/yum.repos.d]# ls ./ ../ CentOS-Base.repo CentOS-Debuginfo.repo CentOS-Media.repo CentOS-Vault.repo
I think you can try using the simple YUM command (yum update -y openssl) to update Openssl, not the script from Cpanel. That's what worked for me.0 -
I tried the YUM update approach with no luck. There are errors but I am not that technically skilled to know what to do next.
The error messages are what's preventing your packages from updating. This can result in problems with additional aspects of cPanel, so it's important to fix whatever is keeping YUM from working as intended. Based on the output you provided, you have installed some packages that are not required. You can remove those package with commands such as:rpm -e --nodeps mod_ssl-2.2.15-29.el6.centos.x86_64 rpm -e --nodeps mod_auth_mysql-3.0.0-11.el6_0.1.x86_64
Also, here's the default "exclude=" entry in the /etc/yum.conf file so you can make sure it matches yours:exclude=courier* dovecot* exim* filesystem httpd* mod_ssl* mydns* mysql* nsd* php* proftpd* pure-ftpd* spamassassin* squirrelmail*
Thank you.0 -
Thanks all, finally got this to work (after a failed attempt to automatically upgrade once the countdown hit zero) by following: yum update openssl and then running the Update in WHM. A yum update shows there are almost 300 packages to be upgraded though - I thought WHM/cPanel was supposed to do that automatically itself? Have I misunderstood that? 0 -
Well I still got an email from Cpanel this morning... Failed to upgrade the service, Openssl, automatically. Review the log for further details:
Of course I have no idea where this log file is. :) I removed the two mods that Michael pointed out in the thread above and retried the yum openssl update command. Either way I get this:$/scripts/yum_update_openssl Setting up Update Process No Packages marked for Update or $yum update -y openssl base | 3.7 kB 00:00 extras | 3.4 kB 00:00 updates | 3.4 kB 00:00 Setting up Update Process No Packages marked for Update
So is Open SSL updated but Cpanel is still trying to auto-update? Also I ran the Cpanel/WHM update manually yesterday and it ran with no errors detected. Thanks!0 -
And now I am back to Cpanel/WHM not being able to complete an upgrade. Getting this via email: The cPanel & WHM update process failed for the following reason: The `/usr/local/cpanel/scripts/updatenow --upcp --log=/var/cpanel/updatelogs/update.1456997041.log` command failed and exited with the code "1" (signal = 0) Update log preview: [2016-03-03 02:35:05 -0700] Downloading http://httpupdate.cpanel.net/RPM/11.48/centos/6/x86_64/MySQL55-test-5.5.48-1.cp1148.x86_64.rpm [2016-03-03 02:35:06 -0700] Downloading http://httpupdate.cpanel.net/RPM/11.46/centos/6/x86_64/cpanel-perl-514-Crypt-OpenSSL-Bignum-0.04-2.cp1146.x86_64.rpm [2016-03-03 02:35:06 -0700] Downloading http://httpupdate.cpanel.net/RPM/11.54/centos/6/x86_64/cpanel-jquery-ui-touch-punch-0.2.3-1.cp1154.noarch.rpm [2016-03-03 02:35:06 -0700] Downloading http://httpupdate.cpanel.net/RPM/11.46/centos/6/x86_64/cpanel-perl-514-JSON-WebToken-0.10-1.cp1146.x86_64.rpm [2016-03-03 02:35:06 -0700] Downloading http://httpupdate.cpanel.net/RPM/11.46/centos/6/x86_64/cpanel-perl-514-CSS-SpriteMaker-0.15-2.cp1146.x86_64.rpm [2016-03-03 02:35:06 -0700] Downloading http://httpupdate.cpanel.net/RPM/11.46/centos/6/x86_64/cpanel-perl-514-Crypt-OpenSSL-Random-0.04-2.cp1146.x86_64.rpm [2016-03-03 02:35:06 -0700] All files Staged [2016-03-03 02:35:06 -0700] Testing if the newly downloaded RPMS can be installed without conflict [2016-03-03 02:35:06 -0700] Testing RPM transaction [2016-03-03 02:35:07 -0700] error: Failed dependencies: [2016-03-03 02:35:07 -0700] libcrypto.so.10(libcrypto.so.10)(64bit) is needed by cpanel-mariadb-native-client-1.0.1-6.cp1154.x86_64 [2016-03-03 02:35:07 -0700] libssl.so.10(libssl.so.10)(64bit) is needed by cpanel-mariadb-native-client-1.0.1-6.cp1154.x86_64 [2016-03-03 02:35:07 -0700] W Exit Code: 54 [2016-03-03 02:35:07 -0700] ***** FATAL: Test install failed: error: Failed dependencies: [2016-03-03 02:35:07 -0700] libcrypto.so.10(libcrypto.so.10)(64bit) is needed by cpanel-mariadb-native-client-1.0.1-6.cp1154.x86_64 [2016-03-03 02:35:07 -0700] libssl.so.10(libssl.so.10)(64bit) is needed by cpanel-mariadb-native-client-1.0.1-6.cp1154.x86_64 [2016-03-03 02:35:07 -0700] The Administrator will be notified to review this output when this script completes [2016-03-03 02:35:07 -0700] ***** FATAL: Error testing if the RPMs will install: Test install failed: error: Failed dependencies: [2016-03-03 02:35:07 -0700] libcrypto.so.10(libcrypto.so.10)(64bit) is needed by cpanel-mariadb-native-client-1.0.1-6.cp1154.x86_64 [2016-03-03 02:35:07 -0700] libssl.so.10(libssl.so.10)(64bit) is needed by cpanel-mariadb-native-client-1.0.1-6.cp1154.x86_64 [2016-03-03 02:35:07 -0700] see RPM Installation Failures - cPanel Knowledge Base - cPanel Documentation for more information [2016-03-03 02:35:07 -0700] The Administrator will be notified to review this output when this script completes => Log closed Thu Mar 3 02:35:07 2016 [2016-03-03 02:35:07 -0700] 32% complete [2016-03-03 02:35:07 -0700] E Running `/usr/local/cpanel/scripts/updatenow --upcp --log=/var/cpanel/updatelogs/update.1456997041.log` failed, exited with code 1 (signal = 0)
0 -
Also in a separate email: The system detected an error during the cPanel & WHM version change from "11.52.4.0" to "11.54.0.18" which prevented updatenow from completing normally. Please review the attached log for further details. [2016-03-03 02:35:05 -0700] Downloading http://httpupdate.cpanel.net/RPM/11.46/centos/6/x86_64/cpanel-perl-514-Mail-SpamAssassin-3.004001-3.cp1146.x86_64.rpm [2016-03-03 02:35:05 -0700] Downloading http://httpupdate.cpanel.net/RPM/11.46/centos/6/x86_64/cpanel-perl-514-Test-HexString-0.03-1.cp1146.x86_64.rpm [2016-03-03 02:35:05 -0700] Downloading http://httpupdate.cpanel.net/RPM/11.48/centos/6/x86_64/MySQL55-test-5.5.48-1.cp1148.x86_64.rpm [2016-03-03 02:35:06 -0700] Downloading http://httpupdate.cpanel.net/RPM/11.46/centos/6/x86_64/cpanel-perl-514-Crypt-OpenSSL-Bignum-0.04-2.cp1146.x86_64.rpm [2016-03-03 02:35:06 -0700] Downloading http://httpupdate.cpanel.net/RPM/11.54/centos/6/x86_64/cpanel-jquery-ui-touch-punch-0.2.3-1.cp1154.noarch.rpm [2016-03-03 02:35:06 -0700] Downloading http://httpupdate.cpanel.net/RPM/11.46/centos/6/x86_64/cpanel-perl-514-JSON-WebToken-0.10-1.cp1146.x86_64.rpm [2016-03-03 02:35:06 -0700] Downloading http://httpupdate.cpanel.net/RPM/11.46/centos/6/x86_64/cpanel-perl-514-CSS-SpriteMaker-0.15-2.cp1146.x86_64.rpm [2016-03-03 02:35:06 -0700] Downloading http://httpupdate.cpanel.net/RPM/11.46/centos/6/x86_64/cpanel-perl-514-Crypt-OpenSSL-Random-0.04-2.cp1146.x86_64.rpm [2016-03-03 02:35:06 -0700] All files Staged [2016-03-03 02:35:06 -0700] Testing if the newly downloaded RPMS can be installed without conflict [2016-03-03 02:35:06 -0700] Testing RPM transaction [2016-03-03 02:35:07 -0700] error: Failed dependencies: [2016-03-03 02:35:07 -0700] libcrypto.so.10(libcrypto.so.10)(64bit) is needed by cpanel-mariadb-native-client-1.0.1-6.cp1154.x86_64 [2016-03-03 02:35:07 -0700] libssl.so.10(libssl.so.10)(64bit) is needed by cpanel-mariadb-native-client-1.0.1-6.cp1154.x86_64 [2016-03-03 02:35:07 -0700] W Exit Code: 54 [2016-03-03 02:35:07 -0700] ***** FATAL: Test install failed: error: Failed dependencies: [2016-03-03 02:35:07 -0700] libcrypto.so.10(libcrypto.so.10)(64bit) is needed by cpanel-mariadb-native-client-1.0.1-6.cp1154.x86_64 [2016-03-03 02:35:07 -0700] libssl.so.10(libssl.so.10)(64bit) is needed by cpanel-mariadb-native-client-1.0.1-6.cp1154.x86_64 [2016-03-03 02:35:07 -0700] The Administrator will be notified to review this output when this script completes [2016-03-03 02:35:07 -0700] ***** FATAL: Error testing if the RPMs will install: Test install failed: error: Failed dependencies: [2016-03-03 02:35:07 -0700] libcrypto.so.10(libcrypto.so.10)(64bit) is needed by cpanel-mariadb-native-client-1.0.1-6.cp1154.x86_64 [2016-03-03 02:35:07 -0700] libssl.so.10(libssl.so.10)(64bit) is needed by cpanel-mariadb-native-client-1.0.1-6.cp1154.x86_64 [2016-03-03 02:35:07 -0700] see RPM Installation Failures - cPanel Knowledge Base - cPanel Documentation for more information [2016-03-03 02:35:07 -0700] The Administrator will be notified to review this output when this script completes => Log closed Thu Mar 3 02:35:07 2016
0 -
[2016-03-03 02:35:07 -0700] libcrypto.so.10(libcrypto.so.10)(64bit) is needed by cpanel-mariadb-native-client-1.0.1-6.cp1154.x86_64 [2016-03-03 02:35:07 -0700] libssl.so.10(libssl.so.10)(64bit) is needed by cpanel-mariadb-native-client-1.0.1-6.cp1154.x86_64
Hello :) Please let us know if you notice any error messages when running the following command:yum update
Thank you.0
Please sign in to leave a comment.
Comments
29 comments