Issue with openssl after EA4 update
Latest easyapache update breaks all our servers without http2 enabled (didn't test those with http2 yet). There is an issue with the newly compiled openssl, phpinfo:
OpenSSL support enabled
OpenSSL Library Version OpenSSL 1.0.2k 26 Jan 2017
OpenSSL Header Version OpenSSL 1.0.1e-fips 11 Feb 2013
Openssl default config /opt/cpanel/ea-openssl/openssl.cnf
(Note the difference in SSL version)
Please cPanel look into it asap, this is really bad!
We have severe ssl issues now on all servers which updated this night/morning!!!
Latest update works for me. The only time I've had different library/header versions is when I have manually installed the latest version of OpenSSL, otherwise it should be the same. 0 -
Hi Reado, We never installed any openssl manually and now just had to roll back over 100 servers, all were affected!! 0 -
Ouch! Suggest you log a ticket then - would probably get a response quicker. 0 -
Yes I did, still waiting. It seems to be the combination of prefork and php that breaks it. php-fpm (and probably fastcgi) has no such issues. Cannot believe this update was rolled out without better testing. 0 -
You updated over 100 servers without testing a bit more on just one, first? Ouch indeed. 0 -
Cannot believe this update was rolled out without better testing.
It's your fault for not deploying to a single server first and then testing to make sure all was good before doing your entire farm.0 -
Hello, FYI: ea-libcurl
- 7.53.1-5 - EA-6624: Fix export for static OpenSSL libraries
- 7.53.1-4 - EA-6618: Added ALPN support
This update breaks the checkout with Magento payment providers. These modules can no longer connect by SSL with payment providers. Already investigated by your support team and created a ticket for this issue. After rolling back this package the checkout works again. We have more and more customers reporting this problem. I hope it will be fixed soon. Best regards. 0 -
That's easy to say, but we choose autoupdate for security reasons on most servers (except some exceptions). If you get hacked it's worse than the risk of an update messing something up. However this is still a big mistake it seems. It seems the set of packages is not consistent. We also use autoupdate on Debian a lot and in all those years never suffered from any (extreme) problems like this. That's why we pick auto update so often. Apparently it seems we cannot trust cPanel enough to do the same. 0 -
Howdy, I'm still looking into this issue, but I'm unable to replicate it... From the errors in one of the tickets I'm looking at, it seems the hosts are still supporting SSLv3, which is super old and should no longer be used. Our OpenSSL implementation specifically disables SSLv3, so the ciphers will likely need updating. 0 -
Howdy, I'm still looking into this issue, but I'm unable to replicate it... From the errors in one of the tickets I'm looking at, it seems the hosts are still supporting SSLv3, which is super old and should no longer be used. Our OpenSSL implementation specifically disables SSLv3, so the ciphers will likely need updating.
Hey Jacob, Did you reply to this thread or this one? New Thread - Issue with openssl after EA4 update I posted quite some info in cPanel ticket: 8774461 (also a screenshot).0 -
Hello, FYI: ea-libcurl
- 7.53.1-5 - EA-6624: Fix export for static OpenSSL libraries
- 7.53.1-4 - EA-6618: Added ALPN support
This update breaks the checkout with Magento payment providers. These modules can no longer connect by SSL with payment providers. Already investigated by your support team and created a ticket for this issue. After rolling back this package the checkout works again. We have more and more customers reporting this problem. I hope it will be fixed soon. Best regards.
I suppose you use prefork as well? I think you suffer from the same issues as us. Does your phpinfo also look like this on the server(s) with the issue: OpenSSL support enabled OpenSSL Library Version OpenSSL 1.0.2k 26 Jan 2017 OpenSSL Header Version OpenSSL 1.0.1e-fips 11 Feb 2013 Openssl default config /opt/cpanel/ea-openssl/openssl.cnf ? 0 -
Howdy, I'm still looking into this issue, but I'm unable to replicate it... From the errors in one of the tickets I'm looking at, it seems the hosts are still supporting SSLv3, which is super old and should no longer be used. Our OpenSSL implementation specifically disables SSLv3, so the ciphers will likely need updating.
Seen this a few times earlier (from unable to send via phpmailer [mandrill in this case], to payment gateway apis failing) and the problem is that the new ea-openssl cannot verify valid SSL certificates as it doesn't have the default certs. I noted it worked via the CLI but not via web server (mod_itk was the handler in this case) and the strace showed it was looking for /opt/cpanel/ea-openssl/cert.pem which doesn't exist. Symlinking the one from the ca-certificates package fixed the problem ( ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /opt/cpanel/ea-openssl/cert.pem ). I assume it's related to the new ea-openssl/libcurl changes (Merge pull request #22 in EA4/libcurl from ~JACOB.PERKINS/libcurl:EA-" " CpanelInc/libcurl@3e3cdd6 " GitHub) but didn't really debug much further than the above. 0 -
Hello, We are tracking reports of this issue as part of internal case EA-6671. It's still under investigation, however it appears the issue relates to the configuration file path specified for the cPanel-provided ea-openssl packages (which reference an invalid/non-existent CA path). Additionally, the issue appears to only affect the DSO PHP handler. We'll monitor this case and update this thread with more information as it becomes available. Thank you. 0 -
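The two symptoms reported in this thread (an OpenSSL library/header version mismatch in phpinfo, and a default CA file that does not exist under the OpenSSL directory) can be checked per server with a short script. This is an added example, not cPanel's code or any poster's; the function names are hypothetical, and it assumes OpenSSL looks for cert.pem directly under the directory passed in, as the strace reported earlier in this thread showed.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not cPanel code).

# Succeeds when phpinfo text on stdin reports the same OpenSSL release for the
# library loaded at run time and the headers PHP was compiled against.
# Handles both the flattened HTML form and the "name => value" text form.
openssl_versions_match() {
    awk '
        function release(   i) {   # version token that follows "OpenSSL"
            for (i = 1; i < NF; i++)
                if ($i == "OpenSSL" && $(i + 1) ~ /^[0-9]/) return $(i + 1)
            return ""
        }
        /OpenSSL Library Version/ { lib = release() }
        /OpenSSL Header Version/  { hdr = release() }
        END { exit !(lib != "" && lib == hdr) }
    '
}

# Succeeds when DIR/cert.pem resolves to a readable file holding at least one
# PEM certificate; a missing file or a dangling symlink fails.
ca_file_usable() {
    [ -r "$1/cert.pem" ] &&
        grep -q -e '-----BEGIN CERTIFICATE-----' "$1/cert.pem"
}

# Print findings for one server; the return status is the number of problems.
# $1 = file holding phpinfo text saved from the affected PHP handler
# $2 = OpenSSL directory (assumption: cert.pem is looked up directly in it)
audit() {
    problems=0
    if ! openssl_versions_match < "$1"; then
        echo "MISMATCH: OpenSSL library and header versions differ"
        problems=$((problems + 1))
    fi
    if ! ca_file_usable "$2"; then
        echo "NO CA FILE: $2/cert.pem is missing or holds no certificates"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage on a live host (directory taken from this thread):
#   audit phpinfo.txt /opt/cpanel/ea-openssl
```

Save the phpinfo text from the web handler that shows the fault rather than from the CLI, since posters here found the CLI unaffected.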
Just so you know, I'm pretty sure I've got the same problem. First of all, I've got different library/header versions, too, same as Hosted Power. Also, since the last auto-update we can no longer connect to SMTP without the non-secure workaround and have lost all SOAP connections. When I investigated these issues, they all pointed to SSL problems. What's more, I upgraded another client's server yesterday from EA3 to EA4. He lost SOAP connections with Fedex. Downgraded to EA3 and everything worked again. 0 -
I have the same issue (exact same header/library mismatch, all SSL SMTP in PHP broken, openssl_get_cert_locations giving incorrect path to /opt/cpanel/ea-openssl). Please fix this ASAP as it is severely hurting our business. I wasn't aware that updating to the CURRENT branch was a dangerous operation. Fillip 0 -
Any update on this? This is affecting MANY customers and needs to be fixed ASAP. 0 -
Any update on this? This is affecting MANY customers and needs to be fixed ASAP.
Hello, A solution to this issue is going through testing, but there's no specific time frame to offer at this time. I'll update this thread with more information as it becomes available. In the meantime, you can downgrade the ea-libcurl RPM as a temporary workaround: yum downgrade ea-libcurl
Thank you. 0 -
You updated over 100 servers without testing a bit more on just one, first? Ouch indeed.
This response from cPanel, no less from a "Product Evangelist" is awful. @Hosted Power I am with you 100%. The whole point of using cPanel is so you don't have to do all the updating and testing again and again, and your point about security is also valid. I get it, mistakes happen, and they can even happen in the CURRENT branch, but a cPanel employee trying to put blame on you for this situation has certainly lowered my opinion of cPanel :-(0 -
This response from cPanel, no less from a "Product Evangelist" is awful.
How so? Having a problem across 100 servers is certainly problematic.0 -
How so? Having a problem across 100 servers is certainly problematic.
You are attributing blame to the customer. cPanel, you updated 100,000s(?) of servers automatically without testing a bit more on just one, first?0 -
I disagree. EasyApache doesn't auto update and moving from EA3 to EA4 is not automatic. Updates FAQ - Documentation - cPanel Documentation 0 -
Sadly, EA4 does automatic updates. We stumbled upon this topic after an hour of debugging a customer's failed file_get_contents() calls. It seems an automatic EA4 update has once again confronted us with mysterious issues. Please, please, please, people at cPanel, THOROUGHLY test the EA4-packages before deploying them (remember the libxml issues from last May?). It is very hard for us to backtrace issues after updates we have 0 control over. We can confirm this only affects servers running PHP in DSO mode, because non-existent include paths are used for SSL-verification. Server was looking for /opt/cpanel/ea-openssl/cert.pem instead of /etc/pki/tls/cert.pem. Running "yum downgrade ea-libcurl && httpd -k restart" resolved the issue. 0 -
Running "yum downgrade ea-libcurl && httpd -k restart" resolved the issue.
It does indeed fix the problem for now. Be sure to disable updates for now too, or otherwise you will have the same problem the next day.0 -
Hello, To update, we are planning to publish a resolution for this case in the next EA4 maintenance release (tentatively scheduled for later today):
ea-openssl
- 1.0.2k-7 - EA-6671: add symlinks to system default cert
We'll update this thread again once the resolution is published. Thanks! 0 -
Hello, The resolution is now published: EasyApache 4 Update - August 17, 2017 Thank you. 0