In Progress Issue with openssl after EA4 update

Discussion in 'EasyApache' started by Hosted Power, Aug 9, 2017.

  1. Hosted Power

    Hosted Power Member

    Joined:
    Sep 11, 2015
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Belgium
    cPanel Access Level:
    DataCenter Provider
    Latest easyapache update breaks all our servers without http2 enabled (didn't test those with http2 yet). There is an issue with the newly compiled openssl, phpinfo:

    OpenSSL support enabled
    OpenSSL Library Version OpenSSL 1.0.2k 26 Jan 2017
    OpenSSL Header Version OpenSSL 1.0.1e-fips 11 Feb 2013
    Openssl default config /opt/cpanel/ea-openssl/openssl.cnf

    (Note the difference in SSL version)

    Please cPanel look into it asap, this is really bad!

    We have severe ssl issues now on all servers which updated this night/morning!!!
     
  2. Reado

    Reado Well-Known Member

    Joined:
    Sep 8, 2009
    Messages:
    184
    Likes Received:
    7
    Trophy Points:
    68
    Location:
    United Kingdom
    cPanel Access Level:
    DataCenter Provider
    Latest update works for me. The only time I've had different library/header versions is when I have manually installed the latest version of OpenSSL, otherwise it should be the same.
     
  3. Hosted Power

    Hosted Power Member

    Hi Reado,

    We never installed any openssl manually and now just had to rollback over 100 servers, all were affected!!
     
  4. Reado

    Reado Well-Known Member

    Ouch! Suggest you log a ticket then - would probably get a response quicker.
     
  5. Hosted Power

    Hosted Power Member

    Yes I did, still waiting. It seems to be the combination of prefork and php that breaks it. php-fpm (and probably fastcgi) has no such issues.

    Cannot believe this update was rolled out without better testing.
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,617
    Likes Received:
    296
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    You updated over 100 servers without testing a bit more on just one, first? Ouch indeed.
     
  7. Reado

    Reado Well-Known Member

    It's your fault for not deploying to a single server first and then testing to make sure all was good before doing your entire farm.
     
  8. WietseD

    WietseD Member

    Joined:
    Mar 29, 2017
    Messages:
    8
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    netherlands
    cPanel Access Level:
    Root Administrator
    Hello,

    FYI:
    ea-libcurl
    • 7.53.1-5 - EA-6624: Fix export for static OpenSSL libraries
    • 7.53.1-4 - EA-6618: Added ALPN support
    This update breaks the checkout with Magento payment providers. These modules can no longer connect by SSL with payment providers. Already investigated by your support team and created a ticket for this issue. After rolling back this package the checkout works again. We have more and more customers reporting this problem. I hope it will be fixed soon.

    Best regards.
     
  9. Hosted Power

    Hosted Power Member

    That's easy to say, but we choose autoupdate for security reasons on most servers (except some exceptions). If you get hacked it's worse than the risk of an update messing something up.

    However this is still a big mistake it seems. It seems the set of packages is not consistent.

    We also use autoupdate on Debian a lot and in all those years never suffered from any (extreme) problems like this. That's why we pick auto update so often. Apparently it seems we cannot trust cPanel enough to do the same.
     
  10. cPJacob

    cPJacob cPanel Product Owner
    Staff Member

    Joined:
    May 2, 2014
    Messages:
    599
    Likes Received:
    90
    Trophy Points:
    103
    cPanel Access Level:
    DataCenter Provider
    Howdy,

    I'm still looking into this issue, but I'm unable to replicate it... From the errors in one of the tickets I'm looking at, it seems the hosts are still supporting SSLv3, which is super old and should no longer be used. Our OpenSSL implementation specifically disables SSLv3, so the ciphers will likely need updating.
     
  11. Hosted Power

    Hosted Power Member

    Hey Jacob,

    Did you reply to this thread or this one? New Thread - Issue with openssl after EA4 update

    I posted quite some info in cPanel ticket: 8774461 (also a screenshot).
     
  12. Hosted Power

    Hosted Power Member

    I suppose you use prefork as well? I think you suffer from the same issues as us.

    Does your phpinfo also look like this on the server(s) with the issue:

    OpenSSL support enabled
    OpenSSL Library Version OpenSSL 1.0.2k 26 Jan 2017
    OpenSSL Header Version OpenSSL 1.0.1e-fips 11 Feb 2013
    Openssl default config /opt/cpanel/ea-openssl/openssl.cnf

    ?
     
  13. Scott.Mc

    Scott.Mc Member

    Joined:
    Feb 22, 2006
    Messages:
    10
    Likes Received:
    1
    Trophy Points:
    151
    Seen this a few times earlier (from unable to send via phpmailer [mandrill in this case], to payment gateway apis failing) and the problem is that the new ea-openssl cannot verify valid SSL certificates as it doesn't have the default certs. I noted it worked via the CLI but not via web server (mod_itk was the handler in this case) and the strace showed it was looking for /opt/cpanel/ea-openssl/cert.pem which doesn't exist. Symlinking the one from the ca-certificates package fixed the problem ( ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /opt/cpanel/ea-openssl/cert.pem ). I assume it's related to the new ea-openssl/libcurl changes (Merge pull request #22 in EA4/libcurl from ~JACOB.PERKINS/libcurl:EA-… · CpanelInc/libcurl@3e3cdd6 · GitHub) but didn't really debug much further than the above.
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,029
    Likes Received:
    1,277
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    We are tracking reports of this issue as part of internal case EA-6671. It's still under investigation, however it appears the issue relates to the configuration file path specified for the cPanel-provided ea-openssl packages (which reference an invalid/non-existent CA path). Additionally, the issue appears to only affect the DSO PHP handler. We'll monitor this case and update this thread with more information as it becomes available.

    Thank you.
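
Added example, not part of any post in this thread and not cPanel's own tooling: a shell check for the condition described in the two posts above, where the OpenSSL build's default CA file under /opt/cpanel/ea-openssl does not exist. The function names are hypothetical, and the default locations (`cert.pem` and `certs/` under OPENSSLDIR) assume stock OpenSSL behaviour.

```shell
#!/bin/sh
# Added example. OpenSSL resolves its default trust store relative to OPENSSLDIR:
#   CAfile = $OPENSSLDIR/cert.pem    CApath = $OPENSSLDIR/certs

# ca_file_state FILE -> prints ok | missing | dangling | nocert
ca_file_state() {
    f=$1
    if [ -L "$f" ] && [ ! -e "$f" ]; then echo dangling; return 0; fi
    if [ ! -e "$f" ]; then echo missing; return 0; fi
    if grep -q -e '-----BEGIN CERTIFICATE-----' \
               -e '-----BEGIN TRUSTED CERTIFICATE-----' "$f" 2>/dev/null; then
        echo ok
    else
        echo nocert
    fi
}

# ca_dir_state DIR -> prints ok | missing | nocert
# A usable CApath holds subject-hash entries named like 2e5ac55d.0
ca_dir_state() {
    d=$1
    if [ ! -d "$d" ]; then echo missing; return 0; fi
    for entry in "$d"/*; do
        case ${entry##*/} in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                if [ -e "$entry" ]; then echo ok; return 0; fi ;;
        esac
    done
    echo nocert
}

# check_trust_store OPENSSLDIR -> status 0 if CAfile or CApath is usable, else 1
check_trust_store() {
    dir=$1
    file_state=$(ca_file_state "$dir/cert.pem")
    dir_state=$(ca_dir_state "$dir/certs")
    echo "CAfile $dir/cert.pem: $file_state"
    echo "CApath $dir/certs: $dir_state"
    if [ "$file_state" = ok ] || [ "$dir_state" = ok ]; then return 0; fi
    echo "no usable CA source: default peer verification will fail" >&2
    return 1
}

# Stand-alone use: sh check.sh /opt/cpanel/ea-openssl
[ $# -eq 0 ] || check_trust_store "$1"
```

Run after a package update, a `missing` or `dangling` result for `cert.pem` points at the trust store rather than at the application's TLS settings.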
     
  15. fingerprn

    fingerprn Member

    Joined:
    Feb 19, 2007
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    151
    Just so you know, I'm pretty sure I've got the same problem. First of all, I've got different library/header versions, too, same as Hosted Power. Also, since the last auto-update we can no longer connect to SMTP without the non-secure workaround and have lost all SOAP connections. When I investigated these issues, they all pointed to SSL problems.

    What's more, I upgraded another client's server yesterday from EA3 to EA4. He lost SOAP connections with Fedex. Downgraded to EA3 and everything worked again.
     
  16. DragonByte Tech

    Joined:
    Aug 7, 2012
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    I have the same issue (exact same header/library mismatch, all SSL SMTP in PHP broken, openssl_get_cert_locations giving incorrect path to /opt/cpanel/ea-openssl).

    Please fix this ASAP as it is severely hurting our business. I wasn't aware that updating to the CURRENT branch was a dangerous operation.


    Fillip
     
  17. tmcstom

    tmcstom Member

    Joined:
    Dec 31, 2014
    Messages:
    9
    Likes Received:
    1
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Any update on this? This is affecting MANY customers and needs to be fixed ASAP.
     
  18. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    A solution to this issue is going through testing, but there's no specific time frame to offer at this time. I'll update this thread with more information as it becomes available. In the meantime, you can downgrade the ea-libcurl RPM as a temporary workaround:

    Code:
    yum downgrade ea-libcurl

    Thank you.
     
  19. lm137

    lm137 Registered

    Joined:
    Yesterday
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Earth
    cPanel Access Level:
    Root Administrator
    This response from cPanel, no less from a "Product Evangelist" is awful.

    @Hosted Power I am with you 100%. The whole point of using cPanel is so you don't have to do all the updating and testing again and again, and your point about security is also valid. I get it, mistakes happen, and they can even happen in the CURRENT branch, but a cPanel employee trying to put blame on you for this situation has certainly lowered my opinion of cPanel :-(
     
  20. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    How so? Having a problem across 100 servers is certainly problematic.
     