Signature Roll Back Failed

[keat63]

Any ideas what these are. I found a number of these in my logs ??


[2016-05-08 18:17:01 +0100] die [autorepair] Signature verification failed for URL 'http://httpupdate.cpanel.net/autofixer2/recoverymgmt'. Signature rollback detected. Please see cPanel & WHM Download Security - cPanel Knowledge Base - cPanel Documentation for further information about this error. at /usr/local/cpanel/Cpanel/HttpRequest.pm line 1321.
Cpanel::HttpRequest::_die(Cpanel::HttpRequest=HASH(0x1386168), "Signature verification failed for URL 'http://httpupdate.cpan"...) called at /usr/local/cpanel/Cpanel/HttpRequest.pm line 1332

 

[ciao70]

Same problem

11.56.0.14

 

[cPanelMichael]

Hello,

Signature verification ensures the files you download from cPanel are not compromised or corrupted. It's documented at:

cPanel & WHM Download Security - cPanel Knowledge Base - cPanel Documentation

Could you verify if you have any entries populated in the /etc/cpsources.conf file? If not, do you have any existing RPM processes running? You can check that with a command such as:

ps aux|grep rpm

Thank you.

 

[keat63]

I have whm configured for manual updates. I see a few hours before these errors started that Cpanel tried to do an update with a message saying words along the lines 'update will not perform..same version'

I cannot see a file in etc called cpsources.cnf.

xxxxxx 959 0.0 0.0 103308 836 pts/0 S+ 08:16 0:00 grep rpm

 

[keat63]

/usr/local/cpanel/scripts/updatenow (19024) at Sat May  7 02:00:04 2016
[2016-05-07 02:00:04 +0100]   Detected version '11.54.0.21' from version file.
[2016-05-07 02:00:04 +0100]   Running version '11.54.0.21' of updatenow.
[2016-05-07 02:00:04 +0100]   cPanel & WHM updates are disabled via cron because they are set to “manual” in /etc/cpupdate.conf
[2016-05-07 02:00:04 +0100]   No sync will occur.
=> Log closed Sat May  7 02:00:04 2016

I've now initiated an manual update. I'll keep you posted.

 

[keat63]

Since upgrading to 11.56.0.14, i'm now also seeing a different error.

/usr/local/cpanel/logs/error_log:
==> cpsrvd 11.56.0.14 started
==> cpsrvd: loading security policy....Done
==> cpsrvd: Setting up native SSL support ... Done
==> cpsrvd: transferred port bindings
==> cpsrvd: bound to ports
==> cpsrvd 11.56.0.14 started
==> cpsrvd: loading security policy....Done
==> cpsrvd: Setting up native SSL support ... Done
==> cpsrvd: transferred port bindings
==> cpsrvd: bound to ports


[B]PLUS[/B]

[2016-05-10 12:15:13 +0100] die [autorepair] Signature verification failed for URL '[URL]http://httpupdate.cpanel.net/autofixer2/recoverymgmt[/URL]'. Signature rollback detected. Please see [URL]https://go.cpanel.net/sigerrors[/URL] for further information about this error. at /usr/local/cpanel/Cpanel/HttpRequest.pm line 1145.
        Cpanel::HttpRequest::_die(Cpanel::HttpRequest=HASH(0x22a4c80), "Signature verification failed for URL '[URL]http://httpupdate.cpan[/URL]"...) called at /usr/local/cpanel/Cpanel/HttpRequest.pm line 1155
        Cpanel::HttpRequest::_sigerror_die(Cpanel::HttpRequest=HASH(0x22a4c80), "Signature verification failed for URL '[URL]http://httpupdate.cpan[/URL]"...) called at /usr/local/cpanel/Cpanel/HttpRequest.pm line 338
        Cpanel::HttpRequest::request(Cpanel::HttpRequest=HASH(0x22a4c80), "host", "httpupdate.cpanel.net", "url", "/autofixer2/recoverymgmt", "protocol", 0, "signed", 1, ...) called at /usr/local/cpanel/scripts/autorepair line 26

 

[cPanelMichael]

I've now initiated an manual update. I'll keep you posted.

This is a bug associated with the "UPDATES=manual" entry in the /etc/cpupdate.conf file. This is equivalent to setting "Daily Updates" to "Manual Updates Only" in "WHM >> Server Configuration >> Update Preferences". The issue was resolved in cPanel version 54.0.22, which is build newer than what you were using:

Fixed case CPANEL-4439: Fixed terminal detection for manual /scripts/upcp runs.

You can workaround the issue by forcing an update of cPanel with the following command:

/scripts/upcp --force

[2016-05-10 12:15:13 +0100] die [autorepair] Signature verification failed for URL 'http://httpupdate.cpanel.net/autofixer2/recoverymgmt'. Signature rollback detected. Please see cPanel & WHM Download Security - cPanel Knowledge Base - cPanel Documentation for further information about this error. at /usr/local/cpanel/Cpanel/HttpRequest.pm line 1145.

This feature is documented at:

cPanel & WHM Download Security - cPanel Knowledge Base - cPanel Documentation

You mentioned that no /etc/cpsources.conf file exists on the system. Are you using any custom entries in /etc/hosts for httpupdate.cpanel.net?

Thank you.

 

[keat63]

I'm not sure where I was looking this morning, as I found cpupdate.conf.

CPANEL=release
RPMUP=never
SARULESUP=daily
STAGING_DIR=/usr/local/cpanel
UPDATES=manual


You mention that signature verification thing is a feature.
I've never seen this before Sunday evening when Cpanel tried to do an update.
Since then I've seen a few.

I prefer to run updates manually, however, even after running the update manually, I still see this message?
I'm confused.

 

[cPanelMichael]

You mention that signature verification thing is a feature.
I've never seen this before Sunday evening when Cpanel tried to do an update.
Since then I've seen a few.

I prefer to run updates manually, however, even after running the update manually, I still see this message?
I'm confused.

It's a feature, but it doesn't mean you should be getting that error message. You mentioned that no /etc/cpsources.conf file exists on the system. Are you using any custom entries in /etc/hosts for httpupdate.cpanel.net?

Thank you.

 

[keat63]

I'm not sure where I was looking when i was searching for cpupdate.conf, as I found it.

CPANEL=release
RPMUP=never
SARULESUP=daily
STAGING_DIR=/usr/local/cpanel
UPDATES=manual

However, as I mentioned, I have updates set for manual. On sunday evening the system tried to do an update.

/usr/local/cpanel/scripts/updatenow (19024) at Sat May  7 02:00:04 2016
[2016-05-07 02:00:04 +0100]   Detected version '11.54.0.21' from version file.
[2016-05-07 02:00:04 +0100]   Running version '11.54.0.21' of updatenow.
[2016-05-07 02:00:04 +0100]   cPanel & WHM updates are disabled via cron because they are set to “manual” in /etc/cpupdate.conf
[2016-05-07 02:00:04 +0100]   No sync will occur.
=> Log closed Sat May  7 02:00:04 2016

at which point those errors started.

I've since manually upgraded to 56.0.14, but still see these errors.

/usr/local/cpanel/logs/error_log:
[2016-05-11 00:18:33 +0100] die [autorepair] Signature verification failed for URL 'http://httpupdate.cpanel.net/autofixer2/recoverymgmt'. Signature rollback detected. Please see https://go.cpanel.net/sigerrors for further information about this error. at /usr/local/cpanel/Cpanel/HttpRequest.pm line 1145.
        Cpanel::HttpRequest::_die(Cpanel::HttpRequest=HASH(0x24bac80), "Signature verification failed for URL 'http://httpupdate.cpan"...) called at /usr/local/cpanel/Cpanel/HttpRequest.pm line 1155
        Cpanel::HttpRequest::_sigerror_die(Cpanel::HttpRequest=HASH(0x24bac80), "Signature verification failed for URL 'http://httpupdate.cpan"...) called at /usr/local/cpanel/Cpanel/HttpRequest.pm line 338
        Cpanel::HttpRequest::request(Cpanel::HttpRequest=HASH(0x24bac80), "host", "httpupdate.cpanel.net", "url", "/autofixer2/recoverymgmt", "protocol", 0, "signed", 1, ...) called at /usr/local/cpanel/scripts/autorepair line 26

 

[TerranceR]

Hello,

This was due to an issue, I have opened a Case this morning in an attempt to get this resolved, CPANEL-6110. Please update this post if you see this issue again.

 

[keat63]

Thinking about it logically, is this an issue at CPanels server end.
If my server never did an update, then nothing should have changed at my end.
And maybe the error I'm seeing is related to an issue on the CPanel servers. ??

Incidentally, I've not seen it now since yesterday afternoon, although this one below occurs occasionally.

/usr/local/cpanel/logs/error_log:
==> cpsrvd 11.56.0.14 started
==> cpsrvd: loading security policy....Done
==> cpsrvd: Setting up native SSL support ... Done
==> cpsrvd: transferred port bindings
==> cpsrvd: bound to ports

Edit: Just a thought, could these ↑↑↑, be being created when I log in to Cpanel/WHM at all, I think they only started since I applied the free SSL certificate ???

 

[TerranceR]

Hello,

As mentioned previously, I put a Case in to get this fixed (CPANEL-6110), the actual error is caused by a autorepair cronjob (recoverymgmt) that runs every x hours. As of right now, we believe the Signature Issues are resolved but if you see the errors again, feel free to let us know!

 

[ciao70]

Same problem

11.56.0.14

Now it seems ok.

No die [autorepair]

Thanks

 

[ciao70]

It seems to have reintroduced the problem after the upgrade 11.56.0.22

die [autorepair] Signature verification failed for URL 'http://httpupdate.cpanel.net/autofixer2/recoverymgmt'. Signature rollback detected. Please see cPanel & WHM Download Security - cPanel Knowledge Base - cPanel Documentation for further

 

[cPanelMichael]

New It seems to have reintroduced the problem after the upgrade 11.56.0.22

Are you able to reproduce this issue when running the "/scripts/upcp" command? If so, please check the contents of the /etc/cpsources.conf file and post it here. Also, let us know if the following command helps:

/usr/local/cpanel/scripts/updatesigningkey

Thank you.

 

[rpvw]

11.56.0.22

Don't know if it is relevant, but since upgrade to this version, now getting the following in upcp each run

[2016-05-31 21:16:33 +0000]    - Processing command `/usr/local/cpanel/scripts/autorepair autorepair`
[2016-05-31 21:16:34 +0000]      [647806] Requesting script ... exit level [die] [pid=647806] (Signature verification failed for URL 'http://httpupdate.cpanel.net/autofixer2/autorepair'. Invalid signature. Please see https://go.cpanel.net/sigerrors for further information about this error.)

 

[rpvw]

Sorry, should have been included in last post

Tried

/usr/local/cpanel/scripts/updatesigningkey

and then ran upcp again - same Signature verification failure

I don't see a /etc/cpsources.conf file at all - could this be an issue ?

 

[cPanelMichael]

I don't see a /etc/cpsources.conf file at all - could this be an issue ?

No, it's only an issue if it exists and is forcing a bad mirror. Please open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.

 

[rpvw]

Switching off Signature validation on assets downloaded from cPanel & WHM mirrors in Tweak Settings allows upcp to complete without reporting any errors

[2016-06-01 22:02:30 +0000]  - Processing command `/usr/local/cpanel/scripts/autorepair autorepair`
[2016-06-01 22:02:30 +0000]  [967302] Requesting script ... Done
[2016-06-01 22:02:31 +0000]  [967302] Auto Repair is running...Running Auto Repair routines
[2016-06-01 22:02:31 +0000]  [967302] Running autorepair on abrt_argparse
[2016-06-01 22:02:31 +0000]  [967302] Running autorepair on cpsources_mirror
[2016-06-01 22:02:31 +0000]  [967302] Running autorepair on fix_duplicate_cpanel_rpms
[2016-06-01 22:02:31 +0000]  [967302] Running autorepair on fix-exim-permissions
[2016-06-01 22:02:31 +0000]  [967302] Finished running Auto Repair routines
[2016-06-01 22:02:31 +0000]  [967302] ...Auto Repair is done.