The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

The system will automatically upgrade OpenSSL

Discussion in 'General Discussion' started by Matthew Wilcox, Feb 5, 2016.

  1. Matthew Wilcox

    Joined:
    Feb 5, 2016
    Messages:
    12
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    My Desk
    cPanel Access Level:
    Root Administrator
    I've been getting emails of this sort from one of our servers over the last few weeks; only I can not figure out what 'in 20 and 0' is referring to; nor can I see how to upgrade the version of OpenSSL manually so it stops emailing me this stuff... anyone got experience with this?

    Thanks,
    Matt
     
    dto123 likes this.
  2. Matthew Wilcox

    Joined:
    Feb 5, 2016
    Messages:
    12
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    My Desk
    cPanel Access Level:
    Root Administrator
    Here's another example of the email that the server sends:

    The cPanel & WHM update cannot proceed because the following service needs to be upgraded: Openssl

    You have 20 and 12 until we attempt to upgrade Openssl.

    To continue using this version of Openssl, you must change your Update Preferences in WHM to Long Term Support (LTS).
    By switching to LTS, you will not receive new features and eventually will stop receiving security updates.
    cPanel & WHM version 11.52 will be the last LTS version to support this outdated version of Openssl.'
    For more information about Long Term Support, read the following: cPanel & WHM Long-Term Support - Documentation - cPanel Documentation.​
     
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,480
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    What version of cPanel are you running?

    You might try using this tool:
    Home »Software »Update Server Software

     
  4. Matthew Wilcox

    Joined:
    Feb 5, 2016
    Messages:
    12
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    My Desk
    cPanel Access Level:
    Root Administrator
    Home > Software > Update Server Software did nothing other than say everything needed was installed.

    That server is running "CENTOS 6.4 x86_64 xenpv – viewcab5
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,480
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    What version of openSSL do you have? This command should tell you.
    Code:
    rpm -qa | grep openssl
     
  6. Matthew Wilcox

    Joined:
    Feb 5, 2016
    Messages:
    12
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    My Desk
    cPanel Access Level:
    Root Administrator
    Sorry for late reply; looks like I'm not getting email notifications for the forum.

    Running that command gives:

    openssl098e-0.9.8e-17.el6.centos.2.i686
    openssl-1.0.0-27.el6_4.2.x86_64
    openssl098e-0.9.8e-17.el6.centos.2.x86_64
    openssl-devel-1.0.0-27.el6_4.2.x86_64​
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Have you installed any custom instances of OpenSSL in the past, or are you using any custom YUM repositories? You have a .i686 RPM installed on your system.

    Thank you.
     
  8. Matthew Wilcox

    Joined:
    Feb 5, 2016
    Messages:
    12
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    My Desk
    cPanel Access Level:
    Root Administrator
    None of us here would know how to do that even if we had to :/ It's possible another developer might have done so though, someone we used to deal with was a bit of a cowboy and may have fiddled where he shouldn't.

    How would I find out if we've got custom YUM repositories? And either way - how would we get this switched out for whatever the standard OpenSSL ought to be, if this isn't it?

    Thanks,
    Matt
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    You can review your existing YUM repo files in the following directory:

    Code:
    /etc/yum.repos.d/
    Feel free to post the output from "ls -al /etc/yum.repos.d" here so we can review it.

    Thank you.
     
  10. Matthew Wilcox

    Joined:
    Feb 5, 2016
    Messages:
    12
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    My Desk
    cPanel Access Level:
    Root Administrator
    That command gives me the following:

    -rw-r--r-- 1 root root 1926 Feb 25 2013 CentOS-Base.repo
    -rw-r--r-- 1 root root 638 Feb 25 2013 CentOS-Debuginfo.repo
    -rw-r--r-- 1 root root 630 Feb 25 2013 CentOS-Media.repo
    -rw-r--r-- 1 root root 3664 Feb 25 2013 CentOS-Vault.repo
    Thanks for your help :)
     
  11. Scott Baird

    Scott Baird Member

    Joined:
    Feb 18, 2016
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Spanish Fork, UT
    cPanel Access Level:
    Root Administrator
    Hi,
    I am sorry if I am intruding, and I will create a separate thread if the mods want me to. I thought that creating another thread for the same issue might not be a great idea so I am posting here.

    I have also been getting the same emails. Here is the basic info;
    1. Our server is hosted with Godaddy.
    2. I am unable to SSH to the server directly (by creating SSH keys on from the WHM). I create the keys, authorize them and then I get "Server refused public-key signature despite accepting key!" when I try to SSH to it.
    3. I created SSH keys from the cpanel of one of our sites and was able to ssh using the login details of the website (not the server/WHM).
    4. Server version: CENTOS 6.4 x86_64 standard – webserver WHM 11.52.3 (build 1)
    I ran the commands Michael asked Mathew to run, here is what I get.

    rpm -qa | grep openssl
    openssl-1.0.0-27.el6_4.2.x86_64
    openssl-devel-1.0.0-27.el6_4.2.x86_64​

    /etc/yum.repos.d/
    -jailshell: /etc/yum.repos.d/: No such file or directory​

    /etc/yum.repos.d/
    /bin/ls: cannot access /etc/yum.repos.d: No such file or directory​
     
    #11 Scott Baird, Feb 18, 2016
    Last edited: Feb 18, 2016
  12. Dimiter Dimitrov

    Joined:
    Feb 23, 2016
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Bulgaria
    cPanel Access Level:
    Root Administrator
    Hello there. I would like to join Matthew and Scott in their thread as I am experiencing the same problem - WHM is trying to update, but somehow the Openssl seems to be outdated and currently the system is offering to attempt to upgrade Openssl automatically. No manual/custom repos are installed on this server, it's been installed with a licensed WHM which is taking care of everything. My question here is: is it safe to let cPanel & WHM attempt to upgrade Openssl as part of the system update procedure, are there any risks of losing data on the server?

    Thank you very much in advance!
     
  13. Scott Baird

    Scott Baird Member

    Joined:
    Feb 18, 2016
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Spanish Fork, UT
    cPanel Access Level:
    Root Administrator
    Okay, so today I received an email saying

    "The cPanel & WHM update cannot proceed because the following service needs to be upgraded: Openssl

    You have 0 day and 0 hour until we attempt to upgrade Openssl.

    To continue using this version of Openssl, you must change your Update Preferences in WHM to Long Term Support (LTS).
    By switching to LTS, you will not receive new features and eventually will stop receiving security updates.

    cPanel & WHM version 11.52 will be the last LTS version to support this outdated version of Openssl.'

    For more information about Long Term Support, read the following: cPanel & WHM Long-Term Support - Documentation - cPanel Documentation.
    "

    I went to the WHM server itself and saw the following;

    Yellow intimation that says "The last attempt to update cPanel & WHM was blocked. Details"

    Clicking the Details reveal the following;

    "Reasons for blocked updates.
    Please correct these issues and rerun updates.
    fatal: The server cannot upgrade cPanel & WHM. Your system is running an old version of OpenSSL that does not support TLS1.2 which is required to help maintain PCI compliance.
    "

    How do I update the Openssl manually?
     
  14. Dimiter Dimitrov

    Joined:
    Feb 23, 2016
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Bulgaria
    cPanel Access Level:
    Root Administrator
    Scott, just to add that my feeling about the message "You have 0 day and 0 hour until we attempt to upgrade Openssl." is that WHM should automatically update Openssl - no manual action should be required. If this is not right, then there is something wrong with the messaging copy. I personally have switched to TLS (no updates) until we receive a reply from the staff here.
     
  15. MattDees

    MattDees cPanel Product Owner
    Staff Member

    Joined:
    Apr 29, 2005
    Messages:
    417
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    This is certainly concerning, if you have 0 hours and 0 days it SHOULD be updating it.

    We did make a call with in the project to not edit your /etc/yum.repos.d/ files. I would greatly appreciate seeing two things from these servers:

    What does /etc/yum.repos.d/CentOS-Base.repo looks like and what does the output of yum update -y openssl show?
     
  16. Scott Baird

    Scott Baird Member

    Joined:
    Feb 18, 2016
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Spanish Fork, UT
    cPanel Access Level:
    Root Administrator
    Okay, so I tried to manually update by going to htp://...../cpsess2926015290/scripts2/upcpform

    1. As soon as I hit the "Click to upgrade" button I got an email saying "Failed to upgrade the service, Openssl, automatically. Review the log for further details:"
    2. And then another email; "cPanel version change from “11.52.3.1” to “11.54.0.17” failed during updatenow." - Here is the - Removed - text file that was attached to the email.
    3. And then another email; "cPanel & WHM update failure in upcp script"- Here is the - Removed - text file that was attached to the email.
    On your question, the following is the response I got from Putty;
    1. [~]# /etc/yum.repos.d/CentOS-Base.repo
      -jailshell: /etc/yum.repos.d/CentOS-Base.repo: No such file or directory
    2. [~]# yum update -y openssl
      CRITICAL:yum.cli:Config Error: Error accessing file for config file:///etc/yum.conf
    As I mentioned earlier;
    1. I am unable to SSH to the server directly (by creating SSH keys on from the WHM). I create the keys, authorize them and then I get "Server refused public-key signature despite accepting key!" when I try to SSH to it.
    2. I created SSH keys from the cpanel of one of our sites and was able to ssh using the login details of the website (not the server/WHM).
     
    #16 Scott Baird, Feb 24, 2016
    Last edited by a moderator: Feb 29, 2016
  17. Dimiter Dimitrov

    Joined:
    Feb 23, 2016
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Bulgaria
    cPanel Access Level:
    Root Administrator
    Guys, today I tried upgrading manually Cpanel (just like Scott above) and it ended with a failure. Then I managed to manually upgrade Openssl in SSH and then re-run the upgrade of Cpanel - this time it was fine, now I am running the latest version. It seems to be something in the automatic update for Openssl which is not working properly...
     
  18. Scott Baird

    Scott Baird Member

    Joined:
    Feb 18, 2016
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Spanish Fork, UT
    cPanel Access Level:
    Root Administrator
    Dimiter, can you let me know which command I need to run in SSH to get SSL to update?
     
  19. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Thanks to everyone for taking the time to report this issue.

    1. The lack of units in the email notification is now addressed with case CPANEL-4112:

    Fixed case CPANEL-4112: Add time units to email text when a server is blocked over openssl upgrade.

    This will ensure that "days" and "hours" are properly added to this notification.

    2. The error messages when updating suggests an issue with the system package manager (YUM). You should be able to run "yum update" without an error on any system, so that's the first item to check. Then, use the following command to determine if the cPanel update will succeed when automatically installing the openssl package:

    Code:
    /scripts/yum_update_openssl
    Note that if you address any issues with YUM first, it's likely to proceed without an error messages.

    Thank you.
     
  20. Dimiter Dimitrov

    Joined:
    Feb 23, 2016
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Bulgaria
    cPanel Access Level:
    Root Administrator
    Scott,
    Code:
    yum update -y openssl
    You will need root access to execute this command.
     
Loading...

Share This Page