Don’t Upgrade OpenSSL If You’re Using Plesk (= Broken Controlpanel)

If you're using Plesk 9.x on a CentOS system, don't upgrade the openssl package from version 0:0.9.8e-12.el5_4.1 to 0:0.9.8e-12.el5_4.6. It will break your Plesk Controlpanel, causing it to no longer start up. You'll see a message similar to this.

[root@srv~]# /etc/init.d/psa start
Starting xinetd service...               done
Starting named service...             done
Starting mysqld service...           done
Plesk: Starting Mail Server... already started
Starting mail handlers tmpfs storage
Starting Plesk...                       failed

There won't be an obvious error message in any log file location (/var/log/*, /usr/local/psa/var/log/*, /usr/local/psa/admin/logs/*), but it will most likely be caused by your recent openssl upgrade. Solution is this.

Edit April 2nd: There's now a Knowledge Base article available by Parallels on this issue: "Latest update of openssl breaks Parallels panel". You might want to read that too, same solutions as stated below.

Edit April 2nd²: Parallels has release an official solution, using a Plesk update:

1) Downgrade method

If this works, it's the easiest solution. Just make sure that due to dependencies, nothing of Parallels or Plesk is removed along. If you see any psa* or plesk* packages in the dependency list, MOVE TO METHOD 2!!
[root@srv~]# yum downgrade openssl openssl-devel

2) Using RPM packages

Download the OpenSSL version 0.9.8e-12 5_4.6 for your architecture (these apply to CentOS).

You have to download these first! After completing the next steps, you'll be without openssl -- and downloading through wget or curl won't  work because of missing libraries. Please take note: the following is at your own risk (and if you lose your SSH connection in the meanwhile, you're screwed).

Find your current OpenSSL version, it should read version "el5_4.6″.

[root@srv~]# rpm -qa | grep -i openssl

Remove the package (if you haven't downloaded the openssl package yet, do so first !!). (due to the font of this blog, it's confusing, but the parameter = ' -- - nodeps').

[root@srv ~]# rpm -e --nodeps openssl-0.9.8e-12.el5_4.6

And re-install the correct version (replace the RPM with the one for your achitecture).

[root@srv  ~]# rpm -ivh openssl-0.9.8e-12.el5_4.1.x86_64.rpm
warning: openssl-0.9.8e-12.el5_4.1.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID e8562897
Preparing...                ########################################### [100%]
1:openssl                ########################################### [100%]

Afterwards, you'll be able to start Plesk again.

[root@srv~]# /etc/init.d/psa start
Starting xinetd service...               done
Starting named service...             done
Starting mysqld service...           done
Plesk: Starting Mail Server... already started
Starting mail handlers tmpfs storage
Starting Plesk...                       done
Since there's no update on Plesk yet, this is something to look out for!
Update: An official message from Parallels

For now the only workaround is to downgrade openssl, either with yum or with rpm (if yum is not configured):

# wget -c{openssl-0.9.8e-12.el5_4.1.x86_64.rpm,mod_ssl-2.2.3-31.el5.centos.2.x86_64.rpm,httpd-2.2.3-31.el5.centos.2.x86_64.rpm}

# rpm -Uvh --oldpackage {openssl-0.9.8e-12.el5_4.1.x86_64.rpm,mod_ssl-2.2.3-31.el5.centos.2.x86_64.rpm,httpd-2.2.3-31.el5.centos.2.x86_64.rpm}

# /etc/init.d/sw-cp-server start

Good luck!

Looking for help?

Tired of fixing all these tech-problems yourself? We've got an excellent team at Nucleus, a top-class Belgian hosting provider, that can help you. Discover our Managed Hosting, where skilled engineers manage your servers and keep them up-to-date, so you can focus on your core business. We use a variety of Configuration Management Systems such as Puppet to make sure every config is reviewed, unit-tested and guaranteed to be working.

Want to get in touch? Find me as @mattiasgeniar on Twitter or via the contact-page on my blog.

Tagged with: , , ,
Posted in Plesk
16 comments on “Don’t Upgrade OpenSSL If You’re Using Plesk (= Broken Controlpanel)
  1. Mihai Limbasan says:

    why not simply use

    yum downgrade openssl


    yum downgrade openssl openssl-devel

    instead of manually futzing with the rpms?

  2. Matti says:

    Because due to dependencies, you’ll also remove PSA (the controlpanel) itself as well.

  3. Mihai Limbasan says:

    That shouldn’t happen – have you tested it? On my systems, downgrading openssl and openssl-devel does not try to remove any package dependent on openssl. If you try downgrading just openssl and have openssl-devel installed, then yes, yum will offer to remove every package depending on openssl, but just include the -devel package on the same yum downgrade command line and you should be fine. You might have to include mod_ssl there, and/or other packages which depend *directly* on openssl (look at the depsolving output to figure out which).

    Can you check what your specific Plesk packages depend on?

  4. Matti says:

    I used RPM for 2 main reasons:
    -1) On Virtuozzo systems, yum isn’t enabled by default, but the use of RPM packages are (otherwise, the host needs to ‘vzpkg install -p [CTID] yum’ to install yum within the container)

    -2) I tested it on a new server, a downgrade would have also removed a lot of PSA packages, as well as some others (who I forgot now). On a Virtuozzo system, a downgrade seems to work though (just verified). I’ve updated the original article, does seem worth mentioning – Thx!

  5. Mihai Limbasan says:

    Most welcome. Wasn’t aware of that limitation of Virtuozzo containers, thanks.

  6. Matti says:

    FYI, this is the dependency removal list on some other systems. For this, you’d want to use the RPM method.

    [root@srv ~]# yum downgrade openssl
    Dependencies Resolved

    Package Arch
    openssl i686
    openssl x86_64
    openssl i686
    openssl x86_64
    Removing for dependencies:
    SSHTerm noarch
    mod_ssl x86_64
    psa x86_64
    psa-api-rpc noarch
    psa-atmail noarch
    psa-awstats-configurator noarch
    psa-backup-manager x86_64
    psa-horde noarch
    psa-imp noarch
    psa-ingo noarch
    psa-kronolith noarch
    psa-libpam-plesk x86_64
    psa-migration-manager x86_64
    psa-mimp noarch
    psa-mnemo noarch
    psa-passwd noarch
    psa-spamassassin x86_64
    psa-turba noarch
    psa-updates noarch

    Transaction Summary
    Install 2 Package(s)
    Update 0 Package(s)
    Remove 21 Package(s)

  7. keith D Mitchell says:

    Hey Gang,

    Parallel’s has released a fix for this. It was just released / revised today.

    It is necessary to update Parallels Panel web-engine:

    1. Download the appropriate package using the wget utility. Example for CentOS 5 x86:
    #wget -c

    A list of fixed packages:

    CentOS 5 x86
    CentOS 5 x86_64
    CentOS 4 x86
    CentOS 4 x86_64
    RHEL 4 x86
    RHEL 4 x86_64

    2. Install the downloaded package. Example for CentOS 5 x86:
    #rpm -Uhv sw-cp-server-1.0-6.201004011105.centos5.i386.rpm

  8. perk says:

    Yep, I disabled the control panel by installing subversion that installed the updated OpenSSL. About an hour later, control panel no – worky. Thanks for the “yum downgrade openssl openssl-devel” to fix. Saved me a ton of time.

  9. Matti says:

    In case anyone’s wondering, Parallels now has a KB on this too:

  10. Ali says:


    ‘yum downgrade openssl’ removed my psa by removing all dependencies (110 in total). Is there a way I can fix this, or should I throw in the towel and re-image the server?

  11. Matti says:

    @Ali; afraid you’ll have to reinstall/re-image. As stated in the article:
    1) Downgrade method:
    If this works, it’s the easiest solution. **Just make sure that due to dependencies, nothing of Parallels or Plesk is removed along.**

    If it happens again, you’ll have to switch to the RPM package removal.

  12. morgan says:

    Yet more evidence that you should not use Centos/Plesk ever…

    We have 100′s of servers, it is always the Centos ones that randomly break (bind/apache/plesk) with updates, Debian/Ubuntu are generally fine.

    Although to get a long support life do you really want to be running PHP 5.1.6 in 5 years time (when it is already next useless for web application support)

    Centos is like running Linux half a decade ago….

  13. Matti says:

    @Morgan; I disagree, we run a fair share of CentOS systems as well, and it’s those systems that are the most stable. We experience more troubles with Ubuntu’s/Debian that break services upon upgrade. Besides, this openssl update would’ve also broken every other Linux-distro out there, in combination with Plesk.

    It’s a matter of applying the correct Plesk update, and the problem is fixed (which goes for Apache/Bind/MySQL/… as well!).

  14. sam says:


    saw this post

    yum downgrade openssl removed plesk

  15. Ryan says:

    What to do in the case of Plesk 8.6.x with openssl if we don’t want to upgrade to Plesk 9.x

    • Matti says:

      @Ryan: I can’t say, I haven’t had that problem. For now, I can only think of upgrading to Plesk 9, as I think Plesk 8 is considdered “outdated”, and probably won’t be receiving these updates any more.

2 Pings/Trackbacks for "Don’t Upgrade OpenSSL If You’re Using Plesk (= Broken Controlpanel)"
  1. Social comments and analytics for this post…

    This post was mentioned on Reddit by Moocha: Do **not** remove the openssl package as detailed in the article. It’s certainly a possibility, but it’s a very fragile and error-prone process. Instead, just use yum’s builtin downgrade facility: yum dow…

  2. Bail Bonds Los Angeles…

    [...]these are several web page links to places which I link to seeing as we believe they will be worthwhile checking out[...]…

Leave a Reply

Your email address will not be published. Required fields are marked *



You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>