Question

Did the digitalocean agent break new rockylinux 9 installs?

I’m seeing something off on a RockyLinux9 I just built - I can’t ssh into it after building it - it disconnects immediately

The log says:

sshd[20776]: OpenSSL version mismatch. Built against 30000070, you have 30200020

Googling that leads me to an article warning about partially upgrading your system: https://forums.rockylinux.org/t/rocky-linux-and-openssl-3-2-2/16622/2

However, I didn’t update anything yet. But it looks like cloudinit did:

# rpm -qa --last|egrep '(ssh|ssl|agent)'
openssl-3.2.2-6.el9_5.x86_64                  Thu 02 Jan 2025 08:29:46 AM UTC
openssl-libs-3.2.2-6.el9_5.x86_64             Thu 02 Jan 2025 08:29:03 AM UTC
droplet-agent-1.2.8-1.x86_64                  Thu 02 Jan 2025 08:18:31 AM UTC
qemu-guest-agent-7.2.0-14.el9_2.x86_64        Sat 13 May 2023 09:43:03 PM UTC
openssh-server-8.7p1-29.el9_2.x86_64          Sat 13 May 2023 09:43:02 PM UTC
openssh-clients-8.7p1-29.el9_2.x86_64         Sat 13 May 2023 09:42:54 PM UTC
openssh-8.7p1-29.el9_2.x86_64                 Sat 13 May 2023 09:42:26 PM UTC
libssh-0.10.4-8.el9.x86_64                    Sat 13 May 2023 09:42:25 PM UTC
libssh-config-0.10.4-8.el9.noarch             Sat 13 May 2023 09:42:19 PM UTC

Indeed: openssl was updated, ssh wasn’t.

So from what I can tell:

  • droplet-agent isn’t rolled into the base image
  • cloud-init automatically installs it
  • this triggers an update of openssl but not openssh, which leads to the problem described in the rockylinux forum
  • sshd is broken shortly after machine creation

The fix is simple enough - a dnf upgrade after logging in… but this breaks automation through ansible as it can’t log in.

Does anyone know of a nice workaround?

And I wonder who’s really at fault anyway/where to report it?



Bobby Iliev
Site Moderator
January 2, 2025

Hey Arnold! 👋

Thanks for sharing the issue—it’s very helpful! I’ll make sure to forward this to the DigitalOcean team internally so they can look into it.

One thing that you could try here is before the droplet-agent triggers the openssl update, you can add a custom cloud-init script to run a dnf upgrade right after the droplet is created. For example:

#cloud-config
runcmd:
  - dnf upgrade -y

This should make sure that all related packages, including openssh, are updated to match the new openssl version during initialization.

Let me know how it goes!

- Bobby

It happens when openssl is upgraded but openssh isn’t. Known issue with RedHat: https://access.redhat.com/solutions/7101587

For example, if you install perl, it forces the upgrade of openssl but does not upgrade openssh.

Quick fix is to upgrade openssh. Hopefully you have console or physical access to the server. If you’re using ssh key authentication, you might be screwed. Digital Ocean support was unable to help. They kept telling me to reset the root password, which you can’t do on Rocky with ssh key auth. Fun times.
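
An added example, not part of the original thread: a small POSIX shell helper that decodes the two hex values in the sshd message quoted in the question, so console or journal output can be checked for this package skew before automation tries to log in. It assumes the OpenSSL 3.x version-number layout `0xMNN00PPS` (major, minor, patch, status nibble); the function names are hypothetical.

```shell
#!/bin/sh
# Decode an 8-digit hex OpenSSL 3.x version number (layout MNN00PPS) to "M.N.P".
decode_openssl_ver() {
    hex=$1
    case $hex in
        ''|*[!0-9A-Fa-f]*) return 1 ;;      # reject empty or non-hex input
    esac
    [ "${#hex}" -eq 8 ] || return 1
    n=$((0x$hex))
    major=$(( (n >> 28) & 0xf ))
    minor=$(( (n >> 20) & 0xff ))
    patch=$(( (n >> 4) & 0xff ))
    [ "$major" -ge 3 ] || return 1          # pre-3.0 releases use another layout
    echo "$major.$minor.$patch"
}

# Parse sshd's "OpenSSL version mismatch" line.
# Prints "built=<ver> runtime=<ver>"; returns 1 for any other line.
explain_mismatch() {
    line=$1
    case $line in
        *"OpenSSL version mismatch. Built against "*", you have "*) ;;
        *) return 1 ;;
    esac
    built=${line##*"Built against "}
    built=${built%%,*}
    runtime=${line##*"you have "}
    runtime=${runtime%%[!0-9A-Fa-f]*}       # drop anything after the hex digits
    b=$(decode_openssl_ver "$built") || return 1
    r=$(decode_openssl_ver "$runtime") || return 1
    echo "built=$b runtime=$r"
}

# Read log lines on stdin; report each mismatch, return 0 if any was found.
scan_log() {
    found=1
    while IFS= read -r l; do
        if out=$(explain_mismatch "$l"); then
            echo "openssh/openssl skew: $out"
            found=0
        fi
    done
    return $found
}

# The log line from the question above.
explain_mismatch 'sshd[20776]: OpenSSL version mismatch. Built against 30000070, you have 30200020'
```

The decoded runtime version matches the `openssl-libs-3.2.2` package in the `rpm -qa --last` output from the question.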
