Ubuntu 14 - SSH stopped working after updating openssl

October 28, 2018
Apache

I ran the usual update sequence of apt update && apt upgrade && apt-dist upgrade. Right after that, my script, which has a routine that does a git pull and then backs up its runtime logs by pushing to git, stopped working with this error:

139890995726016:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:185:filename(libssl_conf.so): libssl_conf.so: cannot open shared object file: No such file or directory
139890995726016:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
139890995726016:error:0E07506E:configuration file routines:MODULE_LOAD_DSO:error loading dso:conf_mod.c:285:module=ssl_conf, path=ssl_conf
139890995726016:error:0E076071:configuration file routines:MODULE_RUN:unknown module name:conf_mod.c:222:module=ssl_conf
fatal: Could not read from remote repository.

The bigger problem is I now cannot ssh into my server.

What can I do? Please help!

Is the server lost?

This is the SSL relevant apt-upgrade section:

The following packages will be upgraded:
  libapache2-mod-php7.0 libssl-dev libssl-doc libssl1.1 openssl php7.0
  php7.0-cli php7.0-common php7.0-curl php7.0-json php7.0-mysql php7.0-opcache
  php7.0-readline php7.0-xml php7.0-zip php7.1-cli php7.1-common php7.1-json
  php7.1-opcache php7.1-readline php7.1-xml php7.2-cli php7.2-common
  php7.2-json php7.2-opcache php7.2-readline php7.2-xml php7.2-zip tzdata
29 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 14.8 MB of archives.
After this operation, 1,871 kB of additional disk space will be used.
Get:1 http://ppa.launchpad.net/ondrej/apache2/ubuntu/ trusty/main libssl-doc all 1.1.1-1+ubuntu14.04.1+deb.sury.org+0.1 [1,736 kB]
Get:2 http://mirrors.digitalocean.com/ubuntu/ trusty-updates/main tzdata all 2018f-0ubuntu0.14.04 [165 kB]
Get:3 http://ppa.launchpad.net/ondrej/apache2/ubuntu/ trusty/main libssl-dev amd64 1.1.1-1+ubuntu14.04.1+deb.sury.org+0.1 [1,769 kB]
Get:4 http://ppa.launchpad.net/ondrej/apache2/ubuntu/ trusty/main libssl1.1 amd64 1.1.1-1+ubuntu14.04.1+deb.sury.org+0.1 [1,490 kB]
Get:5 http://ppa.launchpad.net/ondrej/php/ubuntu/ trusty/main libapache2-mod-php7.0 amd64 7.0.32-3+ubuntu14.04.1+deb.sury.org+1 [1,195 kB]
Get:6 http://ppa.launchpad.net/ondrej/php/ubuntu/ trusty/main php7.0-cli amd64 7.0.32-3+ubuntu14.04.1+deb.sury.org+1 [1,254 kB]
Get:7 http://ppa.launchpad.net/ondrej/php/ubuntu/ trusty/main php7.0-common amd64 7.0.32-3+ubuntu14.04.1+deb.sury.org+1 [881 kB]
Get:8 http://ppa.launchpad.net/ondrej/php/ubuntu/ trusty/main php7.0-json amd64 7.0.32-3+ubuntu14.04.1+deb.sury.org+1 [17.2 kB]
Get:9 http://ppa.launchpad.net/ondrej/php/ubuntu/ trusty/main php7.0-opcache amd64 7.0.32-3+ubuntu14.04.1+deb.sury.org+1 [77.5 kB]
Get:10 http://ppa.launchpad.net/ondrej/php/ubuntu/ trusty/main php7.0-readline amd64 7.0.32-3+ubuntu14.04.1+deb.sury.org+1 [12.3 kB]
Get:11 http://ppa.launchpad.net/ondrej/apache2/ubuntu/ trusty/main openssl amd64 1.1.1-1+ubuntu14.04.1+deb.sury.org+0.1 [820 kB]
6 comments
  • Did you try using the console from the control panel to access your server?
    https://www.digitalocean.com/docs/droplets/how-to/connect-with-console/

  • That does not solve the problem.

  • I mean, I am still logged in with that session; it didn’t kick me out. I just don’t understand what happened and how to restore my SSH access. The server needs to be managed; it is used by a business.

  • This is definitely an issue with OpenSSL 1.1.1. I am getting exactly the same issue on 14.04.1 after an apt dist-upgrade.

    Cannot roll back as the old version is no longer available in the packages.

    Can we please have the old version (1.1.0h) made available so we can downgrade?

  • I got an error trying to execute:

    $ sudo apt install openssl=1.1.0h-2.0+ubuntu14.04.1+deb.sury.org+1
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    E: Version '1.1.0h-2.0+ubuntu14.04.1+deb.sury.org+1' for 'openssl' was not found
    
    

    I had to run first:

    $ apt-cache policy openssl
    openssl:
      Installed: 1.0.1f-1ubuntu2.26
      Candidate: 1.1.1-1+ubuntu14.04.1+deb.sury.org+0.1
      Version table:
     *** 1.1.1-1+ubuntu14.04.1+deb.sury.org+0.1 0
            500 http://ppa.launchpad.net/ondrej/apache2/ubuntu/ trusty/main amd64 Packages
         1.0.1f-1ubuntu2.26 0
            500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
            500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
            100 /var/lib/dpkg/status
         1.0.1f-1ubuntu2 0
            500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
    

    Then I downgraded openssl to 1.0.1f-1ubuntu2.26 by running the following command:

    $ sudo apt-get install openssl=1.0.1f-1ubuntu2.26
    

    Finally:

    $ sudo service ssh restart
    

    :)

    We have to wait for the new corrected package…

2 Answers

Not solved but cannot edit anymore: it appears the new packages are buggy (updated on the Sury repository 14 hours ago). Downgrading openssl and libssl1.1 to previous versions returned git to function; still no ssh.

$ openssl version
OpenSSL 1.1.1  11 Sep 2018
$ sudo apt install openssl=1.1.0h-2.0+ubuntu14.04.1+deb.sury.org+1
$ openssl version
=> OpenSSL 1.1.0h  27 Mar 2018 (Library: OpenSSL 1.1.1  11 Sep 2018)
This fixed git.

edit:

Downgrading everything openssl-related and restarting SSH solves the issue.

In case someone lands here, all the previous versions of packages are logged in /var/log/apt/history.log

libssl1.1:amd64 (1.1.0h-2.0+ubuntu14.04.1+deb.sury.org+1, 1.1.1-1+ubuntu14.04.1+deb.sury.org+0.1)
libssl-dev:amd64 (1.1.0h-2.0+ubuntu14.04.1+deb.sury.org+1, 1.1.1-1+ubuntu14.04.1+deb.sury.org+0.1)
libssl-doc:amd64 (1.1.0h-2.0+ubuntu14.04.1+deb.sury.org+1, 1.1.1-1+ubuntu14.04.1+deb.sury.org+0.1)
openssl:amd64 (1.1.0h-2.0+ubuntu14.04.1+deb.sury.org+1, 1.1.1-1+ubuntu14.04.1+deb.sury.org+0.1)

and then sudo service ssh restart

Correct open ports:

$ netstat -tlpn
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 ::1:25                  :::*                    LISTEN      -
tcp6       0      0 :::443                  :::*                    LISTEN      -
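
The answer above points to /var/log/apt/history.log as the record of previous package versions. As an added example (not part of the original posts), the POSIX shell functions below read the most recent Upgrade: entry from such a log and build a dry-run apt-get command that pins each OpenSSL-related package back to its old version. The function names, the examplepkg package and the sample log are constructed for illustration; the OpenSSL versions are the ones quoted in this thread.

```sh
#!/bin/sh
# Added example: rebuild a downgrade command from apt's history log.
# Upgrade lines have the form:
#   Upgrade: pkg:arch (old, new), pkg:arch (old, new), ...

# previous_versions LOG REGEX -> prints "pkg:arch=old" for each matching
# package, taken from the most recent Upgrade: line only.
previous_versions() {
    log=$1; pattern=$2
    line=$(grep '^Upgrade: ' "$log" | tail -n 1)
    line=${line#Upgrade: }
    while [ -n "$line" ]; do
        case $line in *\)*) ;; *) break ;; esac   # malformed tail: stop
        entry=${line%%\)*}                        # "name:arch (old, new"
        line=${line#*\)}; line=${line#, }         # drop the consumed entry
        name=${entry%% \(*}
        old=${entry#*\(}; old=${old%%, *}
        if printf '%s\n' "$name" | grep -Eq "$pattern"; then
            printf '%s=%s\n' "$name" "$old"
        fi
    done
}

# downgrade_command LOG REGEX -> one apt-get line; --simulate keeps it a
# dry run so the resulting dependency changes can be reviewed first.
downgrade_command() {
    specs=$(previous_versions "$1" "$2" | tr '\n' ' ')
    [ -n "$specs" ] || return 1                   # nothing matched
    printf 'apt-get install --simulate %s\n' "${specs% }"
}

# Constructed sample log: dates, examplepkg and the 0.0-constructed
# version are made up; the other versions are quoted from this thread.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Start-Date: 2018-10-01  06:00:00
Upgrade: openssl:amd64 (0.0-constructed, 1.1.0h-2.0+ubuntu14.04.1+deb.sury.org+1)
End-Date: 2018-10-01  06:00:05

Start-Date: 2018-10-28  06:00:00
Upgrade: libssl1.1:amd64 (1.1.0h-2.0+ubuntu14.04.1+deb.sury.org+1, 1.1.1-1+ubuntu14.04.1+deb.sury.org+0.1), examplepkg:amd64 (1.0, 1.1), libssl-dev:amd64 (1.1.0h-2.0+ubuntu14.04.1+deb.sury.org+1, 1.1.1-1+ubuntu14.04.1+deb.sury.org+0.1), libssl-doc:amd64 (1.1.0h-2.0+ubuntu14.04.1+deb.sury.org+1, 1.1.1-1+ubuntu14.04.1+deb.sury.org+0.1), openssl:amd64 (1.1.0h-2.0+ubuntu14.04.1+deb.sury.org+1, 1.1.1-1+ubuntu14.04.1+deb.sury.org+0.1)
End-Date: 2018-10-28  06:00:30
EOF

downgrade_command "$SAMPLE_LOG" '^(openssl|libssl)'
```

If apt reports a version as not found, as in the comment above, the old .deb may still be in /var/cache/apt/archives. Remove --simulate only after the dry run shows the expected set of packages.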