Centos v1.8.8 Upgrade Fail - bcrypt

CyberPanel Project Bug Report
1

Hi,

I just tried to perform an upgrade of CP to v1.8.8 I was on either 1.8.7 or 1.8.6 before. I receive the following errors:

phpunit/phpunit suggests installing phpunit/php-invoker (~1.1)
Package phpunit/phpunit-mock-objects is abandoned, you should avoid using it. No replacement was suggested.
Generating autoload files
Requirement already satisfied (use --upgrade to upgrade): tldextract in /usr/lib/python2.7/site-packages
Requirement already satisfied (use --upgrade to upgrade): requests-file>=1.4 in /usr/lib/python2.7/site-packages (from tldextract)
Requirement already satisfied (use --upgrade to upgrade): idna in /usr/lib/python2.7/site-packages (from tldextract)
Requirement already satisfied (use --upgrade to upgrade): setuptools in /usr/lib/python2.7/site-packages (from tldextract)
Requirement already satisfied (use --upgrade to upgrade): requests>=2.1.0 in /usr/lib/python2.7/site-packages (from tldextract)
Requirement already satisfied (use --upgrade to upgrade): six in /usr/lib/python2.7/site-packages (from requests-file>=1.4->tldextract)
Requirement already satisfied (use --upgrade to upgrade): chardet<3.1.0,>=3.0.2 in /usr/lib/python2.7/site-packages (from requests>=2.1.0->tldextract)
Requirement already satisfied (use --upgrade to upgrade): urllib3<1.23,>=1.21.1 in /usr/lib/python2.7/site-packages (from requests>=2.1.0->tldextract)
Requirement already satisfied (use --upgrade to upgrade): certifi>=2017.4.17 in /usr/lib/python2.7/site-packages (from requests>=2.1.0->tldextract)
From cffi callback <function _verify_callback at 0x7ff984101aa0>:
Traceback (most recent call last):
File “/usr/lib/python2.7/site-packages/OpenSSL/SSL.py”, line 313, in wrapper
_lib.X509_up_ref(x509)
AttributeError: ‘module’ object has no attribute ‘X509_up_ref’

[10-24-18-Thu-Aug-2019] #########################################################################

[10-24-18-Thu-Aug-2019] Install tldextract successful.

[10-24-18-Thu-Aug-2019] #########################################################################

Collecting bcrypt
From cffi callback <function _verify_callback at 0x7f602ceff500>:
Traceback (most recent call last):
File “/usr/lib/python2.7/site-packages/OpenSSL/SSL.py”, line 313, in wrapper
_lib.X509_up_ref(x509)
AttributeError: ‘module’ object has no attribute ‘X509_up_ref’
Could not fetch URL https://pypi.python.org/simple/bcrypt/: There was a problem confirming the ssl certificate: (“bad handshake: Error([(‘SSL routines’, ‘ssl3_get_server_certificate’, ‘certificate verify failed’)],)”,) - skipping
Could not find a version that satisfies the requirement bcrypt (from versions: )
No matching distribution found for bcrypt
From cffi callback <function _verify_callback at 0x7f602cf24848>:
Traceback (most recent call last):
File “/usr/lib/python2.7/site-packages/OpenSSL/SSL.py”, line 313, in wrapper
_lib.X509_up_ref(x509)
AttributeError: ‘module’ object has no attribute ‘X509_up_ref’

Looks like it can’t verify the SSL cert to retrive the package. So upgrade script aborts.

Now I can’t access CP on 8090, I get a 503 error every time. Tried rebooting the server and chmod 777 /tmp + service reboot lscpd. Still nothing.

tail -n 50 /home/cyberpanel/error-logs.txt doesn’t show any errors for this timeframe just updating SSL certs earlier in the day.

Thankfully websites are up and mail is being received ok. Just no CP access.

Please can someone check and advise best course of action to fix CP access & update without failure as I tried the link: Links for bcrypt in a browser and it’s SSL is configured fine.

Kind regards,

Richard

2

What happens if you run pip install bcrypt?

3

Thanks for the reply:

Collecting bcrypt
From cffi callback <function _verify_callback at 0x7f83ad493500>:
Traceback (most recent call last):
File “/usr/lib/python2.7/site-packages/OpenSSL/SSL.py”, line 313, in wrapper
_lib.X509_up_ref(x509)
AttributeError: ‘module’ object has no attribute ‘X509_up_ref’
Could not fetch URL https://pypi.python.org/simple/bcrypt/: There was a problem confirming the ssl certificate: (“bad handshake: Error([(‘SSL routines’, ‘ssl3_get_server_certificate’, ‘certificate verify failed’)],)”,) - skipping
Could not find a version that satisfies the requirement bcrypt (from versions: )
No matching distribution found for bcrypt
From cffi callback <function _verify_callback at 0x7f83ad4b5848>:
Traceback (most recent call last):
File “/usr/lib/python2.7/site-packages/OpenSSL/SSL.py”, line 313, in wrapper
_lib.X509_up_ref(x509)
AttributeError: ‘module’ object has no attribute ‘X509_up_ref’

I could try updating pip, sure it’s a much higher version number now.

pip 8.1.2 from /usr/lib/python2.7/site-packages (python 2.7)

4

Tried some SSL3 tests:

Looks like it’s a problem with SSL3 vs TLS?

[root@ai ~]# curl Links for bcrypt

301 Moved Permanently

301 Moved Permanently

[root@ai ~]# openssl s_client -connect pypi.python.org:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1

Connected with TLS v1.2

[root@ai ~]# openssl s_client -connect pypi.python.org:443 -ssl3
CONNECTED(00000003)
140490371872656:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
140490371872656:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 0 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1564736189
Timeout : 7200 (sec)
Verify return code: 0 (ok)

[root@ai ~]# openssl s_client -connect www.google.com:443 -ssl3
CONNECTED(00000003)
140094844516240:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:365:

[root@ai ~]# openssl s_client -connect www.google.com:443
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1

Connects with TLS v1.2

5
6

Thank you for that, it took a little more messing about, but it certainly gave me the courage to poke away at trying to uninstall pip, pyOpenSSL & cryptography.

Here’s what I’ve done:

yum remove pyOpenSSL
pip uninstall cryptography

---- A message saying I can pip upgrade: before it said v8 was latest even trying to tell it to upgrade! ----

pip install --upgrade pip
pip install cryptography
yum install pyOpenSSL

pip install bcrypt

bcrypt installs now!

Repeat CP upgrade and it works.

I know 100% that I had pip v19 installed, it’s how I knew v8 looked really wrong. I seem to see this happen a couple of times now with upgrades of CP and PIP downgrading which is really strange, but never this issue before with SSL.

Anyways, back up and running :wink:

7

Uggh just got a notification that email sign-in failed on my phone. I am going to assume this is the pw hashing issue others have had. I’ll attempt password updates.

8

Just to follow up, password resets work, but all email accounts require it. Also, inbound email stopped working.

chmod 644 /etc/postfix/dynamicmaps.cf
systemctl restart postfix

Resolves this.

Fingers crossed no more issues.

9

Great @Richard