Can't update&upgrade anymore @ UM 18.04 v2 LTS

mate2go · 28 June 2019 09:10

ok...

find /usr/local -name "openssl" -delete

find: cannot delete ‘/usr/local/share/doc/openssl’: Directory not empty
find: cannot delete ‘/usr/local/include/openssl’: Directory not empty

which openssl

Output:
/usr/bin/openssl

openssl binary placed in folder:
/bin
/usr/bin/

but:

/usr/bin/openssl version

/usr/bin/openssl: /usr/local/lib/libssl.so.1.1: version OPENSSL_1_1_1' not found (required by /usr/bin/openssl) /usr/bin/openssl: /usr/local/lib/libcrypto.so.1.1: version OPENSSL_1_1_1' not found (required by /usr/bin/openssl)

/bin/openssl version

OpenSSL 1.1.0g 2 Nov 2017

Do I have to delete the openssl binary in /bin?

Do I need package?
openssl1.0

I did this:

I deleted openssl binary in /bin
Deleted:

/usr/local/lib/libcrypto.so
/usr/local/lib/libcrypto.so.1.0.0
/usr/local/lib/libcrypto.so.1.1

/usr/local/lib/libssl.so
/usr/local/lib/libssl.so.1.0.0
/usr/local/lib/libssl.so.1.1

then:
apt-get install --reinstall openssl
apt-get install --reinstall libssl1.1

which openssl
Output:
/usr/bin/openssl

/usr/bin/openssl version

Output:
OpenSSL 1.1.1 11 Sep 2018

What about package "openssl1.0 & libssl1.0.0"
Do I need them?

Packages openssl1.0 is not installed and libssl1.0.0 is installed.

mate2go · 28 June 2019 09:20

Installed OpenSSL packages:

libevent-openssl-2.1-6 (2.1.8-stable-4build1)
libgnutls-openssl27 (3.5.18-1ubuntu1.1)
openssl (1.1.1-1ubuntu2.1~18.04.3)
perl-openssl-defaults (3build1)
python-openssl (17.5.0-1ubuntu1)
python3-openssl (17.5.0-1ubuntu1)
libssl-dev (1.1.1-1ubuntu2.1~18.04.3)
libssl-doc (1.1.1-1ubuntu2.1~18.04.3)
libssl1.0.0 (1.0.2n-1ubuntu5.3)
libssl1.1 (1.1.1-1ubuntu2.1~18.04.3)

whereis openssl

Output:
/usr/bin/openssl
/usr/include/openssl
/usr/share/man/man1/openssl.1ssl.gz

mate2go · 28 June 2019 11:35

openssl version -a

Output:

OpenSSL 1.1.1 11 Sep 2018
built on: Fri Jun 14 12:50:28 2019 UTC
platform: debian-amd64
options: bn(64,64) rc4(8x,int) des(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-OlMTmP/openssl-1.1.1=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
Seeding source: os-specific

Is that right @ lah7?

mate2go · 28 June 2019 12:28

Yeah Update-Manager is working now. It was a OpenSSL problem.

What's with /etc/update-manager/meta-release?

Can I use?
#'https'#
URI = https://changelogs.ubuntu.com/meta-release
URI_LTS = https://changelogs.ubuntu.com/meta-release-lts

or should it?
URI = http://changelogs.ubuntu.com/meta-release
URI_LTS = http://changelogs.ubuntu.com/meta-release-lts

lah7 · 28 June 2019 17:54

Great stuff - I'm not sure how you've ended up with a ~~custom~~ broken build of OpenSSL but at least it's working again.

I just checked an up-to-date 18.04 instance and the latest version of OpenSSL is indeed 1.1.1 11 Sep 2018.

For /etc/update-manager/meta-release, the default (and recommended) is https - the s meaning secure connections are established to the server, reducing the chance of a man-in-the-middle attack while it is in transit over the internet.

mate2go · 29 June 2019 08:34

I have @ /etc/update-manager/meta-release:

URI = https://changelogs.ubuntu.com/meta-release
URI_LTS = https://changelogs.ubuntu.com/meta-release-lts

sudo apt-get update

Output:
Hit:1 Index of /graphics-drivers/ppa/ubuntu bionic InRelease
Hit:2 Index of /ubuntu bionic InRelease
Get:3 Index of /ubuntu bionic-updates InRelease [88,7 kB]
Get:6 Index of /ubuntu bionic-security InRelease [88,7 kB]
Get:10 Index of /ubuntu bionic-updates/main amd64 Packages [676 kB]
Get:11 Index of /ubuntu bionic-updates/main i386 Packages [554 kB]
Get:12 Index of /ubuntu bionic-updates/universe amd64 Packages [964 kB]
Get:13 Index of /ubuntu bionic-updates/universe i386 Packages [948 kB]
Get:14 Index of /ubuntu bionic-security/main amd64 Packages [443 kB]
Get:15 Index of /ubuntu bionic-security/main i386 Packages [334 kB]

How can I change all http urls to https?

Edit my sources.list and change all urls there to https?

lah7 · 29 June 2019 15:30

Yes, change them in /etc/apt/sources.list and /etc/apt/sources.list.d/, then run sudo apt update again.

mate2go · 30 June 2019 19:02

ok, I'll do that, thanks......

mate2go · 30 June 2019 19:37

@ lah7, which ubuntu package apt server do you have in sources.list with https?

these not working with https:
deb https://de.archive.ubuntu.com/ubuntu/ bionic main restricted
deb https://de.archive.ubuntu.com/ubuntu/ bionic-updates main restricted

deb https://de.archive.ubuntu.com/ubuntu/ bionic universe
deb https://de.archive.ubuntu.com/ubuntu/ bionic-updates universe

deb https://de.archive.ubuntu.com/ubuntu/ bionic-security main restricted
deb https://de.archive.ubuntu.com/ubuntu/ bionic-security universe

so I revert back to http, after that it works again.

lah7 · 30 June 2019 20:16

My bad! I replied while I was on my phone and didn't actually check my sources.list or if the server actually supports HTTPS, which it doesn't.

deb http://gb.archive.ubuntu.com/ubuntu/ bionic main restricted
deb http://gb.archive.ubuntu.com/ubuntu/ bionic-updates main restricted
deb http://gb.archive.ubuntu.com/ubuntu/ bionic universe
deb http://gb.archive.ubuntu.com/ubuntu/ bionic-updates universe
deb http://gb.archive.ubuntu.com/ubuntu/ bionic multiverse
deb http://gb.archive.ubuntu.com/ubuntu/ bionic-updates multiverse
deb http://gb.archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu bionic-security main restricted
deb http://security.ubuntu.com/ubuntu bionic-security universe
deb http://security.ubuntu.com/ubuntu bionic-security multiverse

While HTTPS is generally important to have, it's not necessary for Apt packages as they are signed with a key trusted by the system. So in this case, security is not compromised as the package will be refused if it was tampered with.

Here's a more detailed explanation:

So, these need to stay HTTP. Sorry, I should have double checked.

joeccosta · 20 June 2021 23:20

This solution solved my issue, tks

Larry_C · 7 September 2022 02:13

In Ubuntu 18.04.6 LTS I was frustrated by SEGV crashes,
in do-release-upgrade ( ubuntu-release-upgrader/check-new-release ) every time.
Also I got a consistent SEGV if I tried to run update-manager
I had tried lots of other things, lots of other checking ... to find the problem.
And was not figuring it out. That is, until I walked through this post. ( Which is grand, BTW )
Hooray, my problem was caused by an installation of openssl-1.1.0f under /usr/local/...
for which I had no source build ; but I was able to, manually, clean out those files - and that finally resolved it.
Thanks !!