OpenSSL update failing

[kenjakt]

Hello all,

I have a system running CentOS 6.5 and I am trying to update openssl from version 1.0.1e-16.el6_5.7 to 1.0.1e-30.el6_6.7 through the "yum update openssl" command, but I am unable to do it and get the following error.

Error: Multilib version problems found. This often means that the root
cause is something else and multilib version checking is just
pointing out that there is a problem. Eg.:

1. You have an upgrade for openssl which is missing some
dependency that another package requires. Yum is trying to
solve this by installing an older version of openssl of the
different architecture. If you exclude the bad architecture
yum will tell you what the root cause is (which package
requires what). You can try redoing the upgrade with
--exclude openssl.otherarch ... this should give you an error
message showing the root cause of the problem.

2. You have multiple architectures of openssl installed, but
yum can only see an upgrade for one of those arcitectures.
If you don't want/need both architectures anymore then you
can remove the one with the missing update and everything
will work.

3. You have duplicate versions of openssl installed already.
You can use "yum check" to get yum show these errors.

...you can also use --setopt=protected_multilib=false to remove
this checking, however this is almost never the correct thing to
do as something else is very likely to go wrong (often causing
much more problems).

Protected multilib versions: openssl-1.0.1e-30.el6_5.2.i686 != openssl-1.0.1e-30.el6_6.7.x86_64
You could try using --skip-broken to work around the problem

An rpm qurey tells me that there are no 32 bit versions of openssl installed on the system.
$rpm -qa | grep openssl
openssl-1.0.1e-16.el6_5.7.x86_64
openssl-devel-1.0.1e-16.el6_5.7.x86_64

Any pointers on how I can resolve this issue would be really helpful

Regards

[TrevorH]

Was that the entire output from yum?

[kenjakt]

It generates a lot of output involving checking for dependencies. Here we go,

# yum update openssl.x86_64
C6.5-updates | 2.9 kB 00:00
Rocks-6.1.1 | 3.6 kB 00:00
dl.atrpms.net_el6-x86_64_atrpms_stable | 3.0 kB 00:00
testing-1.1-devtools-6 | 951 B 00:00
testing-devtools-2-centos-6 | 951 B 00:00
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 0:1.0.1e-16.el6_5.7 will be updated
--> Processing Dependency: openssl = 1.0.1e-16.el6_5.7 for package: openssl-devel-1.0.1e-16.el6_5.7.x86_64
---> Package openssl.x86_64 0:1.0.1e-30.el6_6.7 will be an update
--> Running transaction check
---> Package openssl-devel.x86_64 0:1.0.1e-16.el6_5.7 will be updated
---> Package openssl-devel.x86_64 0:1.0.1e-30.el6_5.2 will be an update
--> Processing Dependency: openssl = 1.0.1e-30.el6_5.2 for package: openssl-devel-1.0.1e-30.el6_5.2.x86_64
--> Running transaction check
---> Package openssl.i686 0:1.0.1e-30.el6_5.2 will be installed
--> Processing Dependency: libz.so.1 for package: openssl-1.0.1e-30.el6_5.2.i686
--> Processing Dependency: libkrb5.so.3(krb5_3_MIT) for package: openssl-1.0.1e-30.el6_5.2.i686
--> Processing Dependency: libkrb5.so.3 for package: openssl-1.0.1e-30.el6_5.2.i686
--> Processing Dependency: libk5crypto.so.3(k5crypto_3_MIT) for package: openssl-1.0.1e-30.el6_5.2.i686
--> Processing Dependency: libk5crypto.so.3 for package: openssl-1.0.1e-30.el6_5.2.i686
--> Processing Dependency: libgssapi_krb5.so.2 for package: openssl-1.0.1e-30.el6_5.2.i686
--> Processing Dependency: libcom_err.so.2 for package: openssl-1.0.1e-30.el6_5.2.i686
--> Running transaction check
---> Package krb5-libs.i686 0:1.10.3-15.el6_5.1 will be installed
--> Processing Dependency: libselinux.so.1 for package: krb5-libs-1.10.3-15.el6_5.1.i686
--> Processing Dependency: libkeyutils.so.1(KEYUTILS_0.3) for package: krb5-libs-1.10.3-15.el6_5.1.i686
--> Processing Dependency: libkeyutils.so.1 for package: krb5-libs-1.10.3-15.el6_5.1.i686
---> Package libcom_err.x86_64 0:1.41.12-18.el6 will be updated
--> Processing Dependency: libcom_err = 1.41.12-18.el6 for package: e2fsprogs-libs-1.41.12-18.el6.x86_64
--> Processing Dependency: libcom_err = 1.41.12-18.el6 for package: libcom_err-devel-1.41.12-18.el6.x86_64
--> Processing Dependency: libcom_err = 1.41.12-18.el6 for package: libss-1.41.12-18.el6.x86_64
--> Processing Dependency: libcom_err = 1.41.12-18.el6 for package: e2fsprogs-1.41.12-18.el6.x86_64
---> Package libcom_err.i686 0:1.41.12-18.el6_5.1 will be installed
---> Package libcom_err.x86_64 0:1.41.12-18.el6_5.1 will be an update
---> Package zlib.i686 0:1.2.3-29.el6 will be installed
--> Running transaction check
---> Package e2fsprogs.x86_64 0:1.41.12-18.el6 will be updated
---> Package e2fsprogs.x86_64 0:1.41.12-18.el6_5.1 will be an update
---> Package e2fsprogs-libs.x86_64 0:1.41.12-18.el6 will be updated
--> Processing Dependency: e2fsprogs-libs = 1.41.12-18.el6 for package: e2fsprogs-devel-1.41.12-18.el6.x86_64
---> Package e2fsprogs-libs.x86_64 0:1.41.12-18.el6_5.1 will be an update
---> Package keyutils-libs.i686 0:1.4-4.el6 will be installed
---> Package libcom_err-devel.x86_64 0:1.41.12-18.el6 will be updated
---> Package libcom_err-devel.x86_64 0:1.41.12-18.el6_5.1 will be an update
---> Package libselinux.i686 0:2.0.94-5.3.el6_4.1 will be installed
---> Package libss.x86_64 0:1.41.12-18.el6 will be updated
---> Package libss.x86_64 0:1.41.12-18.el6_5.1 will be an update
--> Running transaction check
---> Package e2fsprogs-devel.x86_64 0:1.41.12-18.el6 will be updated
---> Package e2fsprogs-devel.x86_64 0:1.41.12-18.el6_5.1 will be an update
--> Finished Dependency Resolution
Error: Multilib version problems found. This often means that the root
cause is something else and multilib version checking is just
pointing out that there is a problem. Eg.:

1. You have an upgrade for openssl which is missing some
dependency that another package requires. Yum is trying to
solve this by installing an older version of openssl of the
different architecture. If you exclude the bad architecture
yum will tell you what the root cause is (which package
requires what). You can try redoing the upgrade with
--exclude openssl.otherarch ... this should give you an error
message showing the root cause of the problem.

2. You have multiple architectures of openssl installed, but
yum can only see an upgrade for one of those arcitectures.
If you don't want/need both architectures anymore then you
can remove the one with the missing update and everything
will work.

3. You have duplicate versions of openssl installed already.
You can use "yum check" to get yum show these errors.

...you can also use --setopt=protected_multilib=false to remove
this checking, however this is almost never the correct thing to
do as something else is very likely to go wrong (often causing
much more problems).

Protected multilib versions: openssl-1.0.1e-30.el6_5.2.i686 != openssl-1.0.1e-30.el6_6.7.x86_64
You could try using --skip-broken to work around the problem
** Found 24 pre-existing rpmdb problem(s), 'yum check' output follows:
intel-compilerpro-common-117-13.0-1.noarch has missing requires of /usr/lib/libstdc++.so.6
intel-compilerpro-devel-117-13.0-1.x86_64 has missing requires of /usr/lib/libstdc++.so.6
intel-compilerpro-vars-117-13.0-1.noarch has missing requires of /usr/lib/libstdc++.so.6
intel-compilerproc-117-13.0-1.x86_64 has missing requires of /usr/lib/libstdc++.so.6
intel-compilerproc-common-117-13.0-1.noarch has missing requires of /usr/lib/libstdc++.so.6
intel-compilerproc-devel-117-13.0-1.x86_64 has missing requires of /usr/lib/libstdc++.so.6
intel-compilerprof-117-13.0-1.x86_64 has missing requires of /usr/lib/libstdc++.so.6
intel-compilerprof-common-117-13.0-1.noarch has missing requires of /usr/lib/libstdc++.so.6
intel-compilerprof-devel-117-13.0-1.x86_64 has missing requires of /usr/lib/libstdc++.so.6
intel-idb-117-13.0-1.x86_64 has missing requires of /usr/lib/libstdc++.so.6
intel-idb-common-117-13.0-1.noarch has missing requires of /usr/lib/libstdc++.so.6
intel-idbcdt-117-13.0-1.noarch has missing requires of /usr/lib/libstdc++.so.6
intel-ipp-117-7.1-1.x86_64 has missing requires of /usr/lib/libstdc++.so.6
intel-ipp-common-117-7.1-1.noarch has missing requires of /usr/lib/libstdc++.so.6
intel-ipp-devel-117-7.1-1.x86_64 has missing requires of /usr/lib/libstdc++.so.6
intel-mkl-117-11.0-1.x86_64 has missing requires of /usr/lib/libstdc++.so.6
intel-mkl-common-117-11.0-1.noarch has missing requires of /usr/lib/libstdc++.so.6
intel-mkl-devel-117-11.0-1.x86_64 has missing requires of /usr/lib/libstdc++.so.6
intel-openmp-117-13.0-1.x86_64 has missing requires of /usr/lib/libstdc++.so.6
intel-openmp-devel-117-13.0-1.x86_64 has missing requires of /usr/lib/libstdc++.so.6
intel-sourcechecker-common-117-13.0-1.noarch has missing requires of /usr/lib/libstdc++.so.6
intel-sourcechecker-devel-117-13.0-1.x86_64 has missing requires of /usr/lib/libstdc++.so.6
intel-tbb-117-4.1-1.noarch has missing requires of /usr/lib/libstdc++.so.6
intel-tbb-devel-117-4.1-1.noarch has missing requires of /usr/lib/libstdc++.so.6

Please let me know if you need any other information.

Regards

[avij]

Looks like you don't have the CentOS 6.6 updates repository enabled, which contains the CentOS-released openssl update.

You should probably ask this from the Rocks guys instead, as you seem to be using their software.

[kenjakt]

That's odd because I ran the update on the entire cluster and the compute nodes updated without any problem. (I can ssh to them and "yum list openssl" shows me that the installed version is the updated one) The update failed only on the frontend, so now I have different versions running on frontend and the compute nodes. How can that be if all the nodes use the same repositories?

Regards

[chemal]

This seems to be an example of why cherry-picking updates doesn't work and why it's not supported. Type "yum update" instead.

[avij]

How can that be if all the nodes use the same repositories?

Are they? Does yum repolist show identical information for all the nodes? In particular, does the output include "updates --- CentOS-6 - Updates --- 882" in the output? If not, you are not using CentOS repositories.

Besides that, I also encourage updating with yum update to update all the available packages.

[kenjakt]

I tried the "exclude openssl.otherarch" suggestion proposed by yum and seems like its the openssl-devel package that's the root of the problem. The following is the outpur that I get from runnning
#yum upgrade openssl.x66_64 --exclude openssl.i686

Setting up Upgrade Process
Resolving Dependencies
--> Running transaction check
---> Package openssl.x86_64 0:1.0.1e-16.el6_5.7 will be updated
--> Processing Dependency: openssl = 1.0.1e-16.el6_5.7 for package: openssl-devel-1.0.1e-16.el6_5.7.x86_64
---> Package openssl.x86_64 0:1.0.1e-30.el6_6.7 will be an update
--> Running transaction check
---> Package openssl-devel.x86_64 0:1.0.1e-16.el6_5.7 will be updated
---> Package openssl-devel.x86_64 0:1.0.1e-30.el6_5.2 will be an update
--> Processing Dependency: openssl = 1.0.1e-30.el6_5.2 for package: openssl-devel-1.0.1e-30.el6_5.2.x86_64
--> Finished Dependency Resolution
Error: Package: openssl-devel-1.0.1e-30.el6_5.2.x86_64 (C6.5-updates)
Requires: openssl = 1.0.1e-30.el6_5.2
Removing: openssl-1.0.1e-16.el6_5.7.x86_64 (@anaconda-base-201404140147.x86_64/6.1.0)
openssl = 1.0.1e-16.el6_5.7
Updated By: openssl-1.0.1e-30.el6_6.7.x86_64 (Rocks-6.1.1)
openssl = 1.0.1e-30.el6_6.7
Available: openssl-1.0.1e-16.el6_5.x86_64 (C6.5-updates)
openssl = 1.0.1e-16.el6_5
Available: openssl-1.0.1e-16.el6_5.1.x86_64 (C6.5-updates)
openssl = 1.0.1e-16.el6_5.1
Available: openssl-1.0.1e-16.el6_5.4.x86_64 (C6.5-updates)
openssl = 1.0.1e-16.el6_5.4
Available: openssl-1.0.1e-16.el6_5.4.0.1.centos.x86_64 (C6.5-updates)
openssl = 1.0.1e-16.el6_5.4.0.1.centos
Available: openssl-1.0.1e-16.el6_5.14.x86_64 (C6.5-updates)
openssl = 1.0.1e-16.el6_5.14
Available: openssl-1.0.1e-16.el6_5.15.x86_64 (C6.5-updates)
openssl = 1.0.1e-16.el6_5.15
Available: openssl-1.0.1e-30.el6_5.2.x86_64 (C6.5-updates)
openssl = 1.0.1e-30.el6_5.2
You could try using --skip-broken to work around the problem

Any ideas on what can be done to fix this?

Regards

[chemal]

You are trying to mix openssl-1.0.1e-30.el6_6.7.x86_64 (Rocks-6.1.1) with openssl-devel-1.0.1e-30.el6_5.2.x86_64 (C6.5-updates). That's not possible and yum won't do it. You should ask the Rocks people how this is supposed to work. Support for C6.5 has ended with the release of C6.6 in Oct 2014. Everything more recent is either supplied by Rocks or their repos are broken. Try "yum update" or at least "yum update openssl\*".

[kenjakt]

Thank you all for your inputs. I was able to finally resolve this issue by enabling the CentOS 6.6 repository and let yum do its job. The reason it wasn't working previously was because the Rocks repository does not have the updates to openssl-devel package and that was preventing openssl from updating either. Anyways, I had no problem whatsoever once yum had access to the latest CentOS repository and the update was successful.

Regards