Bug #14058

closed

Update vendor=on triggers installation failure

Added by Jan-Peter Koopmann 3 months ago. Updated about 2 months ago.

Status: Resolved
Priority: Normal
Category: arpwatch
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version: 23.01
Affected Architecture: All

Description

The custom_php_install command fails during pkg upgrade/install if the "Update Vendor" config option is on.

[1/1] Reinstalling pfSense-pkg-arpwatch-0.2.1...
[1/1] Extracting pfSense-pkg-arpwatch-0.2.1: 100%
Removing arpwatch components...
Menu items... done.
Services... done.
Loading package instructions...
Deinstall commands... done.
Saving updated package information...
overwrite!
Loading package configuration... done.
Configuring package components...
Loading package instructions...
Custom commands...
Executing custom_php_install_command()...Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
48828573794304:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921:
fetch: http://standards-oui.ieee.org/oui/oui.csv: Authentication error
done.
Executing custom_php_resync_config_command()...Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
20113771081728:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921:
fetch: http://standards-oui.ieee.org/oui/oui.csv: Authentication error
done.
Menu items... done.
Services... done.
Writing configuration... done.

Error is related to arpwatch.inc.

if ($update_vendors) {
    arpwatch_update_vendors($enable_zeropad);
}

and then

function arpwatch_update_vendors($args) {
    exec('/usr/bin/fetch -qo - '.ARPWATCH_ETHERCODES_URL.'|'
        .ARPWATCH_LOCAL_DIR.'/massagevendor '.$args.' >'
        .ARPWATCH_LOCAL_DIR.'/ethercodes.dat');
}

The manual fetch of the URL (http://standards-oui.ieee.org/oui/oui.csv) works. It is a redirect to https. But the fetch from within the pkg command does not seem to be able to access /usr/local/etc/ssl/cert.pem and hence cannot establish the TLS connection.
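
An added example, not part of the original report or the package's code: in the pipeline above the shell truncates ethercodes.dat before fetch has succeeded and fetch's exit status is discarded, which is why the log shows the TLS error followed by "done." This shell function downloads to a temporary file, checks each step, and replaces the file only on success; `update_vendors`, `FETCH_CMD` and `MASSAGE_CMD` are hypothetical names, and the 0644 file mode is an assumption.

```shell
#!/bin/sh
# Added example: replace ethercodes.dat only after a verified download.
# FETCH_CMD / MASSAGE_CMD are hypothetical knobs standing in for the
# package's "/usr/bin/fetch -qo -" and ARPWATCH_LOCAL_DIR/massagevendor.
FETCH_CMD=${FETCH_CMD:-/usr/bin/fetch -qo -}
MASSAGE_CMD=${MASSAGE_CMD:-./massagevendor}

# update_vendors URL DEST [massagevendor args...]
# Exit codes: 0 = DEST replaced, 1 = no temp file,
#             2 = download failed, 3 = conversion failed or empty.
# On any non-zero exit DEST is left exactly as it was.
update_vendors() {
    url=$1
    dest=$2
    shift 2
    raw=$(mktemp "${dest}.raw.XXXXXX") || return 1
    new=$(mktemp "${dest}.new.XXXXXX") || { rm -f "$raw"; return 1; }

    # Write to a temp file so fetch's exit status is not lost in a pipe.
    if ! $FETCH_CMD "$url" > "$raw"; then
        echo "vendor update: download failed, keeping $dest" >&2
        rm -f "$raw" "$new"
        return 2
    fi

    # An empty result is treated as failure, not as a new vendor list.
    if ! $MASSAGE_CMD "$@" < "$raw" > "$new" || [ ! -s "$new" ]; then
        echo "vendor update: conversion failed, keeping $dest" >&2
        rm -f "$raw" "$new"
        return 3
    fi

    chmod 0644 "$new"      # mktemp creates 0600; 0644 is an assumed mode
    mv -f "$new" "$dest"   # same directory, so the rename is atomic
    rm -f "$raw"
    return 0
}
```

A caller can log the non-zero exit code and carry on with the existing vendor list instead of silently installing an empty one.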

Actions #1

Updated by Christian McDonald 3 months ago

  • Assignee set to Christian McDonald
Actions #2

Updated by Christian McDonald 3 months ago

  • Status changed from New to Feedback

I am not able to reproduce this on 23.05 snapshots. I'm not sure it is worth the effort in fixing if it already works in 23.05.

Actions #3

Updated by Jan-Peter Koopmann 3 months ago

Are you sure you selected "update vendor list" in the arpwatch settings before trying to reproduce it?

Actions #4

Updated by Christian McDonald 3 months ago

Yep very sure.

I even ran it through truss and watched the fetch calls be made and return successfully.

I was able to reproduce on 23.01, but not on 23.05.

Actions #5

Updated by Jan-Peter Koopmann 3 months ago

Thanks Chris. Let’s wait and see then.

Actions #6

Updated by Christian McDonald about 2 months ago

  • Status changed from Feedback to Resolved