Project

General

Profile

Actions
Copy link

Bug #14058

closed

Update vendor=on triggers installation failure

Added by Jan-Peter Koopmann about 2 years ago. Updated over 1 year ago.

Status:
Resolved
Priority:
Normal
Assignee:
Christian McDonald
Category:
arpwatch
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
23.01
Affected Architecture:
All

Description

the custom_php_install command fails during pkg upgrade/install if the "Update Vendor" config option is on.

[1/1] Reinstalling pfSense-pkg-arpwatch-0.2.1...
[1/1] Extracting pfSense-pkg-arpwatch-0.2.1: 100%
Removing arpwatch components...
Menu items... done.
Services... done.
Loading package instructions...
Deinstall commands... done.
Saving updated package information...
overwrite!
Loading package configuration... done.
Configuring package components...
Loading package instructions...
Custom commands...
Executing custom_php_install_command()...Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
48828573794304:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921:
fetch: http://standards-oui.ieee.org/oui/oui.csv: Authentication error
done.
Executing custom_php_resync_config_command()...Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
20113771081728:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921:
fetch: http://standards-oui.ieee.org/oui/oui.csv: Authentication error
done.
Menu items... done.
Services... done.
Writing configuration... done.

Error is related to arpwatch.inc.

if ($update_vendors) {
        arpwatch_update_vendors($enable_zeropad);
    }

and then

function arpwatch_update_vendors($args) {
    exec('/usr/bin/fetch -qo - '.ARPWATCH_ETHERCODES_URL.'|'
        .ARPWATCH_LOCAL_DIR.'/massagevendor '.$args.' >'
        .ARPWATCH_LOCAL_DIR.'/ethercodes.dat');
}

The manual fetch of the URL (http://standards-oui.ieee.org/oui/oui.csv) works. It is a redirect to https. But the fetch from within the pkg command does not seem to be able to access /usr/local/etc/ssl/cert.pem and hence cannot establish the TLS connection.

Actions
Copy link
 #1

Updated by Christian McDonald about 2 years ago

  • Assignee set to Christian McDonald
Actions
Copy link
 #2

Updated by Christian McDonald about 2 years ago

  • Status changed from New to Feedback

I am not able to reproduce this on 23.05 snapshots. I'm not sure it is worth the effort in fixing if it already works in 23.05

Actions
Copy link
 #3

Updated by Jan-Peter Koopmann about 2 years ago

Are you sure you selected „update vendor list“ in the arpwatch settings before trying to reproduce it?

Actions
Copy link
 #4

Updated by Christian McDonald about 2 years ago

Yep very sure.

I even ran it through truss and watched the fetch calls be made and return successfully.

I waa able to reproduce on 23.01, but not on 23.05

Actions
Copy link
 #5

Updated by Jan-Peter Koopmann about 2 years ago

Thanks Chris. Let’s wait and see then.

Actions
Copy link
 #6

Updated by Christian McDonald about 2 years ago

  • Status changed from Feedback to Resolved
Actions
Copy link
 #7

Updated by JohnPoz _ over 1 year ago

I just ran into this with arpwatch on 23.09.1

>>> Upgrading pfSense-pkg-arpwatch... 
Updating pfSense-core repository catalogue...
Fetching meta.conf: 
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
Fetching meta.conf: 
pfSense repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be REINSTALLED:
    pfSense-pkg-arpwatch-0.2.1 [pfSense]

Number of packages to be reinstalled: 1

9 KiB to be downloaded.
[1/1] Fetching pfSense-pkg-arpwatch-0.2.1.pkg: . done
Checking integrity... done (0 conflicting)
[1/1] Reinstalling pfSense-pkg-arpwatch-0.2.1...
[1/1] Extracting pfSense-pkg-arpwatch-0.2.1: ......... done
Removing arpwatch components...
Menu items... done.
Services... done.
Loading package instructions...
Deinstall commands... done.
Saving updated package information...
overwrite!
Loading package configuration... done.
Configuring package components...
Loading package instructions...
Custom commands...
Executing custom_php_install_command()...Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
0020E1E614400000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_09_1-main/sources/FreeBSD-src-plus-RELENG_23_09_1/crypto/openssl/ssl/statem/statem_clnt.c:1890:
fetch: http://standards-oui.ieee.org/oui/oui.csv: Authentication error
done.
Executing custom_php_resync_config_command()...Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
00206134C41A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_09_1-main/sources/FreeBSD-src-plus-RELENG_23_09_1/crypto/openssl/ssl/statem/statem_clnt.c:1890:
fetch: http://standards-oui.ieee.org/oui/oui.csv: Authentication error
done.
Menu items... done.
Services... done.
Writing configuration... done.
>>> Cleaning up cache... done.
Success

If I uncheck to update vendor no error. Then change it to update and run another reinstall, I get the error

Actions
Copy link

Also available in: Atom PDF