Bug #14058
closed
Update vendor=on triggers installation failure
Description
The custom_php_install command fails during pkg upgrade/install if the "Update Vendor" config option is on.
[1/1] Reinstalling pfSense-pkg-arpwatch-0.2.1...
[1/1] Extracting pfSense-pkg-arpwatch-0.2.1: 100%
Removing arpwatch components...
Menu items... done.
Services... done.
Loading package instructions...
Deinstall commands... done.
Saving updated package information...
overwrite!
Loading package configuration... done.
Configuring package components...
Loading package instructions...
Custom commands...
Executing custom_php_install_command()...Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
48828573794304:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921:
fetch: http://standards-oui.ieee.org/oui/oui.csv: Authentication error
done.
Executing custom_php_resync_config_command()...Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
20113771081728:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921:
fetch: http://standards-oui.ieee.org/oui/oui.csv: Authentication error
done.
Menu items... done.
Services... done.
Writing configuration... done.
Error is related to arpwatch.inc.
if ($update_vendors) {
    arpwatch_update_vendors($enable_zeropad);
}
and then
function arpwatch_update_vendors($args) {
    exec('/usr/bin/fetch -qo - '.ARPWATCH_ETHERCODES_URL.'|'
        .ARPWATCH_LOCAL_DIR.'/massagevendor '.$args.' >'
        .ARPWATCH_LOCAL_DIR.'/ethercodes.dat');
}
The manual fetch of the URL (http://standards-oui.ieee.org/oui/oui.csv) works. It is a redirect to https. But the fetch from within the pkg command does not seem to be able to access /usr/local/etc/ssl/cert.pem and hence cannot establish the TLS connection.
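The pipeline quoted above redirects straight into ethercodes.dat and only the last command's exit status survives the pipe, so a failed fetch goes unnoticed and the existing vendor file is truncated. The sketch below is an added example, not code from the arpwatch package: it downloads to a temporary file, checks each step, and swaps the file in only on success. The function name, its argument order, the return codes and the 0644 mode are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not code from the arpwatch package.
# update_ethercodes DEST FILTER FETCH_CMD [ARGS...]
#   FETCH_CMD writes the vendor CSV to stdout, e.g. on the firewall:
#     /usr/bin/fetch -qo - "$ARPWATCH_ETHERCODES_URL"
#   FILTER reads the CSV on stdin and writes the ethercodes format
#   (massagevendor in the package); it is word-split so it can carry an option.
# Return codes are this example's own: 0 updated, 1 temp file or rename error,
# 2 download failed, 3 download empty, 4 filter failed or produced nothing.
update_ethercodes() {
    dest=$1; filter=$2; shift 2
    tmp_csv=$(mktemp "${dest}.csv.XXXXXX") || return 1
    tmp_out=$(mktemp "${dest}.new.XXXXXX") || { rm -f "$tmp_csv"; return 1; }
    st=0

    # Run the download on its own, not as the left side of a pipe, so a
    # non-zero exit (such as a TLS verification failure) is not masked.
    if ! "$@" >"$tmp_csv"; then
        st=2
    elif [ ! -s "$tmp_csv" ]; then
        st=3
    elif ! $filter <"$tmp_csv" >"$tmp_out" || [ ! -s "$tmp_out" ]; then
        st=4
    fi

    if [ "$st" -eq 0 ]; then
        # mktemp creates mode 0600; 0644 is assumed to suit the data file.
        chmod 0644 "$tmp_out"
        # Replace the live file only after every step succeeded. A rename
        # within one directory means readers never see a partial file.
        mv -f "$tmp_out" "$dest" || st=1
    else
        echo "vendor update failed (status $st); keeping existing $dest" >&2
    fi
    rm -f "$tmp_csv" "$tmp_out"
    return "$st"
}
```

If fetch cannot find the CA bundle in the calling environment, libfetch's SSL_CA_CERT_FILE environment variable can point it at /usr/local/etc/ssl/cert.pem explicitly. Whether that resolves the 23.01 failure is not established in this report.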
Updated by Christian McDonald 3 months ago
- Status changed from New to Feedback
I am not able to reproduce this on 23.05 snapshots. I'm not sure it is worth the effort in fixing if it already works in 23.05.
Updated by Jan-Peter Koopmann 3 months ago
Are you sure you selected "update vendor list" in the arpwatch settings before trying to reproduce it?
Updated by Christian McDonald 3 months ago
Yep, very sure.
I even ran it through truss and watched the fetch calls be made and return successfully.
I was able to reproduce on 23.01, but not on 23.05.
Updated by Jan-Peter Koopmann 3 months ago
Thanks Chris. Let’s wait and see then.
Updated by Christian McDonald about 2 months ago
- Status changed from Feedback to Resolved