Bug #14058
closed
Update vendor=on triggers installation failure
Added by Jan-Peter Koopmann about 1 year ago.
Updated 4 months ago.
Affected Plus Version:
23.01
Affected Architecture:
All
Description
the custom_php_install command fails during pkg upgrade/install if the "Update Vendor" config option is on.
[1/1] Reinstalling pfSense-pkg-arpwatch-0.2.1...
[1/1] Extracting pfSense-pkg-arpwatch-0.2.1: 100%
Removing arpwatch components...
Menu items... done.
Services... done.
Loading package instructions...
Deinstall commands... done.
Saving updated package information...
overwrite!
Loading package configuration... done.
Configuring package components...
Loading package instructions...
Custom commands...
Executing custom_php_install_command()...Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
48828573794304:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921:
fetch: http://standards-oui.ieee.org/oui/oui.csv: Authentication error
done.
Executing custom_php_resync_config_command()...Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
20113771081728:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921:
fetch: http://standards-oui.ieee.org/oui/oui.csv: Authentication error
done.
Menu items... done.
Services... done.
Writing configuration... done.
Error is related to arpwatch.inc.
if ($update_vendors) {
arpwatch_update_vendors($enable_zeropad);
}
and then
function arpwatch_update_vendors($args) {
exec('/usr/bin/fetch -qo - '.ARPWATCH_ETHERCODES_URL.'|'
.ARPWATCH_LOCAL_DIR.'/massagevendor '.$args.' >'
.ARPWATCH_LOCAL_DIR.'/ethercodes.dat');
}
The manual fetch of the URL (http://standards-oui.ieee.org/oui/oui.csv) works. It is a redirect to https. But the fetch from within the pkg command does not seem to be able to access /usr/local/etc/ssl/cert.pem and hence cannot establish the TLS connection.
- Assignee set to Christian McDonald
- Status changed from New to Feedback
I am not able to reproduce this on 23.05 snapshots. I'm not sure it is worth the effort in fixing if it already works in 23.05
Are you sure you selected „update vendor list“ in the arpwatch settings before trying to reproduce it?
Yep very sure.
I even ran it through truss and watched the fetch calls be made and return successfully.
I waa able to reproduce on 23.01, but not on 23.05
Thanks Chris. Let’s wait and see then.
- Status changed from Feedback to Resolved
I just ran into this with arpwatch on 23.09.1
>>> Upgrading pfSense-pkg-arpwatch...
Updating pfSense-core repository catalogue...
Fetching meta.conf:
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
Fetching meta.conf:
pfSense repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
Installed packages to be REINSTALLED:
pfSense-pkg-arpwatch-0.2.1 [pfSense]
Number of packages to be reinstalled: 1
9 KiB to be downloaded.
[1/1] Fetching pfSense-pkg-arpwatch-0.2.1.pkg: . done
Checking integrity... done (0 conflicting)
[1/1] Reinstalling pfSense-pkg-arpwatch-0.2.1...
[1/1] Extracting pfSense-pkg-arpwatch-0.2.1: ......... done
Removing arpwatch components...
Menu items... done.
Services... done.
Loading package instructions...
Deinstall commands... done.
Saving updated package information...
overwrite!
Loading package configuration... done.
Configuring package components...
Loading package instructions...
Custom commands...
Executing custom_php_install_command()...Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
0020E1E614400000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_09_1-main/sources/FreeBSD-src-plus-RELENG_23_09_1/crypto/openssl/ssl/statem/statem_clnt.c:1890:
fetch: http://standards-oui.ieee.org/oui/oui.csv: Authentication error
done.
Executing custom_php_resync_config_command()...Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
00206134C41A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_09_1-main/sources/FreeBSD-src-plus-RELENG_23_09_1/crypto/openssl/ssl/statem/statem_clnt.c:1890:
fetch: http://standards-oui.ieee.org/oui/oui.csv: Authentication error
done.
Menu items... done.
Services... done.
Writing configuration... done.
>>> Cleaning up cache... done.
Success
If I uncheck to update vendor no error. Then change it to update and run another reinstall, I get the error
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by