Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSL Validation failure while installing php5 #590

Open
Alan-Daniels opened this issue Mar 4, 2023 · 8 comments · May be fixed by #603
Open

SSL Validation failure while installing php5 #590

Alan-Daniels opened this issue Mar 4, 2023 · 8 comments · May be fixed by #603

Comments

@Alan-Daniels
Copy link

Issue Description

Please check the General Issues section in the wiki before you submit the issue.
If you didn't find your issue mentioned, please give a thorough description of the issue you're seeing.
Also, please be sure to include any troubleshooting steps that you've already attempted.

I've tried the vagrant automatic build for ubuntu 3 times and had the same failure while installing php5.
The url it complains about seems fine when loading in my browser (https://mail.gnome.org/archives/xml/2012-August/txtbgxGXAvz4N.txt) so not sure what's wrong there.

In my third attempt, I also installed the winrm & winrm-fs plugins as per the General Issues but that didn't seem to help.

Thanks for any help!

Host System

  • OS: Manjaro Linux x86_64
  • Packer Version: 1.8.5
  • Vagrant Version: 2.3.4
  • VirtualBox Version: n/a
  • libvirt Version: 9.0.0

Command Output

https://pastebin.com/YjwcbN67
@devworkerkim
Copy link

Same issue. I've isolated the php_545 output I got and pasted below.

Host System

  • OS: Fedora Linux 37
  • Packer Version: 1.8.6
  • Vagrant Version: 2.3.4
  • VirtualBox Version: n/a
  • libvirt Version: 8.6.0

Command Output

qemu: Recipe: metasploitable::php_545
    qemu:   * execute[install prereqs] action run
    qemu:     - execute apt-get install -y gcc make build-essential     libxml2-dev libcurl4-openssl-dev libpcre3-dev libbz2-dev libjpeg-dev     libpng12-dev libfreetype6-dev libt1-dev libmcrypt-dev libmhash-dev     freetds-dev libmysqlclient-dev unixodbc-dev     libxslt1-dev apache2-dev
    qemu:   * execute[fix freetype bug] action run
    qemu:     - execute mkdir -pv /usr/include/freetype2/freetype && ln -sf /usr/include/freetype2/freetype.h /usr/include/freetype2/freetype/freetype.h
    qemu:   * remote_file[/tmp/packer-chef-solo/local-mode-cache/cache/php-5.4.5.tar.gz] action create_if_missing
    qemu:     - create new file /tmp/packer-chef-solo/local-mode-cache/cache/php-5.4.5.tar.gz
    qemu:     - update content in file /tmp/packer-chef-solo/local-mode-cache/cache/php-5.4.5.tar.gz from none to 46be2d
    qemu:     (file sizes exceed 10000000 bytes, diff output suppressed)
    qemu:     - change mode from '' to '0644'
    qemu:   * remote_file[/tmp/packer-chef-solo/local-mode-cache/cache/libxml29_compat.patch] action create_if_missing[2023-03-19T17:07:31+00:00] ERROR: SSL Validation failure connecting to host: mail.gnome.org - SSL_connect returned=1 errno=0 state=error: certificate verify failed
    qemu: [2023-03-19T17:07:31+00:00] ERROR: SSL Validation failure connecting to host: mail.gnome.org - SSL_connect returned=1 errno=0 state=error: certificate verify failed
    qemu:
    qemu:
    qemu:     ================================================================================
    qemu:     Error executing action `create_if_missing` on resource 'remote_file[/tmp/packer-chef-solo/local-mode-cache/cache/libxml29_compat.patch]'
    qemu:     ================================================================================
    qemu:
    qemu:     OpenSSL::SSL::SSLError
    qemu:     ----------------------
    qemu:     SSL Error connecting to https://mail.gnome.org/archives/xml/2012-August/txtbgxGXAvz4N.txt - SSL_connect returned=1 errno=0 state=error: certificate verify failed
    qemu:
    qemu:     Resource Declaration:
    qemu:     ---------------------
    qemu:     # In /tmp/packer-chef-solo/local-mode-cache/cache/cookbooks/metasploitable/recipes/php_545.rb
    qemu:
    qemu:      32: remote_file "#{Chef::Config[:file_cache_path]}/libxml29_compat.patch" do
    qemu:      33:   source "https://mail.gnome.org/archives/xml/2012-August/txtbgxGXAvz4N.txt"
    qemu:      34:   mode '0644'
    qemu:      35:   action :create_if_missing
    qemu:      36:   not_if 'apache2ctl -M | grep -q php5'
    qemu:      37: end
    qemu:      38:
    qemu:
    qemu:     Compiled Resource:
    qemu:     ------------------
    qemu:     # Declared in /tmp/packer-chef-solo/local-mode-cache/cache/cookbooks/metasploitable/recipes/php_545.rb:32:in `from_file'
    qemu:
    qemu:     remote_file("/tmp/packer-chef-solo/local-mode-cache/cache/libxml29_compat.patch") do
    qemu:       provider Chef::Provider::RemoteFile
    qemu:       action [:create_if_missing]
    qemu:       default_guard_interpreter :default
    qemu:       source ["https://mail.gnome.org/archives/xml/2012-August/txtbgxGXAvz4N.txt"]
    qemu:       use_etag true
    qemu:       use_last_modified true
    qemu:       declared_type :remote_file
    qemu:       cookbook_name "metasploitable"
    qemu:       recipe_name "php_545"
    qemu:       mode "0644"
    qemu:       remote_domain nil
    qemu:       remote_user nil
    qemu:       path "/tmp/packer-chef-solo/local-mode-cache/cache/libxml29_compat.patch"
    qemu:       owner nil
    qemu:       group nil
    qemu:       checksum nil
    qemu:       verifications []
    qemu:       not_if "apache2ctl -M | grep -q php5"
    qemu:     end
    qemu:
    qemu:     System Info:
    qemu:     ------------
    qemu:     chef_version=13.8.5
    qemu:     platform=ubuntu
    qemu:     platform_version=14.04
    qemu:     ruby=ruby 2.4.3p205 (2017-12-14 revision 61247) [x86_64-linux]
    qemu:     program_name=chef-solo worker: ppid=1058;start=17:05:34;
    qemu:     executable=/opt/chef/bin/chef-solo
    qemu:
    qemu: Recipe: iptables::default
    qemu:   * execute[rebuild-iptables] action run
    qemu:     - execute /usr/sbin/rebuild-iptables
    qemu:
    qemu: Running handlers:
    qemu: [2023-03-19T17:07:31+00:00] ERROR: Running exception handlers
    qemu: [2023-03-19T17:07:31+00:00] ERROR: Running exception handlers
    qemu: Running handlers complete
    qemu: [2023-03-19T17:07:31+00:00] ERROR: Exception handlers complete
    qemu: [2023-03-19T17:07:31+00:00] ERROR: Exception handlers complete
    qemu: Chef Client failed. 89 resources updated in 01 minutes 56 seconds
    qemu: [2023-03-19T17:07:31+00:00] FATAL: Stacktrace dumped to /tmp/packer-chef-solo/local-mode-cache/cache/chef-stacktrace.out
    qemu: [2023-03-19T17:07:31+00:00] FATAL: Stacktrace dumped to /tmp/packer-chef-solo/local-mode-cache/cache/chef-stacktrace.out
    qemu: [2023-03-19T17:07:31+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
    qemu: [2023-03-19T17:07:31+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
    qemu: [2023-03-19T17:07:31+00:00] ERROR: remote_file[/tmp/packer-chef-solo/local-mode-cache/cache/libxml29_compat.patch] (metasploitable::php_545 line 32) had an error: OpenSSL::SSL::SSLError: SSL Error connecting to https://mail.gnome.org/archives/xml/2012-August/txtbgxGXAvz4N.txt - SSL_connect returned=1 errno=0 state=error: certificate verify failed
    qemu: [2023-03-19T17:07:31+00:00] ERROR: remote_file[/tmp/packer-chef-solo/local-mode-cache/cache/libxml29_compat.patch] (metasploitable::php_545 line 32) had an error: OpenSSL::SSL::SSLError: SSL Error connecting to https://mail.gnome.org/archives/xml/2012-August/txtbgxGXAvz4N.txt - SSL_connect returned=1 errno=0 state=error: certificate verify failed
    qemu: [2023-03-19T17:07:31+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
    qemu: [2023-03-19T17:07:31+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
==> qemu: Provisioning step had errors: Running the cleanup provisioner, if present...
==> qemu: Deleting output directory...
Build 'qemu' errored after 6 minutes 33 seconds: Error executing Chef: Non-zero exit status: 1

==> Wait completed after 6 minutes 33 seconds

==> Some builds didn't complete successfully and had errors:
--> qemu: Error executing Chef: Non-zero exit status: 1

==> Builds finished but no artifacts were created.

@teststudent311
Copy link

teststudent311 commented Apr 14, 2023
edited
Loading

Same issue. Try to modify php_545.rb.
Go to metasploitable3/chef/cookbooks/metasploitable/recipes directory and find php_545.rb.
Find:

remote_file "#{Chef::Config[:file_cache_path]}/libxml29_compat.patch" do
  source "https://mail.gnome.org/archives/xml/2012-August/txtbgxGXAvz4N.txt"
  mode '0644'
  action :create_if_missing
  not_if 'apache2ctl -M | grep -q php5'
end

Change link to this https://gist.githubusercontent.com/tassoevan/74a65692bd1ddccec5fb/raw/14d4bd547b022ed80737688d0e7f48bac3c1c951/libxml29_compat.patch.

Just like that:

remote_file "#{Chef::Config[:file_cache_path]}/libxml29_compat.patch" do
  source "https://gist.githubusercontent.com/tassoevan/74a65692bd1ddccec5fb/raw/14d4bd547b022ed80737688d0e7f48bac3c1c951/libxml29_compat.patch"
  mode '0644'
  action :create_if_missing
  not_if 'apache2ctl -M | grep -q php5'
end

In my case it works.

@stasguma
Copy link

Host System

  • OS: Windows 10
  • Packer Version: 1.6.1
  • Vagrant Version: 1.9.1
  • VirtualBox Version: 7.0.8 r156879
virtualbox-iso:   * remote_file[/tmp/packer-chef-solo/local-mode-cache/cache/php-5.4.5.tar.gz] action create_if_missing[2023-06-19T14:57:43+00:00] ERROR: SSL Validation failure connecting to host: museum.php.net - SSL_connect returned=1 errno=0 state=error: certificate verify failed
    virtualbox-iso: [2023-06-19T14:57:43+00:00] ERROR: SSL Validation failure connecting to host: museum.php.net - SSL_connect returned=1 errno=0 state=error: certificate verify failed
    virtualbox-iso:
    virtualbox-iso:
    virtualbox-iso:     ================================================================================
    virtualbox-iso:     Error executing action 'create_if_missing' on resource 'remote_file[/tmp/packer-chef-solo/local-mode-cache/cache/php-5.4.5.tar.gz]'
    virtualbox-iso:     ================================================================================
    virtualbox-iso:
    virtualbox-iso:     OpenSSL::SSL::SSLError
    virtualbox-iso:     ----------------------
    virtualbox-iso:     SSL Error connecting to http://museum.php.net/php5//php-5.4.5.tar.gz - SSL Error connecting to https://museum.php.net/php5/php-5.4.5.tar.gz - SSL_connect returned=1 errno=0 state=error: certificate verify failed
    virtualbox-iso:
    virtualbox-iso:     Resource Declaration:
    virtualbox-iso:     ---------------------
    virtualbox-iso:     # In /tmp/packer-chef-solo/local-mode-cache/cache/cookbooks/metasploitable/recipes/php_545.rb
    virtualbox-iso:
    virtualbox-iso:      25: remote_file "#{Chef::Config[:file_cache_path]}/#{php_tar}" do
    virtualbox-iso:      26:   source "#{node[:php545][:download_url]}/#{php_tar}"
    virtualbox-iso:      27:   mode '0644'
    virtualbox-iso:      28:   action :create_if_missing
    virtualbox-iso:      29:   not_if 'apache2ctl -M | grep -q php5'
    virtualbox-iso:      30: end
    virtualbox-iso:      31:
    virtualbox-iso:
    virtualbox-iso:     Compiled Resource:
    virtualbox-iso:     ------------------
    virtualbox-iso:     # Declared in /tmp/packer-chef-solo/local-mode-cache/cache/cookbooks/metasploitable/recipes/php_545.rb:25:in 'from_file'
    virtualbox-iso:
    virtualbox-iso:     remote_file("/tmp/packer-chef-solo/local-mode-cache/cache/php-5.4.5.tar.gz") do
    virtualbox-iso:       provider Chef::Provider::RemoteFile
    virtualbox-iso:       action [:create_if_missing]
    virtualbox-iso:       default_guard_interpreter :default
    virtualbox-iso:       source ["http://museum.php.net/php5//php-5.4.5.tar.gz"]
    virtualbox-iso:       use_etag true
    virtualbox-iso:       use_last_modified true
    virtualbox-iso:       declared_type :remote_file
    virtualbox-iso:       cookbook_name "metasploitable"
    virtualbox-iso:       recipe_name "php_545"
    virtualbox-iso:       mode "0644"
    virtualbox-iso:       remote_domain nil
    virtualbox-iso:       remote_user nil
    virtualbox-iso:       path "/tmp/packer-chef-solo/local-mode-cache/cache/php-5.4.5.tar.gz"
    virtualbox-iso:       owner nil
    virtualbox-iso:       group nil
    virtualbox-iso:       checksum nil
    virtualbox-iso:       verifications []
    virtualbox-iso:       not_if "apache2ctl -M | grep -q php5"
    virtualbox-iso:     end
    virtualbox-iso:
    virtualbox-iso:     System Info:
    virtualbox-iso:     ------------
    virtualbox-iso:     chef_version=13.8.5
    virtualbox-iso:     platform=ubuntu
    virtualbox-iso:     platform_version=14.04
    virtualbox-iso:     ruby=ruby 2.4.3p205 (2017-12-14 revision 61247) [x86_64-linux]
    virtualbox-iso:     program_name=chef-solo worker: ppid=1092;start=14:55:06;
    virtualbox-iso:     executable=/opt/chef/bin/chef-solo
    virtualbox-iso:
    virtualbox-iso: Recipe: iptables::default
    virtualbox-iso:   * execute[rebuild-iptables] action run
    virtualbox-iso:     - execute /usr/sbin/rebuild-iptables
    virtualbox-iso:
    virtualbox-iso: Running handlers:
    virtualbox-iso: [2023-06-19T14:57:43+00:00] ERROR: Running exception handlers
    virtualbox-iso: [2023-06-19T14:57:43+00:00] ERROR: Running exception handlers
    virtualbox-iso: Running handlers complete
    virtualbox-iso: [2023-06-19T14:57:43+00:00] ERROR: Exception handlers complete
    virtualbox-iso: [2023-06-19T14:57:43+00:00] ERROR: Exception handlers complete
    virtualbox-iso: Chef Client failed. 88 resources updated in 02 minutes 36 seconds
    virtualbox-iso: [2023-06-19T14:57:43+00:00] FATAL: Stacktrace dumped to /tmp/packer-chef-solo/local-mode-cache/cache/chef-stacktrace.out
    virtualbox-iso: [2023-06-19T14:57:43+00:00] FATAL: Stacktrace dumped to /tmp/packer-chef-solo/local-mode-cache/cache/chef-stacktrace.out
    virtualbox-iso: [2023-06-19T14:57:43+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
    virtualbox-iso: [2023-06-19T14:57:43+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
    virtualbox-iso: [2023-06-19T14:57:43+00:00] ERROR: remote_file[/tmp/packer-chef-solo/local-mode-cache/cache/php-5.4.5.tar.gz] (metasploitable::php_545 line 25) had an error: OpenSSL::SSL::SSLError: SSL Error connecting to http://museum.php.net/php5//php-5.4.5.tar.gz - SSL Error connecting to https://museum.php.net/php5/php-5.4.5.tar.gz - SSL_connect returned=1 errno=0 state=error: certificate verify failed
    virtualbox-iso: [2023-06-19T14:57:43+00:00] ERROR: remote_file[/tmp/packer-chef-solo/local-mode-cache/cache/php-5.4.5.tar.gz] (metasploitable::php_545 line 25) had an error: OpenSSL::SSL::SSLError: SSL Error connecting to http://museum.php.net/php5//php-5.4.5.tar.gz - SSL Error connecting to https://museum.php.net/php5/php-5.4.5.tar.gz - SSL_connect returned=1 errno=0 state=error: certificate verify failed
    virtualbox-iso: [2023-06-19T14:57:43+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
    virtualbox-iso: [2023-06-19T14:57:43+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
==> virtualbox-iso: Provisioning step had errors: Running the cleanup provisioner, if present...
==> virtualbox-iso: Cleaning up floppy disk...
==> virtualbox-iso: Deregistering and deleting VM...
==> virtualbox-iso: Deleting output directory...
Build 'virtualbox-iso' errored: Error executing Chef: Non-zero exit status: 1

==> Some builds didn't complete successfully and had errors:
--> virtualbox-iso: Error executing Chef: Non-zero exit status: 1

==> Builds finished but no artifacts were created.

in my case it cusses on another php file. I tried to change the source in #590 (comment) to https://prototype.php.net/distributions/php-5.4.5.tar.gz (it's from the official php website).
It didn't work for me. Still have this problem.

@Unlawful6754
Copy link

Unlawful6754 commented Jun 21, 2023
edited
Loading

getting the same error as @stasguma trying to build on Ubuntu 22.04. updating Manjaro box and will try building on that and see what happens

edit: tried on manjaro and getting the same there. have tried running it while connected to VPN and not and can download through browser on both

@stasguma
Copy link

I found a workaround. You need to change the source on line 25 chef\cookbooks\metasploitable\recipes\php_545.rb to https://github.com/php/php-src/archive/refs/tags/#{php_tar}. After that use this #590 (comment) answer.

The final result should look like:

remote_file "#{Chef::Config[:file_cache_path]}/#{php_tar}" do
  source "https://github.com/php/php-src/archive/refs/tags/#{php_tar}"
  mode '0644'
  action :create_if_missing
  not_if 'apache2ctl -M | grep -q php5'
end

remote_file "#{Chef::Config[:file_cache_path]}/libxml29_compat.patch" do
  source "https://gist.githubusercontent.com/tassoevan/74a65692bd1ddccec5fb/raw/14d4bd547b022ed80737688d0e7f48bac3c1c951/libxml29_compat.patch"
  mode '0644'
  action :create_if_missing
  not_if 'apache2ctl -M | grep -q php5'
end

@stasguma
Copy link

but now I have another error.

    virtualbox-iso:   * execute[patch php] action nothing (skipped due to action :nothing)
    virtualbox-iso:   * execute[extract php] action run
    virtualbox-iso:     - execute tar -xvzf /tmp/packer-chef-solo/local-mode-cache/cache/php-5.4.5.tar.gz -C /tmp/packer-chef-solo/local-mode-cache/cache
    virtualbox-iso:   * execute[patch php] action run
    virtualbox-iso:
    virtualbox-iso:     ================================================================================
    virtualbox-iso:     Error executing action `run` on resource 'execute[patch php]'
    virtualbox-iso:     ================================================================================
    virtualbox-iso:
    virtualbox-iso:     Mixlib::ShellOut::ShellCommandFailed
    virtualbox-iso:     ------------------------------------
    virtualbox-iso:     Expected process to exit with [0], but received '1'
    virtualbox-iso:     ---- Begin output of patch -p0 -b < ../libxml29_compat.patch ----
    virtualbox-iso:     STDOUT:
    virtualbox-iso:     STDERR: /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/mixlib-shellout-2.3.2/lib/mixlib/shellout/unix.rb:185:in `chdir': No such file or directory @ dir_chdir - /tmp/packer-chef-solo/local-mode-cache/cache/php-5.4.5 (Errno::ENOENT)
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/mixlib-shellout-2.3.2/lib/mixlib/shellout/unix.rb:185:in `set_cwd'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/mixlib-shellout-2.3.2/lib/mixlib/shellout/unix.rb:337:in `block in fork_subprocess'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/mixlib-shellout-2.3.2/lib/mixlib/shellout/unix.rb:318:in `fork'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/mixlib-shellout-2.3.2/lib/mixlib/shellout/unix.rb:318:in `fork_subprocess'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/mixlib-shellout-2.3.2/lib/mixlib/shellout/unix.rb:95:in `run_command'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/mixlib-shellout-2.3.2/lib/mixlib/shellout.rb:263:in `run_command'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/mixin/shell_out.rb:171:in `shell_out_command'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/mixin/shell_out.rb:125:in `shell_out_with_systems_locale'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/mixin/shell_out.rb:129:in `shell_out_with_systems_locale!'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/provider/execute.rb:58:in `block in action_run'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/mixin/why_run.rb:52:in `add_action'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/provider.rb:202:in `converge_by'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/provider/execute.rb:56:in `action_run'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/provider.rb:171:in `run_action'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/resource.rb:591:in `run_action'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/runner.rb:70:in `run_action'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/runner.rb:78:in `block in run_action'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/runner.rb:76:in `each'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/runner.rb:76:in `run_action'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/runner.rb:98:in `block (2 levels) in converge'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/runner.rb:98:in `each'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/runner.rb:98:in `block in converge'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/resource_collection/resource_list.rb:94:in `block in execute_each_resource'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/resource_collection/stepable_iterator.rb:114:in `call_iterator_block'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/resource_collection/stepable_iterator.rb:85:in `step'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/resource_collection/stepable_iterator.rb:103:in `iterate'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/resource_collection/stepable_iterator.rb:55:in `each_with_index'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/resource_collection/resource_list.rb:92:in `execute_each_resource'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/runner.rb:97:in `converge'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/client.rb:718:in `block in converge'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/client.rb:713:in `catch'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/client.rb:713:in `converge'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/client.rb:752:in `converge_and_save'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/client.rb:286:in `run'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/application.rb:292:in `block in fork_chef_client'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/application.rb:280:in `fork'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/application.rb:280:in `fork_chef_client'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/application.rb:245:in `block in run_chef_client'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/local_mode.rb:44:in `with_server_connectivity'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/application.rb:233:in `run_chef_client'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/application/client.rb:469:in `sleep_then_run_chef_client'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/application/client.rb:458:in `block in interval_run_chef_client'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/application/client.rb:457:in `loop'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/application/client.rb:457:in `interval_run_chef_client'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/application/client.rb:441:in `run_application'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/application.rb:59:in `run'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/lib/chef/application/solo.rb:225:in `run'
    virtualbox-iso:             from /opt/chef/embedded/lib/ruby/gems/2.4.0/gems/chef-13.8.5/bin/chef-solo:25:in `<top (required)>'
    virtualbox-iso:             from /usr/bin/chef-solo:59:in `load'
    virtualbox-iso:             from /usr/bin/chef-solo:59:in `<main>'
    virtualbox-iso:     ---- End output of patch -p0 -b < ../libxml29_compat.patch ----
    virtualbox-iso:     Ran patch -p0 -b < ../libxml29_compat.patch returned 1

@deargle
Copy link
Contributor

deargle commented Jul 13, 2023

TLDR; The SSL issue for museum.php.net is due to this distro being on openssl 1.0.1 and due to the DST Root CA X3 certificate expiring on 2021-09-30. To bypass the error, we can modify the chef provisioner to no longer reference that expired CA.

I looked into this a bit. @stasguma your most recent error is /tmp/packer-chef-solo/local-mode-cache/cache/php-5.4.5 (Errno::ENOENT) because the tarball from github extracts to something more verbose like php-src-php-5.4.5 or something -- but fixing that path leads to an error about a missing ./configure script because something to do with the tarballs from github src not including a ./configure file and instead requiring it to be manually force-built with I-can't-remember-it-was-late-at-night other-script-in-that-bundle-first at which point I table-flipped and went back to figuring out the original SSL error.

The original SSL error for me was complaining about an expired certificate:

==> default: [2023-07-12T22:49:06+00:00] FATAL: OpenSSL::SSL::SSLError: remote_file[/var/chef/cache/php-5.4.5.tar.gz] (midterm-vuln::php_545 line 27) had an error: OpenSSL::SSL::SSLError: SSL Error connecting to http://museum.php.net/php5//php-5.4.5.tar.gz - SSL Error connecting to https://museum.php.net/php5/php-5.4.5.tar.gz - SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)

(some of my paths and possibly my error messages are different because I build directly using vagrant provision instead of packer)

This is happening because this ubuntu image is using openssl 1.0.1f, which has the same issue as described here for openssl 1.0.2, quoted below:

The currently recommended certificate chain as presented to Let’s Encrypt ACME clients when new certificates are issued contains an intermediate certificate (ISRG Root X1) that is signed by an old DST Root CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL 1.0.2 version will regard the certificates issued by the Let’s Encrypt CA as having an expired trust chain.

And that's the issue with museum.php.net, as shown below. An expired cert on DST Root CA X3. (Script below run from a partly-provisioned box):

vagrant@vagrant:~$ openssl s_client -CApath /etc/ssl/certs/ -connect museum.php.net:443
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
---
Certificate chain
 0 s:/CN=*.php.net
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

So following the guidance in that openssl site, and reading from man update-ca-certificates, I removed the DST Root CA X3 from the distro's trusted cert store as follows:

  • modify /etc/ca-certificates.conf to add a ! before mozilla/DST_Root_CA_X3.crt
  • run update-ca-certificates: 
    vagrant@vagrant:~$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs... 0 added, 1 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
  • retest with openssl, verify no more error: 
    vagrant@vagrant:~$ openssl s_client -CApath /etc/ssl/certs/ -connect museum.php.net:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.php.net
verify return:1
---

But then the chef provisioner includes its own bundled ca certificates, so I needed to tell it to instead use the distro's list of certs, which I'm currently doing by modifying the chef_solo binary with an environment variable, which was hinted at in a chef github issue:

chef.binary_env = "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt"

(chef fixed their bundled certs in a later chef version (that cert removed from its own bundled list), but we're stuck on 15.1.36 with this distro.)

Provisioning works without an SSL error for the php545 recipe this way, without modifying that recipe. I don't have issues fetching that patch file 🤷

I'll play with this a bit more and maybe think of a more elegant way to remove that cert from the trusted store, probably by modifying an early chef script.

@deargle
Copy link
Contributor

deargle commented Jul 13, 2023

I think this will work:

diff --git a/chef/cookbooks/metasploitable/recipes/system_config.rb b/chef/cookbooks/metasploitable/recipes/system_config.rb
new file mode 100644
index 0000000..c672ca4
--- /dev/null
+++ b/chef/cookbooks/metasploitable/recipes/system_config.rb
@@ -0,0 +1,11 @@
+# See https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ and https://github.com/chef/chef/issues/12126
+
+bash 'disable expired DST Root CA X3 certificate' do
+    code <<-EOS 
+        sed -i 's:^mozilla/DST_Root_CA_X3.crt:!mozilla/DST_Root_CA_X3.crt:' /etc/ca-certificates.conf
+        update-ca-certificates
+    EOS
+    not_if "grep -q '^!mozilla/DST_Root_CA_X3.crt' /etc/ca-certificates.conf"
+end
+
+ENV['SSL_CERT_FILE'] = '/etc/ssl/certs/ca-certificates.crt'
\ No newline at end of file
diff --git a/chef/dev/ub1404/Vagrantfile b/chef/dev/ub1404/Vagrantfile
index ed1859d..02be423 100644
--- a/chef/dev/ub1404/Vagrantfile
+++ b/chef/dev/ub1404/Vagrantfile
@@ -24,6 +24,7 @@ Vagrant.configure("2") do |config|
 
     chef.add_recipe "apt::default"
     chef.add_recipe "iptables::default"
+    chef.add_recipe "metasploitable:system_config"
     chef.add_recipe "metasploitable::users"
     chef.add_recipe "metasploitable::mysql"
     chef.add_recipe "metasploitable::apache_continuum"
diff --git a/packer/templates/ubuntu_1404.json b/packer/templates/ubuntu_1404.json
index b6c995b..f99a091 100644
--- a/packer/templates/ubuntu_1404.json
+++ b/packer/templates/ubuntu_1404.json
@@ -158,6 +158,8 @@
       ],
       "run_list": [
         "apt::default",
+        "iptables::default",
+        "metasploitable::system_config",
         "metasploitable::users",
         "metasploitable::mysql",
         "metasploitable::apache_continuum",

deargle pushed a commit to deargle/metasploitable3 that referenced this issue Jul 13, 2023
@deargle-carve
remove expired DST root CA
659599f 
see https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/:

> The currently recommended certificate chain as presented to Let’s Encrypt ACME clients when new certificates are issued contains an intermediate certificate (ISRG Root X1) that is signed by an old DST Root CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL 1.0.2 version will regard the certificates issued by the Let’s Encrypt CA as having an expired trust chain.

(The Ubuntu VM is on OpenSSL 1.0.1f)

closes rapid7#590
@deargle deargle linked a pull request Jul 13, 2023 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

remove expired DST root CA deargle/metasploitable3
6 participants
@deargle @stasguma @Alan-Daniels @devworkerkim @teststudent311 @Unlawful6754