ntopng 0.8.13_1 throws errors on syslog unable to fetch maxmind database

ha11oga11o · Dec 27, 2023, 5:32 PM

Hello,

recently i want to try ntopng on my pfSense box. Installation was ok, webpage is shown fine with data, but i got errors when im trying to update GeoLite2 db it throws error on syslog. I have old key which is binded with pfBlockerNG which works fine. I can see its accessing on maxmind webpage. But it cant download with ntopng. Does anyone has any idea what is problem with this logs?

Dec 27 18:18:53 	php-fpm 	85264 	/pkg_edit.php: The command '/usr/bin/fetch -o /usr/local/share/ntopng/GeoLite2-ASN.tar.gz -T 5 "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-ASN&license_key=Ke4wzV_qaqVxxxxxxxuh9qjJPhRj6xiXs_mmk&suffix=tar.gz"' returned exit code '1', the output was 'Certificate verification failed for /O=pfBlockerNG DNSBL Self-Signed Certificate/CN=pfSense-pfBNG-DNSBL-658acb746984c 002001CB3C170000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/sources/FreeBSD-src-RELENG_2_7_2/crypto/openssl/ssl/statem/statem_clnt.c:1890: fetch: https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-ASN&license_key=Ke4wzV_qaqVdSHYCSrxxxxxx6xiXs_mmk&suffix=tar.gz: Authentication error'
Dec 27 18:18:53 	php-fpm 	85264 	/pkg_edit.php: The command '/usr/bin/fetch -o /usr/local/share/ntopng/GeoLite2-City.tar.gz -T 5 "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=Ke4wzV_qaqVdSHYxxxxxxxqjJPhRj6xiXs_mmk&suffix=tar.gz"' returned exit code '1', the output was 'Certificate verification failed for /O=pfBlockerNG DNSBL Self-Signed Certificate/CN=pfSense-pfBNG-DNSBL-658acb746984c 0020011C9C0D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/sources/FreeBSD-src-RELENG_2_7_2/crypto/openssl/ssl/statem/statem_clnt.c:1890: fetch: https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=Ke4wzV_qaqVdSHxxxxxxxh9qjJPhRj6xiXs_mmk&suffix=tar.gz: Authentication error'

When i try to download it with browser it works. But it seems it cant do it within plugin. I tried both keys.

Thank you in advance.

ha11oga11o · May 6, 2024, 3:13 PM

Hello and sorry for bumping this one out. Im trying to fix this problem for quite some time and i really need help. Can someone please tell me what are those errors actually mean?

2.7.2-RELEASE (amd64)
built on Fri Dec 8 21:55:00 CET 2023
FreeBSD 14.0-CURRENT
ntopng 0.8.13_10

Thank you in advance!

May 6 13:32:26 	kernel 		pppoe0: promiscuous mode enabled
May 6 13:32:25 	php-fpm 	8033 	/pkg_edit.php: The command '/usr/local/etc/rc.d/ntopng.sh stop' returned exit code '1', the output was 'No matching processes were found No matching processes were found'
May 6 13:32:22 	kernel 		pppoe0: promiscuous mode disabled
May 6 13:32:19 	check_reload_status 	504 	Syncing firewall
May 6 13:32:19 	php-fpm 	8033 	/pkg_edit.php: Configuration Change:
May 6 13:32:19 	php-fpm 	8033 	/pkg_edit.php: The command '/usr/bin/fetch -o /usr/local/share/ntopng/GeoLite2-ASN.tar.gz -T 5 "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-ASN&license_key=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&suffix=tar.gz"' returned exit code '1', the output was 'Certificate verification failed for /O=pfBlockerNG DNSBL Self-Signed Certificate/CN=pfSense-pfBNG-DNSBL-661af1ff58825 002001AA12430000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/sources/FreeBSD-src-RELENG_2_7_2/crypto/openssl/ssl/statem/statem_clnt.c:1890: fetch: https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-ASN&license_key=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&suffix=tar.gz: Authentication error'
May 6 13:32:19 	php-fpm 	8033 	/pkg_edit.php: The command '/usr/bin/fetch -o /usr/local/share/ntopng/GeoLite2-City.tar.gz -T 5 "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=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&suffix=tar.gz"' returned exit code '1', the output was 'Certificate verification failed for /O=pfBlockerNG DNSBL Self-Signed Certificate/CN=pfSense-pfBNG-DNSBL-661af1ff58825 0020216E20560000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/sources/FreeBSD-src-RELENG_2_7_2/crypto/openssl/ssl/statem/statem_clnt.c:1890: fetch: https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=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&suffix=tar.gz: Authentication error'

dennypage · May 6, 2024, 3:13 PM

@ha11oga11o MaxMind has changed the login requirements. You should have received an email notice from MaxMind regarding this several months ago.

MaxMind now requires a Login ID as well as the License Key. There are several posts discussing this in the forum. GeoIP will not work until a new version of pfSense-pkg-ntopng is installed because the old version does not provide the Login ID.

The new package is available in 24.03, but I don't know if it's available in the community edition yet. Check your System / Package Manager.

ha11oga11o · May 7, 2024, 5:58 AM

@dennypage

Many thnx for clarification, i manage to make it kinda working by copying two packages on shared directory by ftp and it seems its working,... at least it created database, throw usual error, shows map and word "Marker" but not actual icon on map.
I did change for pfblockerng adding ID and that works, but i did not seen it here.

So yeah, ntopng is outdated on CE and needs time for update. Im running last available ntopng 0.8.13_10, but it seems its not tweaked for this "feature".

Thank you, have nice day!

dennypage · May 7, 2024, 1:17 PM

@jimp, Would it be possible to kick out the new ntopng package for community edition?

jimp · May 7, 2024, 1:17 PM

@dennypage said in ntopng 0.8.13_1 throws errors on syslog unable to fetch maxmind database:

@jimp, Would it be possible to kick out the new ntopng package for community edition?

It doesn't pick back cleanly to the 2.7.2 branch, so it will either need a new PR or some other manual work to account for the differences between the branches.

ha11oga11o · Oct 28, 2024, 8:42 AM

@jimp

Hello,
sorry for resurrecting this topic, but it seems its still on the spot since ntopng and pfSense are totally same versions.
Do you know will ntopng package be updated to accommodate this feture, if you dont know where can i ask about it?
I doubt that any dev will leave this kind of package in limbo like this, and this long. It just dont have sense to me.

Many thnx in advance.

ntopng 0.8.13_10

2.7.2-RELEASE (amd64)
built on Wed Dec 6 21:10:00 CET 2023
FreeBSD 14.0-CURRENT

dennypage · Oct 28, 2024, 1:16 PM

@ha11oga11o said in ntopng 0.8.13_1 throws errors on syslog unable to fetch maxmind database:

Do you know will ntopng package be updated to accommodate this feture, if you dont know where can i ask about it?
I doubt that any dev will leave this kind of package in limbo like this, and this long. It just dont have sense to me.

ntopng 0.8.13_10 is not the current version.

The current version of the ntopng package, 5.6.0 issued in April of this year, supports the current Maxmind requirements.

Github commit: Update ntopng package

ha11oga11o · Oct 28, 2024, 5:27 PM

@dennypage

I am sorry,

but i cannot see that version at all on available packages screen.

login-to-view

What am i missing here?

Im so sorry for accusing devs.

dennypage · Oct 28, 2024, 7:03 PM

@ha11oga11o FWIW, I don't work for Netgate, and I don't generally monitor the community version releases. As such, I'm not very knowledgeable on 2.7.2, but some quick googling shows that 2.7.2 was released in December of 2023, which was prior to the release of the updated ntopng package. I assume that the ntopng update will be included in the next community version, which appears to be 2.8.0, but perhaps someone more knowledgeable than I can comment on that.