# zabbix34-server fails to install after 12.0-RELEASE upgrade



## dougs (Dec 13, 2018)

After performing the following:
```
# freebsd-update -r 12.0-RELEASE upgrade
# freebsd-update install
# reboot
# freebsd-update install
# portmaster -af
```

I ran into an issue with reinstalling zabbix34-server due to the openssl situation.

```
<...snip...>
checking for DTLSv1_method in -lssl... yes
checking for SSL_library_init in -lssl... no
configure: error: The DTLS based transports require the libssl library from OpenSSL to be available
===>  Script "configure" failed unexpectedly.
Please report the problem to zi@FreeBSD.org [maintainer] and attach the
"/usr/ports/net-mgmt/net-snmp/work/net-snmp-5.7.3/config.log" including the
output of the failure of your make command. Also, it might be a good idea to
provide an overview of all packages installed on your system (e.g. a
/usr/local/sbin/pkg-static info -g -Ea).
*** Error code 1

Stop.
make[3]: stopped in /usr/ports/net-mgmt/net-snmp
*** Error code 1

Stop.
make[2]: stopped in /usr/ports/net-mgmt/net-snmp
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/net-mgmt/zabbix34-server
*** Error code 1

Stop.
make: stopped in /usr/ports/net-mgmt/zabbix34-server
[11:19]root:/usr/ports/net-mgmt/zabbix34-server #
```

Does libssl exist on my system?

```
[11:19]root:/usr/ports/net-mgmt/zabbix34-server # locate libssl
/usr/lib/libssl.a
/usr/lib/libssl.so
/usr/lib/libssl.so.8
/usr/lib/libssl_p.a
/usr/lib32/libssl.a
/usr/lib32/libssl.so
/usr/lib32/libssl.so.8
/usr/lib32/libssl_p.a
/usr/ports/net/ntp/files/patch-include_libssl__compat.h
/usr/ports/net/ntp/files/patch-libntp_libssl__compat.c
/usr/ports/www/aria2/files/patch-src-libssl_compat.h
[11:33]root:/usr/ports/net-mgmt/zabbix34-server #
```

Still at pre-12.0-RELEASE version.

Content of /etc/make.conf:

```
OPTIONS_SET=PKGNG
OPTIONS_UNSET= X11 GUI CUPS DOCS EXAMPLES NLS

#MAKE_JOBS_UNSAFE=yes

# uncomment to enable building ports that contain security vulnerabilities
# such as graphics/tiff
# be sure to comment out after each rebuild!
DISABLE_VULNERABILITIES=yes

DEFAULT_VERSIONS+= ssl=base pgsql=9.6 php=7.2
```

Do I need to continue with rebuilding all ports not requiring openssl and then perform one more iteration of freebsd-update before attempting to rebuild ports requiring openssl?

~Doug


----------



## dougs (Dec 13, 2018)

I forgot to update locate.updatedb.

```
[11:58]root:/usr/ports/net-mgmt/zabbix34-server # ll /usr/lib/libssl*
-r--r--r--  1 root  wheel  4395354 Dec 12 17:17 /usr/lib/libssl.a
lrwxr-xr-x  1 root  wheel       13 Dec 12 17:17 /usr/lib/libssl.so@ -> libssl.so.111
-r--r--r--  1 root  wheel   604936 Dec 12 17:16 /usr/lib/libssl.so.111
-rw-r--r--  1 root  wheel   470352 Jul 14 10:13 /usr/lib/libssl.so.8
-r--r--r--  1 root  wheel  4502998 Dec 12 17:17 /usr/lib/libssl_p.a
[11:58]root:/usr/ports/net-mgmt/zabbix34-server #
```

Is it possible that I may have executed 'freebsd-update install' once too many times? It's my understanding that the libraries wouldn't have been updated until the third time 'freebsd-update install' is run, yes?

~Doug


----------



## ShelLuser (Dec 13, 2018)

Worst case scenario is to try and use security/openssl instead of the base. It's something I'm actually already doing because it's a lot easier to re-install OpenSSL from the ports and then rebuild the depending ports than having to re-install / update the base system and then re-install those ports.


----------



## dougs (Dec 14, 2018)

So I installed _security/openssl_ and modified _/etc/make.conf_ as follows:

```
OPTIONS_SET=PKGNG
OPTIONS_UNSET= X11 GUI CUPS DOCS EXAMPLES NLS

#MAKE_JOBS_UNSAFE=yes

# uncomment to enable building ports that contain security vulnerabilities
# such as graphics/tiff
# be sure to comment out after each rebuild!
DISABLE_VULNERABILITIES=yes

DEFAULT_VERSIONS+= ssl=openssl pgsql=9.6 php=7.2
```

and reran portmaster -af. _net-mgmt/net-snmp_ still refuses to install.

```
<...snip...>
checking for EVP_md5 in -lcrypto... yes
checking for AES_cfb128_encrypt in -lcrypto... yes
checking for EVP_MD_CTX_create in -lcrypto... no
checking for DTLSv1_method in -lssl... yes
checking for SSL_library_init in -lssl... no
configure: error: The DTLS based transports require the libssl library from OpenSSL to be available
===>  Script "configure" failed unexpectedly.
Please report the problem to zi@FreeBSD.org [maintainer] and attach the
"/usr/ports/net-mgmt/net-snmp/work/net-snmp-5.7.3/config.log" including the
output of the failure of your make command. Also, it might be a good idea to
provide an overview of all packages installed on your system (e.g. a
/usr/local/sbin/pkg-static info -g -Ea).
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/net-mgmt/net-snmp
*** Error code 1

Stop.
make: stopped in /usr/ports/net-mgmt/net-snmp

===>>> make build failed for net-mgmt/net-snmp
===>>> Aborting update

===>>> Update for net-mgmt/net-snmp failed
===>>> Aborting update

===>>> Update for net-mgmt/php72-snmp failed
===>>> Aborting update

===>>> There are messages from installed ports to display,
       but first take a moment to review the error messages
       above.  Then press Enter when ready to proceed.
```

What the #)*#@- is going on???

Shall I file a bug report with Bugzilla?

~Doug
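
Added example (not part of the original post, and not code from the net-snmp port): in OpenSSL 1.1.0 and later, which FreeBSD 12.0 base installs as libssl.so.111, `SSL_library_init` and `EVP_MD_CTX_create` are header macros rather than exported functions, so a link-only configure probe for them answers "no" even though libssl is present. The script below classifies the failed probes in the configure output above; the function names and output format are assumptions of this example.

```shell
#!/bin/sh
# Added example: explain failed "checking for SYM in -lLIB... no" configure
# probes by checking SYM against names that OpenSSL 1.1.0 turned into macros.

# Old function name -> function actually exported by OpenSSL >= 1.1.0.
macro_replacement() {
    case "$1" in
        SSL_library_init|SSL_load_error_strings) echo OPENSSL_init_ssl ;;
        EVP_MD_CTX_create)  echo EVP_MD_CTX_new ;;
        EVP_MD_CTX_destroy) echo EVP_MD_CTX_free ;;
        *) return 1 ;;
    esac
}

# Reads configure output on stdin, prints one verdict per failed probe.
classify_probes() {
    sed -n 's/^checking for \([A-Za-z0-9_]*\) in -l\([A-Za-z0-9_]*\)\.\.\. no$/\1 \2/p' |
    while read -r sym lib; do
        if new=$(macro_replacement "$sym"); then
            echo "$sym -l$lib macro-since-1.1.0 probe-instead:$new"
        else
            echo "$sym -l$lib not-found"
        fi
    done
}

# Probe lines copied from the configure output in the post above; the last
# line (libexample) is constructed to show the "really missing" case.
sample_log() {
    cat <<'EOF'
checking for EVP_md5 in -lcrypto... yes
checking for AES_cfb128_encrypt in -lcrypto... yes
checking for EVP_MD_CTX_create in -lcrypto... no
checking for DTLSv1_method in -lssl... yes
checking for SSL_library_init in -lssl... no
checking for example_init in -lexample... no
EOF
}

sample_log | classify_probes
```

A "macro-since-1.1.0" verdict points at the port's configure script probing for a pre-1.1 symbol name, not at a missing or damaged libssl.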


----------



## ShelLuser (Dec 14, 2018)

Did you by any chance ever mix ports and packages? So combined the use of portmaster (or `# make install`) with `# pkg install <stuff>`? Because that could definitely have its effects and cause some weird behavior.

Next: the PKGNG option is pretty useless, you can just as well remove it because pkg is a standard on FreeBSD now. I'm also not too keen about leaving DISABLE_VULNERABILITIES enabled all the time because this way possibly bad updates could easily sneak in (though I don't believe that the setting caused all this).

This seems to be a problem with the system rather than those individual ports though I have no idea what could be causing it at this time. From which version did you upgrade? Also: was it an official FreeBSD release and not some kind of derivative (just ruling out (possibly) obvious causes)?

Other possible causes... what's in your /etc/libmap.conf? Is there anything weird in /usr/local/etc/libmap.d?


----------



## Eric A. Borisch (Dec 14, 2018)

Note that zabbix4 is available. Using something like synth to manage your builds is worth doing, too.


----------



## SirDice (Dec 14, 2018)

Zabbix 3.4 builds and works fine on my 12-STABLE machines. I only noticed a small problem with memory data collection. Zabbix uses a sysctl that doesn't exist any more on 12 and will fail to fetch memory statistics. If you add COMPAT_FREEBSD11 to the kernel it works again (no need for misc/compat11x). Most people won't notice as GENERIC has it included by default. But you may run into this with a custom kernel.


----------



## dougs (Dec 14, 2018)

ShelLuser said:


> Did you by any chance ever mix ports and packages? So combined the use of portmaster (or `# make install`) with `# pkg install <stuff>`? Because that could definitely have its effects and cause some weird behavior.
> 
> Next: the PKGNG option is pretty useless, you can just as well remove it because pkg is a standard on FreeBSD now. I'm also not too keen about leaving DISABLE_VULNERABILITIES enabled all the time because this way possibly bad updates could easily sneak in (though I don't believe that the setting caused all this).
> 
> ...


No, I don't mix packages with ports. It's all ports here.

Yes, I agree, time to remove PKGNG from the make.conf file. Normally I don't uncomment DISABLE_VULNERABILITIES but because of the patch issue and the need to rebuild all ports after the upgrade from 11.2-RELEASE-p5 to 12.0-RELEASE, I needed to do so.

There isn't any /usr/local/etc/libmap.conf and the content of /etc/libmap.conf is as follows:
```
# $FreeBSD: releng/12.0/libexec/rtld-elf/libmap.conf 338741 2018-09-18 00:25:00Z brd $
includedir /usr/local/etc/libmap.d
```

This was a fairly standard upgrade going from a stock 11.2-RELEASE version to 12.0-RELEASE. Images were from the FreeBSD repos. I'm considering doing a reinstall using the 12.0-RELEASE image and see if that resolves my issue. Two of my other servers were upgraded without any hiccups. Of course this server is the only one thus far with ports needing openssl of some kind. I'm going to lay back on updating the rest of my servers until January.

It goes without saying that there are numerous issues filed at Bugzilla involving ports using openssl. I do think that I should file a report in due time!

Additional comments/feedback welcomed.

~Doug


----------

