OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: MoonbeamFrame on January 30, 2022, 12:52:06 PM

Title: post upgrade updates fail with Certificate verification failure.
Post by: MoonbeamFrame on January 30, 2022, 12:52:06 PM
Running OPNsense as a VM on Virtualbox 6.1

Post upgrade I'm unable to check for package updates.


***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.1 (amd64/OpenSSL) at Tue Oct  6 10:11:06 BST 2189
Fetching changelog information, please wait... Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34374492160:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***
Title: Re: post upgrade updates fail with Certificate verification failure.
Post by: franco on January 30, 2022, 01:15:41 PM
So do you have the FreeBSD repository enabled?


Cheers,
Franco
Title: Re: post upgrade updates fail with Certificate verification failure.
Post by: MoonbeamFrame on January 30, 2022, 05:29:29 PM

This is the state of the system having upgraded 21.7.7 to 21.7.8 to 22.1 via the GUI.

No user side changes were made.

Title: Re: post upgrade updates fail with Certificate verification failure.
Post by: LogicEthos on February 01, 2022, 10:13:57 PM
I had this problem too before updating.  Still got it.  Must be something wrong with my configuration file.


***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.1 (amd64/OpenSSL) at Tue Feb  1 21:10:47 UTC 2022
Fetching changelog information, please wait... Certificate verification failed for /C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense
34374492160:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:



Title: Re: post upgrade updates fail with Certificate verification failure.
Post by: franco on February 02, 2022, 07:51:33 AM
Health audit output would be nice. Also can you try to go to Firmware: Packages tab and grab the version number from "pkg" from the list?


Cheers,
Franco
Title: Re: post upgrade updates fail with Certificate verification failure.
Post by: LogicEthos on February 02, 2022, 02:06:17 PM
pkg = 1.16.3_1

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 22.1 (amd64/OpenSSL) at Wed Feb  2 13:05:06 UTC 2022
>>> Check installed kernel version
Version 22.1 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 22.1 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 65 dependencies to check.
Checking packages: .
beep-1.0_1 has no upstream equivalent
Checking packages: .
ca_root_nss-3.74 has no upstream equivalent
Checking packages: .
choparp-20150613 has no upstream equivalent
Checking packages: .
cpustats-0.1 has no upstream equivalent
Checking packages: .
dhcp6c-20200512_1 has no upstream equivalent
Checking packages: .
dhcpleases-0.2 has no upstream equivalent
Checking packages: .
dnsmasq-2.86_2,1 has no upstream equivalent
Checking packages: .
dpinger-3.0 has no upstream equivalent
Checking packages: .
expiretable-0.6_2 has no upstream equivalent
Checking packages: .
filterlog-0.6 has no upstream equivalent
Checking packages: .
flock-2.37.2 has no upstream equivalent
Checking packages: .
flowd-0.9.1_3 has no upstream equivalent
Checking packages: .
hostapd-2.10 has no upstream equivalent
Checking packages: .
ifinfo-13.0 has no upstream equivalent
Checking packages: .
iftop-1.0.p4 has no upstream equivalent
Checking packages: .
isc-dhcp44-relay-4.4.2P1 has no upstream equivalent
Checking packages: .
isc-dhcp44-server-4.4.2P1_1 has no upstream equivalent
Checking packages: .
lighttpd-1.4.63 has no upstream equivalent
Checking packages: .
monit-5.29.0_1 has no upstream equivalent
Checking packages: .
mpd5-5.9_6 has no upstream equivalent
Checking packages: .
ntp-4.2.8p15_4 has no upstream equivalent
Checking packages: .
openssh-portable-8.8.p1_1,1 has no upstream equivalent
Checking packages: .
openssl-1.1.1m_1,1 has no upstream equivalent
Checking packages: .
openvpn-2.5.5 has no upstream equivalent
Checking packages: .
opnsense-22.1 has no upstream equivalent
Checking packages: .
opnsense-installer-22.1 has no upstream equivalent
Checking packages: .
opnsense-lang-21.7.8 has no upstream equivalent
Checking packages: .
opnsense-update-22.1 has no upstream equivalent
Checking packages: .
pam_opnsense-19.1.3 has no upstream equivalent
Checking packages: .
pftop-0.7_9 has no upstream equivalent
Checking packages: .
php74-ctype-7.4.27 has no upstream equivalent
Checking packages: .
php74-curl-7.4.27 has no upstream equivalent
Checking packages: .
php74-dom-7.4.27 has no upstream equivalent
Checking packages: .
php74-filter-7.4.27 has no upstream equivalent
Checking packages: .
php74-gettext-7.4.27 has no upstream equivalent
Checking packages: .
php74-google-api-php-client-2.4.0 has no upstream equivalent
Checking packages: .
php74-json-7.4.27 has no upstream equivalent
Checking packages: .
php74-ldap-7.4.27 has no upstream equivalent
Checking packages: .
php74-openssl-7.4.27 has no upstream equivalent
Checking packages: .
php74-pdo-7.4.27 has no upstream equivalent
Checking packages: .
php74-pecl-radius-1.4.0b1_1 has no upstream equivalent
Checking packages: .
php74-phalcon4-4.1.3 has no upstream equivalent
Checking packages: .
php74-phpseclib-2.0.35 has no upstream equivalent
Checking packages: .
php74-session-7.4.27 has no upstream equivalent
Checking packages: .
php74-simplexml-7.4.27 has no upstream equivalent
Checking packages: .
php74-sockets-7.4.27 has no upstream equivalent
Checking packages: .
php74-sqlite3-7.4.27 has no upstream equivalent
Checking packages: .
php74-xml-7.4.27 has no upstream equivalent
Checking packages: .
php74-zlib-7.4.27 has no upstream equivalent
Checking packages: .
pkg-1.16.3_1 has no upstream equivalent
Checking packages: .
py38-Jinja2-3.0.1 has no upstream equivalent
Checking packages: .
py38-dnspython2-2.2.0 has no upstream equivalent
Checking packages: .
py38-netaddr-0.8.0 has no upstream equivalent
Checking packages: .
py38-requests-2.25.1 has no upstream equivalent
Checking packages: .
py38-sqlite3-3.8.12_7 has no upstream equivalent
Checking packages: .
py38-ujson-5.0.0 has no upstream equivalent
Checking packages: .
radvd-2.19_1 has no upstream equivalent
Checking packages: .
rrdtool-1.7.2_4 has no upstream equivalent
Checking packages: .
samplicator-1.3.8.r1_1 has no upstream equivalent
Checking packages: .
squid-4.15 has no upstream equivalent
Checking packages: .
strongswan-5.9.4 has no upstream equivalent
Checking packages: .
sudo-1.9.8p2 has no upstream equivalent
Checking packages: .
suricata-6.0.4_1 has no upstream equivalent
Checking packages: .
syslog-ng-3.35.1 has no upstream equivalent
Checking packages: .
unbound-1.14.0 has no upstream equivalent
Checking packages: .
wpa_supplicant-2.10 has no upstream equivalent
Checking packages: .
zip-3.0_1 has no upstream equivalent
***DONE***
Title: Re: post upgrade updates fail with Certificate verification failure.
Post by: franco on February 02, 2022, 02:11:08 PM
Yours looks ok, though /C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense looks like a local web proxy you're hitting. Configuration error?

(compare with /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign which is the correct root certificate)


Cheers,
Franco
Title: Re: post upgrade updates fail with Certificate verification failure.
Post by: LogicEthos on February 02, 2022, 02:45:22 PM
[screenshot: https://i.ibb.co/Yb8vdQr/Untitled.png]
I have this in my certificates.
Title: Re: post upgrade updates fail with Certificate verification failure.
Post by: franco on February 02, 2022, 03:11:42 PM
Yep so a firewall rule or port forward likely causes your local traffic to hit the GUI for whatever reason.


Cheers,
Franco
Title: Re: post upgrade updates fail with Certificate verification failure.
Post by: LogicEthos on February 03, 2022, 11:11:09 AM
I tried removing port forwarding.  Same.
I deleted the certificate that was in my config file. I created new self-signed certificates.

fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
SSL certificate subject doesn't match host www.mirrorservice.org


From my web browser, I can download without problems.
https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz

but from the console I get

root@OPNsense:~ # curl https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz
curl: (60) SSL: certificate subject name 'LE Cert' does not match target host name 'pkg.opnsense.org'


Title: Re: post upgrade updates fail with Certificate verification failure.
Post by: franco on February 03, 2022, 11:17:13 AM
You're still pointing the box through a proxy either internally or externally. At least from the certificate shift it looks like it's an internal one. You can use "curl -k https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz" to see it download correctly, but that doesn't change the fact you really need to fix your setup.


Cheers,
Franco
Title: Re: post upgrade updates fail with Certificate verification failure.
Post by: MoonbeamFrame on February 03, 2022, 05:08:30 PM

Is the implication here that this is failing because the VM does not have a real external IP?

I've just created a new VM and installed 22.1 from the iso and I see the same error from the CLI and the GUI.

Restoring the previous configuration still results in this error.

Title: Re: post upgrade updates fail with Certificate verification failure.
Post by: LogicEthos on February 03, 2022, 05:13:22 PM
Quote from: MoonbeamFrame on February 03, 2022, 05:08:30 PM
Is the implication here that this is failing because the VM does not have a real external IP?

Perhaps you could try downloading changelog.txz as above.  When I do it from OpnSense console, it fails.  From my desktop (which is connected via OpnSense) it works.  The implication is there is an internal proxy, but I have not been able to find it.
Title: Re: post upgrade updates fail with Certificate verification failure.
Post by: Fright on February 03, 2022, 06:25:51 PM
@MoonbeamFrame
Quote from: MoonbeamFrame on January 30, 2022, 12:52:06 PM
Currently running OPNsense 22.1 (amd64/OpenSSL) at Tue Oct  6 10:11:06 BST 2189
Fetching changelog information, please wait... Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34374492160:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
so what time is on your OPN now?
pkg.opnsense.org root cert is only valid until 2029  ;)
Title: Re: post upgrade updates fail with Certificate verification failure.
Post by: franco on February 03, 2022, 07:32:23 PM
Good catch, that year 2189 was also in the original post so both things reported here are local issues.


Cheers,
Franco
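Fright's catch (a clock reading 2189 against a root that only runs to 2029) and Franco's earlier comparison of the two subjects (the GlobalSign root versus the OPNsense GUI's own certificate) are the two checks worth scripting before touching firewall rules. The following is an added example for this thread, not OPNsense code: it reads an update-check or curl transcript, pulls out the system time the box printed and the subject that was rejected, and says whether the failure looks like a wrong clock, a locally intercepted connection, or something else. The GlobalSign Root CA - R3 validity window (2009-03-18 to 2029-03-18) is taken from the public root certificate; the sample transcripts are trimmed excerpts of the ones posted in this thread; the verdict labels are this example's own.

```python
"""Triage an OPNsense update-check / curl transcript for the TLS failure seen in
this thread. Added example, not OPNsense code. Verdicts are this example's own:
  clock         - the box's clock is outside the validity window of the expected root
  interception  - something local (GUI, proxy, NAT) answered instead of pkg.opnsense.org
  unresolved    - the expected root was rejected at a plausible time; look elsewhere
  ok            - no TLS verification failure in the transcript
"""
import re
from datetime import datetime

# Validity window of "GlobalSign Root CA - R3", taken from the public root
# certificate (notBefore 2009-03-18, notAfter 2029-03-18), the root the
# thread identifies as the correct one for pkg.opnsense.org.
KNOWN_ROOTS = {
    "/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign":
        (datetime(2009, 3, 18), datetime(2029, 3, 18)),
}

# "Currently running OPNsense 22.1 (amd64/OpenSSL) at Tue Oct  6 10:11:06 BST 2189"
RUNNING_RE = re.compile(
    r"Currently running OPNsense \S+ .*? at \w{3} (\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) \S+ (\d{4})")
# "Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign"
VERIFY_RE = re.compile(r"Certificate verification failed for (/\S.*)")
# curl's and pkg's hostname-mismatch messages
MISMATCH_RE = re.compile(
    r"certificate subject name '([^']+)' does not match target host name '([^']+)'"
    r"|SSL certificate subject doesn't match host (\S+)")


def parse_clock(text):
    """System time the firewall printed in the transcript (timezone ignored: a
    multi-year skew is what matters here), or None if the line is absent."""
    m = RUNNING_RE.search(text)
    if not m:
        return None
    mon, day, hms, year = m.groups()
    return datetime.strptime(f"{mon} {day} {hms} {year}", "%b %d %H:%M:%S %Y")


def triage(text):
    """Return (verdict, explanation) for one transcript."""
    mism = MISMATCH_RE.search(text)
    if mism:
        subject = mism.group(1) or "(not shown)"
        host = mism.group(2) or mism.group(3)
        return ("interception",
                f"TLS for {host} was answered with subject {subject!r}; "
                "a local listener, proxy or NAT rule terminates the connection")

    failed = VERIFY_RE.search(text)
    if not failed:
        return ("ok", "no TLS verification failure found")

    name = failed.group(1).strip()
    window = KNOWN_ROOTS.get(name)
    if window is None:
        return ("interception",
                f"subject {name!r} is not the expected public root; another endpoint is presenting a chain")

    clock = parse_clock(text)
    lo, hi = window
    if clock is not None and not (lo <= clock <= hi):
        return ("clock",
                f"system time {clock:%Y-%m-%d} is outside the validity of {name} "
                f"({lo:%Y-%m-%d} to {hi:%Y-%m-%d}); fix the clock and NTP first")
    return ("unresolved",
            f"expected root {name!r} rejected at a plausible time; "
            "check the CA bundle and the path the box takes to the repository")


# Trimmed excerpts of the transcripts posted in this thread.
CLOCK_CASE = """\
Currently running OPNsense 22.1 (amd64/OpenSSL) at Tue Oct  6 10:11:06 BST 2189
Fetching changelog information, please wait... Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz: Authentication error
"""
LOCAL_GUI_CASE = """\
Currently running OPNsense 22.1 (amd64/OpenSSL) at Tue Feb  1 21:10:47 UTC 2022
Fetching changelog information, please wait... Certificate verification failed for /C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense
"""
CURL_CASE = "curl: (60) SSL: certificate subject name 'LE-Cert' does not match target host name 'pkg.opnsense.org'\n"
LATER_CASE = """\
Currently running OPNsense 22.1.3 (amd64/OpenSSL) at Mon Jun 27 10:33:54 +11 2022
Fetching changelog information, please wait... Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
"""

if __name__ == "__main__":
    for label, case in [("MoonbeamFrame", CLOCK_CASE), ("LogicEthos", LOCAL_GUI_CASE),
                        ("LogicEthos curl", CURL_CASE), ("maxim_al", LATER_CASE)]:
        verdict, why = triage(case)
        print(f"{label:16} {verdict:13} {why}")
```

Run it on the saved output of the Firmware page or of `curl -v https://pkg.opnsense.org`. The mismatch check comes first on purpose: a subject that does not match the host is proof that some other listener answered, whatever the clock says, while a rejected GlobalSign subject only becomes a clock problem once the printed time is compared with the root's validity.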
Title: Re: post upgrade updates fail with Certificate verification failure.
Post by: Fright on February 03, 2022, 08:36:09 PM
@franco yep, but I don't have enough imagination to suggest the configuration of the rules for @LogicEthos results )

@LogicEthos
can you share the
curl -v https://pkg.opnsense.org
result and
pfctl -vss | grep :443
result right after curl? thanks
Title: Re: post upgrade updates fail with Certificate verification failure.
Post by: LogicEthos on February 04, 2022, 06:40:56 PM
I have just forced unbound to issue the IPV4 address, instead of the IPV6 address for pkg.opnsense.org
It now works!  ¯\_(ツ)_/¯
Title: Re: post upgrade updates fail with Certificate verification failure.
Post by: LogicEthos on February 04, 2022, 07:01:06 PM
This is what it looks like with IPv6 enabled.

root@OPNsense:~ # curl -v https://pkg.opnsense.org
*   Trying 2001:1af8:4f00:a005:5:::443...
* Connected to pkg.opnsense.org (2001:1af8:4f00:a005:5::) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /usr/local/etc/ssl/cert.pem
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=GB; ST=Hampshire; L=Southampton; O=LogicEthos; emailAddress=stuart@something.com; CN=LE-Cert
*  start date: Feb  4 14:48:04 2022 GMT
*  expire date: Mar  8 14:48:04 2023 GMT
* SSL: certificate subject name 'LE-Cert' does not match target host name 'pkg.opnsense.org'
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: certificate subject name 'LE-Cert' does not match target host name 'pkg.opnsense.org'
More details here: https://curl.se/docs/sslcerts.html
Title: Re: post upgrade updates fail with Certificate verification failure.
Post by: Fright on February 05, 2022, 06:20:20 AM
Quote from: LogicEthos on February 04, 2022, 06:40:56 PM
It now works!  ¯\_(ツ)_/¯
still not clear why the request with ipv6 is hitting the local port. perhaps the output of pfctl right after curl would help to understand.
Title: Re: post upgrade updates fail with Certificate verification failure.
Post by: LogicEthos on February 05, 2022, 02:34:10 PM
Quote from: Fright on February 05, 2022, 06:20:20 AM
still not clear why the request with ipv6 is hitting the local port. perhaps the output of pfctl right after curl would help to understand.

It generates a lot of data.  This seems to be the relevant bit.

all tcp 2a02:my:ip:xxx::1[50482] -> 2001:1af8:4f00:a005:5::[443]       FIN_WAIT_2:FIN_WAIT_2
Title: Re: post upgrade updates fail with Certificate verification failure.
Post by: Fright on February 05, 2022, 03:10:31 PM
Hm. No translation is visible.
the last idea is to try to trace requests to dst_port 443 in the firewall live log (with the default rules logging enabled in SYSTEM: SETTINGS: LOGGING)
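Fright's request for `pfctl -vss | grep :443` is about spotting a translation on the state: a port forward that diverts the firewall's own outbound :443 connection to the GUI would show up as a pre-translation endpoint in parentheses on an inbound (`<-`) state, whereas the line LogicEthos posted has none. The following is an added example for this thread, not an OPNsense tool: a small parser for pf state lines that tells ordinary outbound source NAT apart from a destination redirect toward a given port. The line layout it assumes is the FreeBSD pf one, `<if> <proto> <endpoint> [(<pre-translation endpoint>)] <-|-> <endpoint> <state>`, with IPv6 ports in brackets; the first sample line is the one posted above, the others are constructed with documentation addresses.

```python
"""Parse pfctl -ss / -vss state lines and flag destination redirects (rdr)
toward a given port. Added example for this thread, not an OPNsense tool.

Assumed line layout (FreeBSD pf):
    <if> <proto> <endpoint> [(<pre-translation endpoint>)] <-|-> <endpoint> <state>
IPv4 endpoints are addr:port, IPv6 endpoints are addr[port]. A parenthesised
endpoint after the first one means that side was translated: source NAT on an
outbound '->' state, a redirect (rdr) on an inbound '<-' state.
"""
import re

ENDPOINT_RE = re.compile(r"^\(?(.+?)(?::(\d+)|\[(\d+)\])\)?$")


def parse_endpoint(tok):
    """'192.0.2.1:443' -> ('192.0.2.1', 443); '2001:db8::1[443]' -> ('2001:db8::1', 443).
    Surrounding parentheses (pre-translation endpoint) are accepted and dropped."""
    m = ENDPOINT_RE.match(tok)
    if not m:
        raise ValueError(f"not a pf endpoint: {tok!r}")
    return m.group(1), int(m.group(2) or m.group(3))


def parse_state(line):
    """Dict for one state line, or None for the indented detail lines -vss adds."""
    toks = line.split()
    if len(toks) < 5 or line[:1].isspace():
        return None
    arrows = [i for i, t in enumerate(toks) if t in ("->", "<-")]
    if len(arrows) != 1:
        return None
    i = arrows[0]
    left, right = toks[2:i], toks[i + 1:]
    if not left or not right:
        return None
    return {
        "proto": toks[1],
        "dir": toks[i],
        "endpoint": parse_endpoint(left[0]),                          # after translation
        "orig": parse_endpoint(left[1]) if len(left) > 1 else None,   # before translation
        "peer": parse_endpoint(right[0]),
        "state": right[1] if len(right) > 1 else None,
    }


def find_redirected(lines, port):
    """States whose destination was rewritten (rdr) for traffic addressed to <port>.
    Source NAT ('->' with a translation) is normal for outbound traffic and is ignored."""
    hits = []
    for line in lines:
        st = parse_state(line)
        if st and st["dir"] == "<-" and st["orig"] and st["orig"][1] == port:
            hits.append(st)
    return hits


# Constructed sample: line 1 is the state LogicEthos posted (no translation);
# line 2 is what a port forward diverting a :443 request to the firewall's own
# GUI at 192.0.2.1 would look like; line 3 is ordinary outbound source NAT;
# line 4 is a -vss detail line; line 5 is unrelated mDNS traffic.
STATES = """\
all tcp 2a02:my:ip:xxx::1[50482] -> 2001:1af8:4f00:a005:5::[443]       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.0.2.1:443 (198.51.100.9:443) <- 192.0.2.20:51000       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.5:52222 (192.0.2.20:52222) -> 198.51.100.9:443       ESTABLISHED:ESTABLISHED
   age 00:00:03, expires in 00:00:10, 4:3 pkts, 512:256 bytes, rule 12
all udp 192.0.2.20:5353 -> 224.0.0.251:5353       NO_TRAFFIC:SINGLE
"""

if __name__ == "__main__":
    for st in find_redirected(STATES.splitlines(), 443):
        a, o, p = st["endpoint"], st["orig"], st["peer"]
        print(f"{p[0]} asked for {o[0]}:{o[1]} but was sent to {a[0]}:{a[1]} ({st['state']})")
```

Feed it `pfctl -vss` output captured right after the failing `curl`, as Fright suggested. A hit names the address the client actually asked for and where pf sent it instead; no hit on the :443 state, as in the posted line, means pf did not rewrite the destination and the redirect has to be somewhere else on the path.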
Title: Re: post upgrade updates fail with Certificate verification failure.
Post by: LogicEthos on February 05, 2022, 03:21:38 PM
[screenshot: https://i.ibb.co/q72Qs76/Untitled.png]
Title: Re: post upgrade updates fail with Certificate verification failure.
Post by: Fright on February 05, 2022, 04:09:05 PM
Hm, don't know what to say (is the GUI listening on :443?). No translation is visible, but there are no incoming hits on the GUI either  :o
Title: Re: post upgrade updates fail with Certificate verification failure.
Post by: maxim_al on June 27, 2022, 02:06:39 AM
Quote from: MoonbeamFrame on January 30, 2022, 12:52:06 PM
Running OPNsense as a VM on Virtualbox 6.1

Post upgrade I'm unable to check for package updates.


***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.1 (amd64/OpenSSL) at Tue Oct  6 10:11:06 BST 2189
Fetching changelog information, please wait... Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34374492160:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify

I have the same problem.
For quite a long time everything worked fine and was updated. However, at some point in time I got the same error.
I read the topic, but did not understand whether the problem was solved, and if so, how.

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.1.3 (amd64/OpenSSL) at Mon Jun 27 10:33:54 +11 2022
Fetching changelog information, please wait... Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34374492160:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign