The cert that, I assume, was generated when I installed my firewall had expired, which is apparently preventing me from updating the system:
Fetching changelog information, please wait... Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34374492160:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
So I generated a new cert which is generating these errors instead:
Fetching changelog information, please wait... SSL certificate subject doesn't match host pkg.opnsense.org
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
SSL certificate subject doesn't match host mirror.wdc1.us.leaseweb.net
Is there a walkthrough of exactly what is needed to resolve this? I'm not having any luck finding an answer.
TIA!
I don't think the installation uses auth by default, so it looks like you've made some change on your firewall that is trying to use authentication. So the clue is there, it doesn't use it by default.
To verify it, from another machine just "wget https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz" and you'll see something like:
:/tmp$ wget https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz
--2022-11-15 15:36:44-- https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz
Resolving pkg.opnsense.org (pkg.opnsense.org)... 89.149.211.205, 2001:1af8:4f00:a005:5::
Connecting to pkg.opnsense.org (pkg.opnsense.org)|89.149.211.205|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 261728 (256K)
Saving to: 'changelog.txz'
changelog.txz 100%[=================================================>] 255.59K --.-KB/s in 0.07s
2022-11-15 15:36:45 (3.79 MB/s) - 'changelog.txz' saved [261728/261728]
That's what's confusing me. Plus I don't even know how one would use a local server cert for authenticating to a remote TLS server anyways. I have no idea what setting(s) could even cause this behavior.
I *did* try messing with the mirrors and, after a handful of attempts, found one which permitted me to fetch the list of updates. Which I kinda find more confusing because now I'm not sure which end the problem is actually at...
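An added example, not part of the thread and not OPNsense code: a small Python parser for the error lines quoted in the first post. The subject printed after "Certificate verification failed for" is that of the certificate the peer presented, so the parser pairs each TLS failure with the host that was requested, which is the first comparison to make when triaging this error. The function names are this example's own, and SAMPLE is three lines copied from the first post.

```python
import re
from urllib.parse import urlsplit

# Three lines copied from the first post (fetch/pkg output on the firewall).
SAMPLE = """\
Fetching changelog information, please wait... Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz: Authentication error
SSL certificate subject doesn't match host mirror.wdc1.us.leaseweb.net
"""

VERIFY_RE = re.compile(r"Certificate verification failed for (/\S.*)$")
MISMATCH_RE = re.compile(r"SSL certificate subject doesn't match host (\S+)")
FETCH_RE = re.compile(r"fetch: (https://\S+): Authentication error")


def parse_dn(dn):
    """Split an OpenSSL one-line DN (/K=V/K=V) into a dict."""
    return dict(p.split("=", 1) for p in dn.strip("/").split("/") if "=" in p)


def hostname_matches(cn, host):
    """Compare a certificate CN with the requested host (one-label wildcard allowed)."""
    cn, host = cn.lower(), host.lower()
    if cn.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cn[2:]
    return cn == host


def analyse(log):
    """Return one finding per TLS failure: requested host vs. presented subject."""
    findings = []
    for line in log.splitlines():
        if m := VERIFY_RE.search(line):
            # Chain not trusted; the requested host arrives on a later "fetch:" line.
            findings.append({"host": None, "subject": parse_dn(m.group(1)),
                             "reason": "untrusted"})
        elif m := MISMATCH_RE.search(line):
            findings.append({"host": m.group(1).lower(), "subject": None,
                             "reason": "name-mismatch"})
        elif (m := FETCH_RE.search(line)) and findings and findings[-1]["host"] is None:
            findings[-1]["host"] = urlsplit(m.group(1)).hostname
    for f in findings:
        cn = (f["subject"] or {}).get("CN")
        f["cn_matches_host"] = bool(cn and f["host"]) and hostname_matches(cn, f["host"])
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```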