OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: OppyOppy on October 16, 2023, 04:17:36 PM

Title: Errors on Update from Console
Post by: OppyOppy on October 16, 2023, 04:17:36 PM
Selected Option 12 from SSH menu

Fetching change log information, please wait... Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
56577144918016:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/sets/changelog.txz: Authentication error

I've seen some references to replacing the certificate but am not comfortable doing this without some sort of confirmation.

Thanks in advance.

Ryan

Title: Re: Errors on Update from Console
Post by: franco on October 16, 2023, 04:44:49 PM
Hi Ryan,

Can you post the full check for update from the GUI?

It's either that the date of the machine is wrong or there is a faulty chain inside the system: trust: authorities section. The option "Store intermediate" should be unchecked under System: Settings: General in order to rule out this issue.


Cheers,
Franco
Title: Re: Errors on Update from Console
Post by: OppyOppy on October 16, 2023, 07:32:25 PM
Franco,
Thanks for the response.
I neglected to mention that the GUI is BLANK except for the menu.  I've attached a PNG of the screen.
Below I've included the textual data that follows the initial authentication failure.  This may be superfluous since I'm failing auth, I presume the remaining actions would also fail.

Quote:
Fetching change log information, please wait... Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
33505417900032:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/sets/changelog.txz: Authentication error

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: y

Updating OPNsense repository catalogue...
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34927034368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34927034368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34927034368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34927034368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34927034368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34927034368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg-static: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34927034368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34927034368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34927034368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg-static: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/packagesite.pkg: Authentication error
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34927034368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34927034368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34927034368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg-static: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
Starting web GUI...done.
Generating RRD graphs...done.

I've rebooted the machine several times - newbie default action.  :-/

Thanks,
Ryan
Title: Re: Errors on Update from Console
Post by: franco on October 16, 2023, 07:46:00 PM
# opnsense-bootstrap -i

Approach: disk files damaged somehow so let's reinstall everything (keeping the current config in place). The "-i" is for insecure since the verification cannot proceed. Can audit for health later on.

And fingers crossed? :)


Cheers,
Franco
Title: Re: Errors on Update from Console
Post by: franco on October 16, 2023, 07:46:58 PM
Oh, in another German forum thread it was said this can happen when the disk is full... can you double check? Possibly /var/log exploding.


Cheers,
Franco
Title: Re: Errors on Update from Console
Post by: OppyOppy on October 16, 2023, 10:28:07 PM
Hi Franco,

When I executed
opnsense-bootstrap -i
the system returned a disk full error.

I poked around the system until I found the culprit - the DHCP logs filled up the disk. Not sure I understand why but it bears some looking into. Anyways, I removed the DHCP logs and then ran the bootstrap command again and the system rebuilt. After the reboot, all is back to normal!

Thanks for your help.

Ryan
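
The root cause found in this thread was a full disk rather than a bad certificate. As an added example (not part of the original posts, and not OPNsense code), this is one way to rule that out before falling back to an unverified `opnsense-bootstrap -i`. The function names, the 95% threshold and the sample `df -P` / `du -k` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag full filesystems and the largest log directories.

# Constructed sample of `df -P` output (not taken from the thread).
sample_df() {
cat <<'EOF'
Filesystem      1024-blocks     Used Available Capacity Mounted on
/dev/gpt/rootfs    15214556 14721508   -724116     105% /
devfs                     1        1         0     100% /dev
tmpfs               1048576      120   1048456       1% /tmp
EOF
}

# Read `df -P` output on stdin; print "mountpoint percent" for every
# filesystem at or above the threshold given as $1.
# devfs is skipped because it always reports 100%.
full_filesystems() {
  awk -v min="$1" '
    NR > 1 && $1 != "devfs" {
      pct = $5
      sub(/%/, "", pct)
      if (pct + 0 >= min) print $6, pct
    }'
}

# Read `du -k` output on stdin; print the $1 largest entries, biggest first.
largest_entries() {
  sort -k1,1nr | head -n "$1"
}

# Demonstration on the constructed sample. On a live system the same
# functions take real input:
#   df -P | full_filesystems 95
#   du -xk /var/log | largest_entries 5
sample_df | full_filesystems 95
```

A capacity above 100% is normal `df` behaviour once the reserved space is consumed, so the check compares numerically instead of matching the literal string `100%`.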
Title: Re: Errors on Update from Console
Post by: franco on October 17, 2023, 07:49:15 AM
Hi Ryan,

Happy to hear. I think I heard before that DHCP logs could fill up if you have stray devices which are constantly asking for a lease. It should be easy to identify the device from the logs causing the repeated messages.


Cheers,
Franco
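
Identifying the device behind the repeated messages, as suggested above, comes down to counting client requests per MAC address. The following is an added example, not part of the original posts. It assumes ISC dhcpd message wording (`DHCPDISCOVER from <mac> via <if>`), and the log lines, MAC addresses and function names are constructed.

```shell
#!/bin/sh
# Added example: rank DHCP clients by number of DISCOVER/REQUEST messages.

# Constructed sample log lines (not from the thread).
sample_log() {
cat <<'EOF'
2023-10-16T12:00:01 fw dhcpd[411]: DHCPDISCOVER from 02:00:00:aa:bb:01 via igb1
2023-10-16T12:00:01 fw dhcpd[411]: DHCPOFFER on 192.0.2.50 to 02:00:00:aa:bb:01 via igb1
2023-10-16T12:00:02 fw dhcpd[411]: DHCPDISCOVER from 02:00:00:aa:bb:01 via igb1
2023-10-16T12:00:03 fw dhcpd[411]: DHCPDISCOVER from 02:00:00:AA:BB:01 via igb1
2023-10-16T12:00:04 fw dhcpd[411]: DHCPREQUEST for 192.0.2.51 from 02:00:00:aa:bb:02 (laptop) via igb1
2023-10-16T12:00:04 fw dhcpd[411]: DHCPACK on 192.0.2.51 to 02:00:00:aa:bb:02 (laptop) via igb1
2023-10-16T12:00:05 fw dhcpd[411]: DHCPDISCOVER from 02:00:00:aa:bb:01 via igb1
EOF
}

# Read dhcpd log lines on stdin; print "count mac" per client, busiest first.
# Only client-originated messages are counted, so server replies
# (DHCPOFFER/DHCPACK) do not inflate the numbers.
top_dhcp_clients() {
  awk '
    /DHCPDISCOVER|DHCPREQUEST/ {
      for (i = 1; i < NF; i++) {
        mac = tolower($(i + 1))   # normalise case so one device is one key
        if ($i == "from" && length(mac) == 17 && mac ~ /^[0-9a-f:]+$/) {
          count[mac]++
          break
        }
      }
    }
    END { for (m in count) print count[m], m }
  ' | sort -k1,1nr -k2,2
}

# Print the MAC of the busiest client if it sent at least $1 messages.
noisiest_client() {
  top_dhcp_clients | awk -v min="$1" 'NR == 1 && $1 >= min { print $2 }'
}

# Demonstration on the constructed sample.
sample_log | top_dhcp_clients
```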
Title: Re: Errors on Update from Console
Post by: CJ on October 17, 2023, 02:36:24 PM
Quote from: franco on October 17, 2023, 07:49:15 AM
Hi Ryan,

Happy to hear. I think I heard before that DHCP logs could fill up if you have stray devices which are constantly asking for a lease. It should be easy to identify the device from the logs causing the repeated messages.


Cheers,
Franco

Didn't the logs rotate previously?  What was the reasoning behind removing that?
Title: Re: Errors on Update from Console
Post by: franco on October 17, 2023, 03:04:04 PM
They did not rotate. They were using circular buffer logging which used a fixed amount of memory in a single file, but it had other downsides (like e.g. not being supported in FreeBSD and garbage-collecting older log messages very quickly and not being able to handle large log sizes at the same time).


Cheers,
Franco
Title: Re: Errors on Update from Console
Post by: CJ on October 19, 2023, 03:50:28 PM
Quote from: franco on October 17, 2023, 03:04:04 PM
They did not rotate. They were using circular buffer logging which used a fixed amount of memory in a single file, but it had other downsides (like e.g. not being supported in FreeBSD and garbage-collecting older log messages very quickly and not being able to handle large log sizes at the same time).


Cheers,
Franco

Ah, that was what I was thinking of.