OPNsense Forum

English Forums => General Discussion => Topic started by: toe on February 15, 2024, 03:11:49 PM

Title: [Fixed] Certificate issue for pkg.opnsense.org
Post by: toe on February 15, 2024, 03:11:49 PM
The newly issued certificate has some trust issues. Firefox accepts it fine, but pkg, curl and openssl on OPNsense 23.7 don't like the new cert.

$ sudo pkg update
Updating OPNsense repository catalogue...
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/packagesite.pkg: Authentication error
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!


$ curl https://pkg.opnsense.org
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.


When I started seeing the issues, the current certificate was only a couple of minutes old (by now, it's at about 30 minutes).
$ echo Q | openssl s_client -connect pkg.opnsense.org:443 2>/dev/null | openssl x509 -subject -issuer -startdate -enddate -ext subjectAltName -noout
subject=CN = pkg.opnsense.org
issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign GCC R3 DV TLS CA 2020
notBefore=Feb 15 13:35:28 2024 GMT
notAfter=Mar 18 13:35:27 2025 GMT
X509v3 Subject Alternative Name:
    DNS:pkg.opnsense.org
Title: Re: Certificate issue for pkg.opnsense.org
Post by: toe on February 15, 2024, 03:40:59 PM
Looks like it is fixed now. pkg update and curl succeed again.
Title: Re: [Fixed] Certificate issue for pkg.opnsense.org
Post by: bmt on February 18, 2024, 08:30:50 AM
Hi, could you elaborate on what you did to fix this? I'm trying to establish if it's the same problem preventing me from updating as I get this error when trying:

"***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.7.12 at Sat Jan 21 04:03:41 SAST 2012
Fetching changelog information, please wait... Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
998479523840:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/sets/changelog.txz: Authentication error"
Title: Re: [Fixed] Certificate issue for pkg.opnsense.org
Post by: newsense on February 18, 2024, 06:15:40 PM
And the time is correct on that FW?
Title: Re: [Fixed] Certificate issue for pkg.opnsense.org
Post by: toe on February 21, 2024, 12:56:57 AM
Quote from: bmt on February 18, 2024, 08:30:50 AM
Hi, could you elaborate on what you did to fix this? (...)
Nothing. After some time (less than an hour, I think) it worked again.

Quote from: newsense on February 18, 2024, 06:15:40 PM
And the time is correct on that FW?
Haven't double-checked on the FW itself, but I ran the same commands (with the same result) on my laptop (where I confirmed time settings) and got the same errors with curl.
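
The clock check raised in the thread, as an added example that is not part of any forum post: it parses the notBefore/notAfter lines quoted in the first post and classifies a clock reading against that validity window, using the timestamp printed in bmt's update log as one input. The function names `parse_validity` and `clock_verdict` are illustrative assumptions.

```python
import re
from datetime import datetime, timezone, timedelta

# Output of `openssl x509 -startdate -enddate -noout`, as quoted in the first post.
OPENSSL_DATES = """\
notBefore=Feb 15 13:35:28 2024 GMT
notAfter=Mar 18 13:35:27 2025 GMT
"""

def parse_validity(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for key, value in re.findall(r"^(notBefore|notAfter)=(.+?)\s*$", text, re.M):
        # openssl prints e.g. "Feb 15 13:35:28 2024 GMT" (always GMT)
        ts = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
        found[key] = ts.replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]

def clock_verdict(now, not_before, not_after):
    """Classify a clock reading against the window; also return the gap."""
    if now.tzinfo is None:
        raise ValueError("clock reading must be timezone-aware")
    if now < not_before:
        return "not-yet-valid", not_before - now
    if now > not_after:
        return "expired", now - not_after
    return "ok", timedelta(0)

if __name__ == "__main__":
    nb, na = parse_validity(OPENSSL_DATES)
    # Clock shown in bmt's update log: Sat Jan 21 04:03:41 SAST 2012 (SAST = UTC+2).
    sast = timezone(timedelta(hours=2))
    log_clock = datetime(2012, 1, 21, 4, 3, 41, tzinfo=sast)
    for label, now in (("log clock", log_clock),
                       ("this machine", datetime.now(timezone.utc))):
        verdict, gap = clock_verdict(now, nb, na)
        print(f"{label}: {verdict} (outside window by {gap.days} days)")
```

A "not-yet-valid" verdict means the validity-date check fails for any certificate issued after the clock's date, whatever the state of the trust store; an "ok" verdict only rules the clock out.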