OPNsense Forum

English Forums => 24.7, 24.10 Legacy Series => Topic started by: nongenericusername on April 16, 2025, 08:29:48 AM

Title: [SOLVED] Can't update from BE 24.10_7: Could not load CRL file
Post by: nongenericusername on April 16, 2025, 08:29:48 AM
I updated from version 24.4.3_1 to 24.10_7 with no issues. But if I try to update further I get the error message:

Could not authenticate the selected mirror.
(https://i.imgur.com/mv886xk.png)

and the following error:

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 24.10_7 at Wed Apr 16 08:10:15 CEST 2025
Fetching subscription information, please wait... Could not load CRL file /tmp/libfetch_crl.25041608
fetch: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/subscription: Authentication error
Fetching changelog information, please wait... Could not load CRL file /tmp/libfetch_crl.25041608
fetch: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
Could not load CRL file /tmp/libfetch_crl.25041608
Could not load CRL file /tmp/libfetch_crl.25041608
Could not load CRL file /tmp/libfetch_crl.25041608
Could not load CRL file /tmp/libfetch_crl.25041608
Could not load CRL file /tmp/libfetch_crl.25041608
Could not load CRL file /tmp/libfetch_crl.25041608
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Could not load CRL file /tmp/libfetch_crl.25041608
Could not load CRL file /tmp/libfetch_crl.25041608
Could not load CRL file /tmp/libfetch_crl.25041608
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/packagesite.pkg: Authentication error
Could not load CRL file /tmp/libfetch_crl.25041608
Could not load CRL file /tmp/libfetch_crl.25041608
Could not load CRL file /tmp/libfetch_crl.25041608
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
New version of pkg detected; it needs to be installed first.
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
    pkg: 1.19.2_2 -> 1.19.2_5

Number of packages to be upgraded: 1

4 MiB to be downloaded.
Could not load CRL file /tmp/libfetch_crl.25041608
Could not load CRL file /tmp/libfetch_crl.25041608
Could not load CRL file /tmp/libfetch_crl.25041608
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/All/pkg-1.19.2_5.pkg: Authentication error
***DONE***

The CRL file contains:

# [i] fetch certificate for https://opnsense-update.deciso.com
# [i] fetch CRL from http://cdp.rapidssl.com/RapidSSLTLSECCCAG1.crl
# [i] fetch CRL from http://crl3.digicert.com/DigiCertGlobalRootG3.crl

I tried the following things to no avail:

1.
System->Trust->Settings-> check Auto fetch CRL's

2.
rm /tmp/libfetch_crl.*

both resulted in the same error after trying to update from GUI again.

I'm not really sure what to do next and would need some help.

Thanks.
Title: Re: Can't update from BE 24.10_7: Could not load CRL file
Post by: newsense on April 16, 2025, 10:32:00 AM
Authentication error - most likely license expired OR time is off by more than 5 minutes on the device
Title: Re: Can't update from BE 24.10_7: Could not load CRL file
Post by: nongenericusername on April 16, 2025, 10:48:06 AM
Quote from: newsense on April 16, 2025, 10:32:00 AMAuthentication error - most likely license expired OR time is off by more than 5 minutes on the device

Hey newsense,

thanks for the reply.

Sadly that should not be the issue.
The device time is pretty spot on and the subscription key works if I try to access https://opnsense-update.deciso.com/$license_key/
Also the dashboard says that the device is licensed until later this year.

I want to add that I have this issue on two devices. Both were updated via the GUI from 24.4.3_1 to 24.10_7 and ran into this issue.
Title: Re: Can't update from BE 24.10_7: Could not load CRL file
Post by: franco on April 16, 2025, 11:07:18 AM
It appears your firewall fails/is prohibited to fetch

http://cdp.rapidssl.com/RapidSSLTLSECCCAG1.crl
http://crl3.digicert.com/DigiCertGlobalRootG3.crl

which is required for CRL checking to proceed.

Worst case fetch their PEM content and paste it into the files.

Since it could reach the update server to get the cert to know where the CRLs are I think this is a policy issue.


Cheers,
Franco
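A small diagnostic in the spirit of Franco's reply, as an added example that is not part of the original post or of the OPNsense project: it parses the `# [i] fetch ...` hint lines that libfetch leaves in `/tmp/libfetch_crl.*` (the three lines quoted above are embedded as a constructed sample), derives the host/port pairs an upstream firewall policy must allow, and tries to fetch each CRL so a blocked distribution point shows up explicitly instead of as a bare "Could not load CRL file". The hint-line format, and the function names `parse_hints`, `egress_rules` and `check_crls`, are assumptions made for this example; the fetcher is injectable so the check can be exercised offline.

```python
"""Derive the egress allowlist needed for CRL checking and verify reachability.

Added example, not OPNsense code. Parses libfetch's '# [i] fetch ...'
hint comments (format assumed from the lines quoted in the thread),
lists the host/port pairs a firewall policy must permit, and reports
which CRLs cannot be fetched.
"""
import re
import urllib.request
from urllib.error import URLError
from urllib.parse import urlsplit

# Constructed copy of the /tmp/libfetch_crl.* contents shown in the thread.
SAMPLE_HINTS = """\
# [i] fetch certificate for https://opnsense-update.deciso.com
# [i] fetch CRL from http://cdp.rapidssl.com/RapidSSLTLSECCCAG1.crl
# [i] fetch CRL from http://crl3.digicert.com/DigiCertGlobalRootG3.crl
"""

# Assumed hint-line format: "# [i] fetch certificate for <url>" / "# [i] fetch CRL from <url>"
HINT_RE = re.compile(r"^#\s*\[i\]\s*fetch\s+(certificate for|CRL from)\s+(\S+)", re.M)


def parse_hints(text):
    """Return (cert_urls, crl_urls) extracted from the hint comments."""
    certs, crls = [], []
    for kind, url in HINT_RE.findall(text):
        (certs if kind.startswith("certificate") else crls).append(url)
    return certs, crls


def egress_rules(urls):
    """Map URLs to the sorted (host, port) pairs a firewall policy must permit.

    CRL distribution points are normally plain HTTP on port 80, so a policy
    that only allows the HTTPS update server blocks them, which is exactly
    the failure mode discussed in this thread.
    """
    rules = set()
    for url in urls:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        rules.add((parts.hostname, port))
    return sorted(rules)


def default_fetch(url, timeout=10):
    """Fetch a URL over the network and return the body; raises on failure."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def check_crls(crl_urls, fetch=default_fetch):
    """Try to fetch every CRL; return {url: (ok, detail)}.

    ok is False with the error text when the CRL could not be loaded,
    which is what produces 'Could not load CRL file' in the update log.
    """
    results = {}
    for url in crl_urls:
        try:
            body = fetch(url)
            # A DER-encoded CRL starts with an ASN.1 SEQUENCE tag (0x30);
            # a PEM one starts with the X509 CRL header.
            looks_like_crl = body[:1] == b"\x30" or body.startswith(b"-----BEGIN X509 CRL-----")
            results[url] = (looks_like_crl, "%d bytes" % len(body))
        except (URLError, OSError) as exc:
            results[url] = (False, str(exc))
    return results


if __name__ == "__main__":
    certs, crls = parse_hints(SAMPLE_HINTS)
    print("update server(s):", certs)
    print("allow outbound to:", egress_rules(certs + crls))
    for url, (ok, detail) in check_crls(crls).items():
        print("OK  " if ok else "FAIL", url, detail)
```

Run it on the firewall itself (or on a host behind the same upstream policy) with the real hint file in place of `SAMPLE_HINTS`; a `FAIL` line for a CRL URL while the update server itself is reachable is the policy problem described above, and the `allow outbound to:` list is what the upstream firewall rules need to cover.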
Title: [SOLVED] Can't update from BE 24.10_7: Could not load CRL file
Post by: nongenericusername on April 22, 2025, 09:41:24 AM
Hello franco,

it was indeed a policy issue.
There was a policy of two upstream firewalls, which only allowed access to https://opnsense-update.deciso.com.

This worked until update 24.10_7, which required the mentioned access to rapidssl & digicert.

Title: Re: [SOLVED] Can't update from BE 24.10_7: Could not load CRL file
Post by: franco on April 22, 2025, 11:39:47 AM
Certification process is difficult sometimes.  The requirement to allow CRL checking for the update server SSL certificate seems like higher value than opening the firewall for "random CRL fetches". In most cases, however, these servers are in what is commonly considered a trusted part of the world, although in practice I think both sides have ups and downs.

For now, the CRL checking is mandatory on the business end and the development version to ensure it keeps working.


Cheers,
Franco