OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: cdn on September 17, 2025, 02:17:43 PM

Title: Certificate failure
Post by: cdn on September 17, 2025, 02:17:43 PM
Since using the latest business version of OPNsense, we cannot update Zenarmor:


Updating SunnyValley repository catalogue...
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg-static: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/meta.txz: Authentication error
repository SunnyValley has no meta file, using default settings
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg-static: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/packagesite.pkg: Authentication error
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg-static: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/packagesite.txz: Authentication error
Unable to update repository SunnyValley
Error updating repositories!

echo | openssl s_client -connect updates.zenarmor.net:443
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R4
verify return:1
depth=1 C = US, O = Google Trust Services, CN = WE1
verify return:1
depth=0 CN = zenarmor.net
verify return:1
---
Certificate chain
 0 s:CN = zenarmor.net
   i:C = US, O = Google Trust Services, CN = WE1
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256
   v:NotBefore: Aug 10 23:04:34 2025 GMT; NotAfter: Nov  9 00:04:29 2025 GMT
 1 s:C = US, O = Google Trust Services, CN = WE1
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R4
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R4
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 15 03:43:21 2023 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
Server certificate
subject=CN = zenarmor.net
issuer=C = US, O = Google Trust Services, CN = WE1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2827 bytes and written 406 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE

host updates.zenarmor.net
updates.zenarmor.net has address 104.26.13.173
updates.zenarmor.net has address 104.26.12.173
updates.zenarmor.net has address 172.67.74.209
updates.zenarmor.net has IPv6 address 2606:4700:20::681a:dad
updates.zenarmor.net has IPv6 address 2606:4700:20::ac43:4ad1
updates.zenarmor.net has IPv6 address 2606:4700:20::681a:cad

cat /etc/resolv.conf
domain DOMAIN
nameserver 127.0.0.1
nameserver 1.1.1.1
nameserver 8.8.8.8
Title: Re: Certificate failure
Post by: sy on September 17, 2025, 02:35:19 PM
Hi,

Did you check the system date and time?
Title: Re: Certificate failure
Post by: cdn on September 17, 2025, 04:01:19 PM
Sure. Time and date are okay.
Title: Re: Certificate failure
Post by: dirtyfreebooter on September 18, 2025, 07:02:22 PM
I posted over here: https://forum.opnsense.org/index.php?topic=48962.0 but yeah, I am encountering the same issue.
Title: Re: Certificate failure
Post by: cdn on September 19, 2025, 11:54:55 AM
No one has an idea?
Title: Re: Certificate failure
Post by: Ometri on September 19, 2025, 12:39:23 PM
Can confirm this is also happening on the Business Mirror.
Title: Re: Certificate failure
Post by: sammycda on September 19, 2025, 06:15:27 PM
Same issue here. I tried both Danish and US repositories.
Title: Re: Certificate failure
Post by: dirtyfreebooter on September 19, 2025, 06:43:01 PM
Quote from: sammycda on September 19, 2025, 06:15:27 PM
Same issue here. I tried both Danish and US repositories.

I don't think the OPNsense mirrors have anything to do with the problem; the problem appears to be with the Zenarmor repo:
pkg-static: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/packagesite.txz: Authentication error
Title: Re: Certificate failure
Post by: charles.adams on September 20, 2025, 03:03:47 AM
Also having this error on 24.5.3 and trying all the commercial repos.
Title: Re: Certificate failure
Post by: sy on September 21, 2025, 06:20:11 AM
Hi all,

The issue has been identified and will be resolved on the repository server side. Thank you for your patience and understanding.
Title: Re: Certificate failure
Post by: Smove99 on September 21, 2025, 01:26:11 PM
Hi all!

Sorry, but I'm still having this problem with Business 25.4.3.
Does the fix need more time on the repository servers?

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 25.4.3 (amd64) at Sun Sep 21 13:19:38 CEST 2025
Strict TLS 1.3 and CRL checking is enabled.
Fetching subscription information, please wait... done
Fetching changelog information, please wait... done
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 908 packages processed.
Updating SunnyValley repository catalogue...
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020217E09280000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020217E09280000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020217E09280000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020217E09280000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020217E09280000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020217E09280000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/meta.txz: Authentication error
repository SunnyValley has no meta file, using default settings
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020217E09280000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020217E09280000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020217E09280000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/packagesite.pkg: Authentication error
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020217E09280000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020217E09280000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020217E09280000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/packagesite.txz: Authentication error
Unable to update repository SunnyValley
Error updating repositories!
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***
Title: Re: Certificate failure
Post by: dirtyfreebooter on September 22, 2025, 04:50:18 PM
This is still happening; I'm only replying because you said it was fixed server side.
Title: Re: Certificate failure
Post by: chrismccracken on September 22, 2025, 09:36:52 PM
It's pretty unacceptable to pay this much money for a product and the access to maintain it is down for over 4 days (and still counting).
Title: Re: Certificate failure
Post by: dirtyfreebooter on September 23, 2025, 12:59:56 AM
This also makes all the plugins and packages "orphaned", preventing you from adding or removing any other packages, even ones not related to Zenarmor. If we aren't going to get a fix, can we at least get updates? Like why it's not getting fixed or taking longer than expected, so we aren't left in the dark?


(https://i.imgur.com/Ot6voIC.png)
Title: Re: Certificate failure
Post by: sy on September 23, 2025, 03:18:48 PM
Hi all,

We are actively working on a solution. In the meantime, you can apply the following workaround to resolve the issue:

1. Log into the CLI as root.
2. Edit the files located at `/usr/local/etc/pkg/repos/SunnyValley.conf` and `/usr/local/etc/pkg/repos/SunnyValley.conf.sample`.
3. Replace "25.1" with "25.4" in both files.

After making this change, the URL should appear as follows: 

url: "https://updates.zenarmor.net/opnsense/${ABI}/25.4/latest",
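
The edit described in the workaround above, as an added example that is not part of the original post and not Zenarmor's own tooling: a POSIX sh script that keeps a `.bak` copy and rewrites the release segment on the `url:` line only. The function names (`switch_release`, `repo_url`, `sample_conf`) are hypothetical, and the sample repo file is constructed; only its `url:` value follows the thread.

```shell
#!/bin/sh
# Added example. Usage on the firewall (as root):
#   sh switch_release.sh 25.1 25.4 /usr/local/etc/pkg/repos/SunnyValley.conf \
#                                  /usr/local/etc/pkg/repos/SunnyValley.conf.sample
# Run without arguments to try it on a constructed sample file in a temp dir.

# switch_release OLD NEW FILE: back FILE up to FILE.bak, then replace the
# "/OLD/" path segment with "/NEW/" on url: lines only.
switch_release() {
    old=$1 new=$2 file=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    # Escape dots so "25.1" cannot match something like "25x1".
    old_re=$(printf '%s' "$old" | sed 's/\./\\./g')
    if ! grep -Eq "^[[:space:]]*url:.*/${old_re}/" "$file"; then
        echo "no url: line containing /$old/ in $file; left unchanged" >&2
        return 2
    fi
    cp -p "$file" "$file.bak" || return 1
    sed "/^[[:space:]]*url:/ s#/${old_re}/#/${new}/#" "$file.bak" > "$file" ||
        { cp -p "$file.bak" "$file"; return 1; }
}

# repo_url FILE: print the URL the repo file points at, to verify the edit.
repo_url() {
    sed -n 's/^[[:space:]]*url:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# sample_conf: constructed repo file; only the url: value matches the thread.
sample_conf() {
    cat <<'EOF'
SunnyValley: {
  # constructed sample, release 25.1
  url: "https://updates.zenarmor.net/opnsense/${ABI}/25.1/latest",
  enabled: yes
}
EOF
}

if [ "$#" -ge 3 ]; then
    from=$1 to=$2; shift 2
    for f in "$@"; do
        switch_release "$from" "$to" "$f" && echo "$f -> $(repo_url "$f")"
    done
else
    d=$(mktemp -d) && sample_conf > "$d/SunnyValley.conf" &&
        switch_release 25.1 25.4 "$d/SunnyValley.conf" &&
        repo_url "$d/SunnyValley.conf"
    rm -rf "$d"
fi
```

Copying each `.bak` file back over its original undoes the change.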

Title: Re: Certificate failure
Post by: dirtyfreebooter on September 23, 2025, 03:51:52 PM
Thanks. That fixed it for me.
Title: Re: Certificate failure
Post by: sy on September 23, 2025, 05:29:47 PM
Hi again,

The problem has been resolved. No changes are required on your part, and the update or installation should proceed smoothly.