OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: cdn on September 17, 2025, 02:17:43 PM

Title: Certificate failure
Post by: cdn on September 17, 2025, 02:17:43 PM
Since using the latest business version of OPNsense, we cannot update Zenarmor:


Updating SunnyValley repository catalogue...
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg-static: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/meta.txz: Authentication error
repository SunnyValley has no meta file, using default settings
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg-static: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/packagesite.pkg: Authentication error
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg-static: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/packagesite.txz: Authentication error
Unable to update repository SunnyValley
Error updating repositories!

echo | openssl s_client -connect updates.zenarmor.net:443
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R4
verify return:1
depth=1 C = US, O = Google Trust Services, CN = WE1
verify return:1
depth=0 CN = zenarmor.net
verify return:1
---
Certificate chain
 0 s:CN = zenarmor.net
   i:C = US, O = Google Trust Services, CN = WE1
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256
   v:NotBefore: Aug 10 23:04:34 2025 GMT; NotAfter: Nov  9 00:04:29 2025 GMT
 1 s:C = US, O = Google Trust Services, CN = WE1
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R4
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R4
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 15 03:43:21 2023 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
Server certificate
subject=CN = zenarmor.net
issuer=C = US, O = Google Trust Services, CN = WE1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2827 bytes and written 406 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE

host updates.zenarmor.net
updates.zenarmor.net has address 104.26.13.173
updates.zenarmor.net has address 104.26.12.173
updates.zenarmor.net has address 172.67.74.209
updates.zenarmor.net has IPv6 address 2606:4700:20::681a:dad
updates.zenarmor.net has IPv6 address 2606:4700:20::ac43:4ad1
updates.zenarmor.net has IPv6 address 2606:4700:20::681a:cad

cat /etc/resolv.conf
domain DOMAIN
nameserver 127.0.0.1
nameserver 1.1.1.1
nameserver 8.8.8.8

Title: Re: Certificate failure
Post by: sy on September 17, 2025, 02:35:19 PM
Hi,

Did you check the system date and time?

Title: Re: Certificate failure
Post by: cdn on September 17, 2025, 04:01:19 PM
Sure. Time and date are okay.