OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: robert.haugen@gmail.com on September 18, 2025, 11:09:57 AM

Title: Telemetry status Failed to load widget - ETPRO Telemetry edition
Post by: robert.haugen@gmail.com on September 18, 2025, 11:09:57 AM
Hi,

Yesterday, "Telemetry status Failed to load widget" appeared. Using ETPRO Telemetry edition.

Using curl from OPNsense:
OPNsense:~ # curl -v https://opnsense.emergingthreats.net/api/v1/telemetry
* Host opnsense.emergingthreats.net:443 was resolved.
* IPv6: (none)
* IPv4: 72.12.200.25
*   Trying 72.12.200.25:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* closing connection #0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
Title: Re: Telemetry status Failed to load widget - ETPRO Telemetry edition
Post by: OPNefx on September 18, 2025, 12:26:49 PM
Hello, same problem here, but I don't understand how to fix it. Is some "how to" explanation available?
Title: Re: Telemetry status Failed to load widget - ETPRO Telemetry edition
Post by: meyergru on September 18, 2025, 01:12:02 PM
That is because curl does not trust the certificate for opnsense.emergingthreats.net, which is issued by Sectigo.

You can verify this via:

# curl -v https://opnsense.emergingthreats.net
* Host opnsense.emergingthreats.net:443 was resolved.
* IPv6: (none)
* IPv4: 72.12.200.25
*   Trying 72.12.200.25:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* closing connection #0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

IDK why it is not trusted, though, because the top-level issuer "Sectigo Public Server Authentication Root R46" CA seems to be present.
Title: Re: Telemetry status Failed to load widget - ETPRO Telemetry edition
Post by: robert.haugen@gmail.com on September 18, 2025, 02:27:23 PM
Quote from: meyergru on Today at 01:12:02 PM
That is because curl does not trust the certificate for opnsense.emergingthreats.net, which is issued by Sectigo.

You can verify this via:

# curl -v https://opnsense.emergingthreats.net
* Host opnsense.emergingthreats.net:443 was resolved.
* IPv6: (none)
* IPv4: 72.12.200.25
*   Trying 72.12.200.25:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* closing connection #0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

IDK why it is not trusted, though, because the top-level issuer "Sectigo Public Server Authentication Root R46" CA seems to be present.


Is the code that's handling the telemetry and signature trusting Sectigo?
Title: Re: Telemetry status Failed to load widget - ETPRO Telemetry edition
Post by: robert.haugen@gmail.com on September 18, 2025, 05:13:54 PM
An insecure fix:

Modify /usr/local/opnsense/scripts/suricata/lib/downloader.py
        if str(url).split(':')[0].lower() in ('http', 'https'):
            frm_url = url.replace('//', '/').replace(':/', '://')
            # stream to temp file
            if frm_url not in self._download_cache:
                req_opts = {
                    'url': frm_url,
                    'stream': True,
                    'verify': False  # disables TLS certificate verification for the download
                }

Modify

/usr/local/opnsense/scripts/etpro_telemetry

send_heartbeat.py
send_telemetry.py
sensor_info.py

parser.add_argument('-i', '--insecure', help='Insecure, skip certificate validation',
                    action="store_true", default=True)

Title: Re: Telemetry status Failed to load widget - ETPRO Telemetry edition
Post by: meyergru on September 18, 2025, 05:19:03 PM
Or wait until they fix their certificate, see: https://github.com/opnsense/plugins/issues/4943#issuecomment-3307339653
Title: Re: Telemetry status Failed to load widget - ETPRO Telemetry edition
Post by: Patrick M. Hausen on September 18, 2025, 05:26:01 PM
Wouldn't finding the Sectigo intermediate - surely they publish it somewhere in the docs for their cert customers like everyone does - and importing it into OPNsense help?
Title: Re: Telemetry status Failed to load widget - ETPRO Telemetry edition
Post by: viragomann on September 18, 2025, 05:46:21 PM
Seems, it's already on the server. I'm able to download it.
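
Added example, not part of any post in this thread: a constructed three-tier chain reproduces the error discussed above, where the root CA is trusted but verification still fails with "unable to get local issuer certificate" until the intermediate is supplied. It assumes the OpenSSL command-line tool; the function names and the subjects "Example Root", "Example Intermediate" and "example.test" are made up for illustration.

```shell
#!/bin/sh
# Constructed PKI: root -> intermediate -> leaf. All names are illustrative.

new_csr() {  # new_csr DIR NAME CN: fresh key plus certificate request
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_chain() {  # build_chain DIR: writes root.pem, inter.pem, leaf.pem
    # Extensions that mark a certificate as a CA
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$1/ca.ext"
    new_csr "$1" root "Example Root" || return 1
    new_csr "$1" inter "Example Intermediate" || return 1
    new_csr "$1" leaf "example.test" || return 1
    # Self-signed root
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
        -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null || return 1
    # Intermediate signed by the root
    openssl x509 -req -in "$1/inter.csr" -CA "$1/root.pem" \
        -CAkey "$1/root.key" -CAcreateserial -days 2 \
        -extfile "$1/ca.ext" -out "$1/inter.pem" 2>/dev/null || return 1
    # Leaf signed by the intermediate
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/inter.pem" \
        -CAkey "$1/inter.key" -CAcreateserial -days 2 \
        -out "$1/leaf.pem" 2>/dev/null
}

# Client trusts the root, but only the leaf is available: no path to the root.
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1
}

# Same trust store, intermediate supplied as an untrusted chain certificate.
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
        "$1/leaf.pem" 2>&1
}

work=$(mktemp -d)
build_chain "$work"
echo "root only:         $(verify_leaf_only "$work")"
echo "with intermediate: $(verify_with_intermediate "$work")"
rm -rf "$work"
```

Certificate verification stays enabled in both calls; the only thing that changes between them is whether the intermediate is available to build the path to the trusted root.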