OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: sewi on November 16, 2020, 03:44:16 pm

Title: Updating firmware fails due to certificate error
Post by: sewi on November 16, 2020, 03:44:16 pm
Hey there -

When trying to update my OPNsense installation (OPNsense 20.7-amd64), I get certificate errors:

Code:
# pkg update
Updating OPNsense repository catalogue...
SSL certificate subject doesn't match host opn.sense.nz
SSL certificate subject doesn't match host opn.sense.nz
SSL certificate subject doesn't match host opn.sense.nz
pkg: https://opn.sense.nz/FreeBSD:12:amd64/20.7/latest/meta.txz: Authentication error

Here's a curl to that URI:

Code:
# curl https://opn.sense.nz/FreeBSD:12:amd64/20.7/latest/packagesite.txz
curl: (60) SSL: no alternative certificate subject name matches target host name 'opn.sense.nz'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

When opening https://opn.sense.nz I get a certificate issued to cloud.computerfritze.net (see attached file), running a NextCloud installation, so the certificate rejection is legit.

Code:
# host opn.sense.nz
opn.sense.nz has address 85.214.164.108
opn.sense.nz has address 85.214.164.111
opn.sense.nz has address 85.214.164.113
opn.sense.nz has address 85.214.164.110
opn.sense.nz has address 85.214.163.76
opn.sense.nz has address 85.215.87.199
opn.sense.nz has IPv6 address 2a01:238:42d8:f300:8b23:ec47:1e30:aa9c
opn.sense.nz has IPv6 address 2a01:238:43e2:2d00:315c:85b7:ed77:1ae5
opn.sense.nz has IPv6 address 2a01:238:4363:4a00:ea69:e1e:6281:95fe
opn.sense.nz has IPv6 address 2a01:238:427b:8e00:81ca:d012:b06e:f0fd
opn.sense.nz has IPv6 address 2a01:238:4302:1d00:22d2:99da:2007:6f99
opn.sense.nz has IPv6 address 2a01:238:4215:c00:fca0:f2ae:3d66:3e7f
# host cloud.computerfritze.net
cloud.computerfritze.net has address 85.214.164.108
cloud.computerfritze.net mail is handled by 5 smtpin.rzone.de.


I can replicate that in the company network, as well as the home network, both using the Austrian A1 provider.
Nameservers are 8.8.8.8 and 8.8.4.4.

Any ideas?
Title: Re: Updating firmware fails due to certificate error
Post by: chemlud on November 16, 2020, 03:58:25 pm
Hello to OPNsense!

Which update server have you configured? I don't see any

https :///opn.sense.nz

or

https :///curl.haxx.se

here.

These servers don't look like legitimate update servers...
Title: Re: Updating firmware fails due to certificate error
Post by: sewi on November 16, 2020, 04:01:48 pm
Hi,

opn.sense.nz was what was configured by default (curl.haxx.se appears to be the official website of curl).
If I set it to anything else (currently using ServerBase AG in Zurich), updating works.

In the attachment is what my firmware page suggests (note the opn.sense.nz entry). Frankfurt is the closest location, so I picked that mirror. I haven't changed anything else about the updates, as far as I can remember.

I installed OPNsense from the "OPNsense-20.7-OpenSSL-dvd-amd64.iso.bz2" file, downloaded on Aug 21, 2020 8:38 CEST (SHA1: 98 56 39 c4 5c e4 1e 8d 5a f0 2b 9b 25 63 39 b5 6e d9 f4 7a).
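
Added example, not part of any post in this thread: the `host` output in the first post shows the mirror name resolving to many addresses, while `pkg` and `curl` only report on whichever address they happened to reach. The Python script below performs a verified TLS handshake against each resolved address separately, so a single address that presents another site's certificate stands out. All function names and the offline sample data (documentation addresses, `mirror.example`) are assumptions made for this example.

```python
import socket
import ssl
import sys

def resolve_all(host, port=443):
    """Every distinct A/AAAA address the local resolver returns for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def probe(addr, host, port=443, timeout=5.0):
    """Handshake with one address; chain and hostname are checked against host."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        # e.g. "Hostname mismatch, certificate is not valid for '<host>'."
        return "cert-error: " + exc.verify_message
    except OSError as exc:  # refused, timed out, or another TLS failure
        return "connect-error: " + str(exc)

def audit(host, resolver=resolve_all, prober=probe):
    """Map each resolved address to its individual probe result."""
    return {addr: prober(addr, host) for addr in resolver(host)}

def failing(results):
    """Addresses whose result is anything other than 'ok'."""
    return sorted(addr for addr, res in results.items() if res != "ok")

# Constructed stand-ins so the script also runs offline (documentation addresses).
def sample_resolver(host):
    return ["192.0.2.10", "192.0.2.11", "2001:db8::10"]

def sample_prober(addr, host):
    if addr == "192.0.2.11":
        return "cert-error: Hostname mismatch, certificate is not valid for '%s'." % host
    return "ok"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit(sys.argv[1])  # live check of the given hostname
    else:
        results = audit("mirror.example", sample_resolver, sample_prober)
    for addr, res in sorted(results.items()):
        print(addr, res)
    sys.exit(1 if failing(results) else 0)
```

Run with a hostname as the only argument for a live check; with no argument it prints the constructed sample result.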