OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: LogicEthos on September 30, 2021, 04:09:36 pm

Title: Unable to check for updates.
Post by: LogicEthos on September 30, 2021, 04:09:36 pm
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 21.7.3_1 (amd64/OpenSSL) at Thu Sep 30 14:07:04 UTC 2021
Fetching changelog information, please wait... Certificate verification failed for /C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense
4281915764736:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense
625717841920:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
I tried different mirrors.
Title: Re: Unable to check for updates.
Post by: franco on September 30, 2021, 04:12:33 pm
Looks like a proxy intercepting your TLS.


Cheers,
Franco
Title: Re: Unable to check for updates.
Post by: LogicEthos on September 30, 2021, 04:37:12 pm
Looks like it, yet from the LAN side there is no problem.  I tried using curl from shell, and it fails with "self signed certificate".
Title: Re: Unable to check for updates.
Post by: franco on September 30, 2021, 04:38:19 pm
Do you have transparent web proxy configured? Maybe you are slurping local firewall traffic onto proxy with port forward rule?


Cheers,
Franco
Title: Re: Unable to check for updates.
Post by: LogicEthos on September 30, 2021, 04:42:58 pm
No.

I don't remember there being a reboot, after the last update.  Maybe that's it.  I'll try that when things are quiet.

Thanks.
Title: Re: Unable to check for updates.
Post by: Taomyn on September 30, 2021, 05:07:45 pm
I got this just checking from the console and I don't have any proxy involved.


I did resolve the LE certificate stuff myself before the patch and also deleted the expired CA certificate from the firewall, could that be the cause?
Title: Re: Unable to check for updates.
Post by: franco on September 30, 2021, 05:22:43 pm
You need to delete both the expired root CA and the old intermediate ISRG Root X1 with SHA256: 6d99fb265eb1c5b3744765fcbc648f3cd8e1bffafdc4c2f99b9d47cf7ff1c24f


Cheers,
Franco
Title: Re: Unable to check for updates.
Post by: dcol on September 30, 2021, 05:24:45 pm
Same issue here. Those certs don't exist on my system.
Title: Re: Unable to check for updates.
Post by: QBANIN on September 30, 2021, 05:25:33 pm
I got this just checking from the console and I don't have any proxy involved.


I did resolve the LE certificate stuff myself before the patch and also deleted the expired CA certificate from the firewall, could that be the cause?

Same problem here.
Title: Re: Unable to check for updates.
Post by: dcol on September 30, 2021, 05:31:32 pm
Changed the mirror from default to dns-root.de and it worked. Must be an issue on the default mirror
Title: Re: Unable to check for updates.
Post by: mrpink on September 30, 2021, 05:33:30 pm
I'm also not able to update to get the latest fix for ACME:

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 21.7.3_1 (amd64/OpenSSL) at Thu Sep 30 17:29:13 CEST 2021
Fetching changelog information, please wait... Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
7292707495936:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***
Title: Re: Unable to check for updates.
Post by: dinguz on September 30, 2021, 05:54:40 pm
You can get around this by selecting an HTTP mirror instead of an HTTPS one, provided it has already synced the updates of course. I used WJComms and it worked.
Title: Re: Unable to check for updates.
Post by: KHE on September 30, 2021, 06:01:16 pm
Changed the mirror from default to dns-root.de and it worked. Must be an issue on the default mirror

https://mirror.dns-root.de has no LE cert. The issue seems to be with LE certs. That would also explain the failure of the DNS over TLS servers I saw this afternoon (unicast.censurfridns.dk, anycast.censurfridns.dk).
If I use dns-root.de I get the following:
Currently running OPNsense 21.7.3_1 (amd64/OpenSSL) at Thu Sep 30 17:58:32 CEST 2021
Fetching changelog information, please wait... Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
862769819648:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig: Authentication error
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.txz: .......... done
Processing entries: .......... done
OPNsense repository update completed. 767 packages processed.
Title: Re: Unable to check for updates.
Post by: Taomyn on September 30, 2021, 06:06:01 pm
Doesn't seem to matter what mirror I choose, it's the same every time  :'(
Title: Re: Unable to check for updates.
Post by: KHE on September 30, 2021, 06:12:33 pm
Doesn't seem to matter what mirror I choose, it's the same every time  :'(

Do you use other repositories? The one from @minugmail also has this issue. And if one repository is having issues, then the update is not possible via WebGUI.
Title: Re: Unable to check for updates.
Post by: Taomyn on September 30, 2021, 06:16:28 pm
Do you use other repositories? The one from @minugmail also has this issue. And if one repository is having issues, then the update is not possible via WebGUI.


Yes that must be it because I use their "os-unboundcustom-maxit" plug-in, and I notice all the plug-ins show as "(orphaned)" as well.
Title: Re: Unable to check for updates.
Post by: dcol on September 30, 2021, 06:18:17 pm
Probably has something to do with those certs that expired yesterday. Sure it will be fixed soon.
Title: Re: Unable to check for updates.
Post by: KHE on September 30, 2021, 06:31:36 pm
Just to share my solution:
I will wait for a fix for the LE certs, then I will add the 3rd party repos again.
Title: Re: Unable to check for updates.
Post by: human_usb on September 30, 2021, 06:46:56 pm
I'm getting this issue too, and had to flip to an HTTP mirror to upgrade. I don't have any custom repos installed.
Title: Re: Unable to check for updates.
Post by: logicaltech on September 30, 2021, 07:01:05 pm
Just to share my solution:
  • remove any 3rd party repos from /usr/local/etc/pkg/repos/
  • change either to a http mirror or to dns-root.de
  • update
I will wait for a fix for the LE certs, then I will add the 3rd party repos again.

I just tried your solution and that resolved the issue.  Thank you!
Title: Re: Unable to check for updates.
Post by: japtain.cack on September 30, 2021, 08:59:47 pm
I believe this is the issue:
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

I used the cloudflare CDN mirror which seemed to allow updates to work. A large portion of the internet, for TLS anyway, is broken right now until people update their root CAs. Blocklists are also broken due to the same reason I believe. DNS over TLS is also affected.

I was able to delete the LetsEncrypt CA, then regenerate the LE cert. It created a new cert under the new R3 CA properly. This fixed my UI/HAProxy issues, but you'll need to update all your settings that referenced the old cert. For instance under the opnsense settings for the web UI. However, some endpoints, like the update repo mirrors, seem to still be using expired root CAs in their cert chain. Nothing we can do until everyone updates their TLS certs.
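The chain-building situation the posts above describe, as an added example that is not part of this thread and not OPNsense or OpenSSL code: a local trust store that still holds the expired DST Root CA X3 and the cross-signed ISRG Root X1 (the certificate franco identifies by SHA256 6d99fb...) next to the self-signed ISRG Root X1, while the server keeps sending the cross-signed intermediate. Certificates are reduced to subject, issuer and expiry (signatures are modelled by name matching only); the expiry dates are those of the public Let's Encrypt certificates, while the leaf, the server name and the "now" timestamp are constructed. The model shows why a verifier that accepts only the first path it finds fails while one that tries alternative paths succeeds, and why removing the expired root and the cross-signed intermediate from the store lets even the first-path verifier succeed. Which policy a given OpenSSL build applies is not asserted here.

```python
"""Model of X.509 path building around the DST Root CA X3 expiry (2021-09-30).

Added example; not OPNsense, FreeBSD or OpenSSL code. Certificates carry only
subject / issuer / notAfter, so "issued by" means "issuer name matches subject".
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime
    label: str  # human-readable tag used in reported chains


def utc(*ymdhms):
    return datetime(*ymdhms, tzinfo=timezone.utc)


# Public Let's Encrypt hierarchy in autumn 2021 (expiry dates from the public certs).
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", utc(2021, 9, 30, 14, 1, 15),
                "DST Root CA X3 (expired root)")
ISRG_CROSS = Cert("ISRG Root X1", "DST Root CA X3", utc(2024, 9, 30, 18, 14, 3),
                  "ISRG Root X1 (cross-signed by DST Root CA X3)")
ISRG_SELF = Cert("ISRG Root X1", "ISRG Root X1", utc(2035, 6, 4, 11, 4, 38),
                 "ISRG Root X1 (self-signed root)")
R3 = Cert("R3", "ISRG Root X1", utc(2025, 9, 15, 16, 0, 0), "R3 (intermediate)")
# Constructed leaf: a mirror host name that does not exist, expiring later in 2021.
LEAF = Cert("pkg-mirror.example.invalid", "R3", utc(2021, 12, 1, 0, 0, 0), "leaf (constructed)")

SERVED = [R3, ISRG_CROSS]               # intermediates a server sends with the leaf
NOW = utc(2021, 9, 30, 16, 0, 0)        # constructed: the afternoon of the expiry

STORE_BEFORE_FIX = [DST_ROOT, ISRG_CROSS, ISRG_SELF]   # expired root + cross-sign still present
STORE_AFTER_FIX = [ISRG_SELF]                          # both removed, as advised in the thread


def is_self_signed(cert):
    return cert.subject == cert.issuer


def find_paths(leaf, served, store, max_depth=6):
    """Enumerate issuer paths from the leaf to a self-signed certificate in the store.

    Store candidates are tried before served ones ("trusted first"); the order in
    which paths are returned is the order a first-path-only verifier would see.
    """
    paths = []
    candidates = store + [c for c in served if c not in store]

    def walk(cert, path):
        if is_self_signed(cert):
            if cert in store:          # reached a trust anchor
                paths.append(path)
            return                     # a self-signed cert not in the store is a dead end
        if len(path) >= max_depth:
            return
        for cand in candidates:
            if cand.subject == cert.issuer and cand not in path:
                walk(cand, path + [cand])

    walk(leaf, [leaf])
    return paths


def check_path(path, now):
    """Return None if every certificate in the path is still valid, else the reason."""
    for cert in path:
        if now > cert.not_after:
            return f"{cert.label} expired on {cert.not_after:%Y-%m-%d %H:%M} UTC"
    return None


def verify(leaf, served, store, now, try_alternatives):
    """(ok, reason, chain labels). With try_alternatives=False only the first path counts."""
    paths = find_paths(leaf, served, store)
    if not paths:
        return False, "no path to a trusted root", []
    if not try_alternatives:
        paths = paths[:1]
    failures = []
    for path in paths:
        err = check_path(path, now)
        if err is None:
            return True, "ok", [c.label for c in path]
        failures.append(err)
    return False, "; ".join(failures), [c.label for c in paths[0]]


if __name__ == "__main__":
    for name, store, alt in [("before fix, first path only", STORE_BEFORE_FIX, False),
                             ("before fix, alternatives tried", STORE_BEFORE_FIX, True),
                             ("after fix, first path only", STORE_AFTER_FIX, False)]:
        ok, reason, chain = verify(LEAF, SERVED, store, NOW, alt)
        print(f"{name}: {'OK' if ok else 'FAIL'} ({reason})")
        print("   chain:", " <- ".join(chain))
```

The "before fix, first path only" case reproduces the symptom in the logs above: the only path the verifier considers ends at the expired DST Root CA X3, so the connection is rejected even though a valid path through the self-signed ISRG Root X1 exists. Dropping the expired root and the cross-signed intermediate from the store removes that path, and the first (and now only) path terminates at the valid root.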
Title: Re: Unable to check for updates.
Post by: japtain.cack on October 08, 2021, 12:38:03 am
I am now able to use the default mirror. No certificate issues appear anymore.