Messages - dirtyfreebooter

#1
Zenarmor (Sensei) / Re: 25.10 ssl certs again?
October 15, 2025, 06:39:54 PM
in /usr/local/etc/pkg/repos/SunnyValley.conf i changed 25.7 to 25.10 and it seemed to get past the pkg update and allow the 2nd half of the 25.10 to continue
#2
Zenarmor (Sensei) / 25.10 ssl certs again?
October 15, 2025, 06:18:53 PM
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 25.10 (amd64) at Wed Oct 15 09:56:42 MDT 2025
Strict TLS 1.3 and CRL checking is enabled.
Fetching subscription information, please wait... done
Fetching changelog information, please wait... done
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 911 packages processed.
Updating SunnyValley repository catalogue...
pkg: Repository SunnyValley has a wrong packagesite, need to re-create database
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.7/${SUBSCRIPTION}/meta.txz: Authentication error
repository SunnyValley has no meta file, using default settings
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.7/${SUBSCRIPTION}/packagesite.pkg: Authentication error
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0840A562211A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.7/${SUBSCRIPTION}/packagesite.txz: Authentication error
Unable to update repository SunnyValley
Error updating repositories!
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***
#3
blocking ip 149.154.175.55. it's blocking all telegram.

#4
yea i guess i was hoping to be able to use N-series intel boxes, like N100/N150 or N-305/N-350 with Zenarmor + Wireguard at 1-2 Gbps. Wireguard is very good at going across cores, but Zenarmor will peg 1 cpu so you can't have both, Zenarmor + Wireguard, even though there is CPU leftover.

the whole businesses trying to use the home subscription is absolute bullsh*t. meanwhile, you get tons of free testing from home users. The whole SASE stuff, i don't care about any of that as a home user. i want to use low powered device without sacrificing my internet connection.

i picked up a UniFi Fiber gateway and $99/year Cybersecure subscription. This has come a long way in 1 year with regard to content filtering. It's still in pre-release software, but it's very close to Zenarmor in terms of content filtering, etc. Using suricata, content filter, is all multi-threaded, no limits, so this is getting interesting at least.

i prefer OPNsense as a router. zenarmor is nice, even with its upgrade warts. As a home user, i just want some decent content filtering, be able to use my full fiber home connection, and do it on the lowest possible power device. zenarmor makes this easy in some ways and extremely difficult in others.

#5
is it possible for unbound to support blocklist in this format or similar?

server:
local-zone: "doh.dns.apple.com." always_nxdomain
local-zone: "mask.apple-dns.net." always_nxdomain
local-zone: "mask.icloud.com." always_nxdomain
local-zone: "mask-h2.icloud.com." always_nxdomain
local-zone: "mask-api.icloud.com." always_nxdomain
local-zone: "use-application-dns.net." always_nxdomain

most blocking i want to return 0.0.0.0 but for a handful of domains, i want to return NXDOMAIN. right now i do this by putting a custom file in

/usr/local/etc/unbound.opnsense.d/
but that's not ideal as it doesn't get backed up or restored with normal config.xml tools. i would like to provide unbound with a custom URL for a blocklist that also specifies the response type, like NXDOMAIN instead of the global setting.
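One way a per-entry response type could be expressed, as an added example that is not part of the original post and not an OPNsense or Unbound feature: the list format (`<domain> [zero|nxdomain]`) and the function names are assumptions. A list fetched from a URL is untrusted input that ends up in resolver configuration, so entries that are not plain DNS names are rejected rather than written out.

```python
import re

# Assumed list format (hypothetical, not an OPNsense feature):
#   <domain> [zero|nxdomain]     action defaults to "zero" (answer 0.0.0.0)
LABEL = re.compile(r"(?!-)[a-z0-9_-]{1,63}(?<!-)")

def valid_domain(name):
    """Return the name as a lowercase FQDN, or None if it is not a plain DNS name."""
    name = name.rstrip(".").lower()
    if not name or len(name) > 253:
        return None
    if not all(LABEL.fullmatch(label) for label in name.split(".")):
        return None
    return name + "."

def render(blocklist_text):
    """Build an unbound include file; return (config_text, rejected_lines)."""
    out, rejected, seen = ["server:"], [], set()
    for raw in blocklist_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue  # blank line or comment
        fqdn = valid_domain(parts[0])
        action = parts[1].lower() if len(parts) > 1 else "zero"
        if fqdn is None or len(parts) > 2 or action not in ("zero", "nxdomain"):
            rejected.append(raw)  # never copy unvalidated text into the config
            continue
        if fqdn in seen:
            continue  # duplicate entry, first one wins
        seen.add(fqdn)
        if action == "nxdomain":
            out.append(f'local-zone: "{fqdn}" always_nxdomain')
        else:
            out.append(f'local-zone: "{fqdn}" redirect')
            out.append(f'local-data: "{fqdn} A 0.0.0.0"')
    return "\n".join(out) + "\n", rejected

# Constructed sample list; the last entry tries to smuggle in a directive.
SAMPLE = """\
ads.example.net
tracker.example.org zero
mask.icloud.com nxdomain
doh.dns.apple.com. NXDOMAIN   # trailing dot and upper case are normalised
ads.example.net
bad.example" always_nxdomain
"""

if __name__ == "__main__":
    config, rejected = render(SAMPLE)
    print(config, end="")
    print("rejected:", rejected)
```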
#6
Zenarmor (Sensei) / Re: Certificate failure
September 23, 2025, 03:51:52 PM
thx. that fixed it for me.
#7
Zenarmor (Sensei) / Re: Certificate failure
September 23, 2025, 12:59:56 AM
this also makes all the plugins and packages "orphaned", preventing you from adding or removing any other packages, even ones not related to zenarmor.. if we aren't going to get a fix, can we at least get updates? like why it's not getting fixed or taking longer than expected, so we aren't left in the dark?


#8
Zenarmor (Sensei) / Re: Certificate failure
September 22, 2025, 04:50:18 PM
this is still happening, i am only replying because you said it was fixed server side.
#9
Zenarmor (Sensei) / Re: Certificate failure
September 19, 2025, 06:43:01 PM
Quote from: sammycda on September 19, 2025, 06:15:27 PM
Same issue here. I tried both Danish and US repositories.

i don't think the opnsense mirrors have anything to do with the problem, the problem appears to be with the zenarmor repo
pkg-static: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/packagesite.txz: Authentication error
#11
Zenarmor (Sensei) / Re: Certificate failure
September 18, 2025, 07:02:22 PM
i posted over here: https://forum.opnsense.org/index.php?topic=48962.0 but yea i am encountering the same issue
#12
trying to check for updates.. i now get this. using the default business mirror.



***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 25.4.3 (amd64) at Thu Sep 18 08:14:58 MDT 2025
Strict TLS 1.3 and CRL checking is enabled.
Fetching subscription information, please wait... done
Fetching changelog information, please wait... done
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 908 packages processed.
Updating SunnyValley repository catalogue...
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/meta.txz: Authentication error
repository SunnyValley has no meta file, using default settings
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/packagesite.pkg: Authentication error
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020A1476E370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/packagesite.txz: Authentication error
Unable to update repository SunnyValley
Error updating repositories!
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

EDIT: i guess this is a problem with ZenArmor...
#13
been using opnsense for years now, i never had ACME cron renewal work. if i use the force option in the UI it renews. i keep meaning to look into it, but because the force works, i just move on until next time .. hah.
#14
Zenarmor (Sensei) / Re: Cannot allocate memory
May 27, 2025, 08:35:53 PM
if you set dev.netmap.buf_num > 1000000 does that even work? i tried that and got a message like 081.363854 [1363] netmap_config_obj_allocator requested objtotal 2000000 out of range [4, 1000000] which seems to set the actual buf_num to the default, not even 1000000...

i am using ixl driver on X710-DA2 with native netmap driver.
#15
Quote from: Cljackhammer on April 16, 2025, 12:59:25 PM
Apparently, you need a business license or higher for multi core support. This is laughable. In this day and age, charging for multi core support, seriously? Modern CPUs have had multiple cores for years. What software company charges for multi core support? NONE, except for Zenarmor you need to revisit your strategy. Multi core support is nothing novel or innovative. All modern software applications support it.

what. the whole reason i want multi-core support is so i can downgrade my home hardware to lower TDP cpu... ugh