Messages - bill.gertz

#1
To anyone having the same problem I had with geolocation services using the wrong location for /48 and /64 blocks.

We had a problem where, whichever geolocation service HBO decided to use, our /48 assigned by HE is located in Ukraine. IPv4 would work fine, but the Samsung 7 Series television had no option to turn IPv6 on or off - it always set up a random non-EUI-64 global prefix address and would use that. I can't set a rule by assigned DHCPv6 or autogenerated EUI-64 address. The IPv6 address it uses changes with every reboot of the TV. I am forced to use the MAC address.

I can picture this software demon engineer in its den: "Never mind the standards, to hell with the DHCPv6 address, never mind the well-accepted EUI-64 address, we'll just go and use an IPv6 address that'll be assigned randomly at boot time. That will make life easier for no one." As it smiles evilly to itself.

The solution was to force a fallback to IPv4 by blocking IPv6 for just the television. We created a MAC address Alias and added a rule to the LAN interface for inbound packets blocking only IPv6.

Be gone, foul demon.

Magic - HBO streaming was forced back to IPv4, and streaming is now working again.
#2
I went through the same issue; you need to configure a route redistribution filter into OSPF from the local route table. OSPF does not allow Link State Advertisements (LSAs) to be filtered - it's not built into the protocol. That's why trying a prefix filter on an OSPF interface does not work. Rather, you configure route redistribution by specifying a Redistribution Map under Routing: OSPF. With this filter you can control which routes OSPF will receive and then pass on as LSAs.

So the details: this requires a Route Map that points to a Prefix List. WARNING: The interface is confusing at best, and simple errors like:

  • Using a space in the Route Map, or Prefix List name
  • Selecting two or more Prefix Lists for a Route Map
result in silent or obtuse errors. If you need to stop a route from being redistributed into OSPF, but accept others, you must set up multiple Prefix List entries using the same name with different Sequence Numbers.

I can confirm that this solution prevented routes from 10.69.x.x from being propagated into my connected routers.

The generated config looks like this:
router ospf
ospf router-id x.x.x.x
redistribute connected route-map No-Management-Routes
redistribute static route-map No-Management-Routes
passive-interface xn2
passive-interface xn3
passive-interface xn4
network x.x.0.0/24 area x.0.0.0
!
ip prefix-list Accept-Connected seq 10 deny 10.69.0.0/16 le 32
ip prefix-list Accept-Connected seq 11 permit 10.0.0.0/8 le 32
!
route-map No-Management-Routes permit 10
match ip address prefix-list Accept-Connected
!
Hope this helps!
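Added example (mine, not the poster's tooling): a small Python model of how the prefix list and route map in the post decide which routes are redistributed, so the sequence-number and implicit-deny behaviour described above can be checked offline before it is typed into the OPNsense GUI. The ge/le window follows the usual prefix-list convention (exact length when neither is given, le defaulting to 32 when only ge is set); the candidate routes fed to it are constructed.

```python
import ipaddress

def parse_prefix_lists(lines):
    """Group 'ip prefix-list NAME seq N permit|deny P/L [ge G] [le L]' lines by name, ordered by seq.
    Each entry becomes (seq, action, network, lo, hi): the route-length window the entry matches."""
    lists = {}
    for line in lines:
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"] or tok[3] != "seq":
            continue                                    # router ospf, route-map, '!' ...
        net = ipaddress.ip_network(tok[6])
        opts = dict(zip(tok[7::2], tok[8::2]))          # {'ge': '..', 'le': '..'} if present
        lo = int(opts.get("ge", net.prefixlen))
        hi = int(opts.get("le", net.max_prefixlen if "ge" in opts else net.prefixlen))
        lists.setdefault(tok[2], []).append((int(tok[4]), tok[5], net, lo, hi))
    return {name: sorted(es, key=lambda e: e[0]) for name, es in lists.items()}

def prefix_list_permits(entries, route):
    """Lowest matching seq decides; a route inside the entry prefix with a length in [lo, hi] matches.
    A route that matches no entry is implicitly denied."""
    for _seq, action, net, lo, hi in entries:
        if route.subnet_of(net) and lo <= route.prefixlen <= hi:
            return action == "permit"
    return False

def route_map_permits(route_map, lists, route):
    """route_map is [(action, prefix_list_name)] in entry order; implicit deny after the last entry."""
    for action, name in route_map:
        if prefix_list_permits(lists.get(name, []), route):
            return action == "permit"
    return False

# The prefix list and route map from the config in the post above.
CONFIG = [
    "ip prefix-list Accept-Connected seq 10 deny 10.69.0.0/16 le 32",
    "ip prefix-list Accept-Connected seq 11 permit 10.0.0.0/8 le 32",
]
ROUTE_MAP = [("permit", "Accept-Connected")]            # route-map No-Management-Routes permit 10

def redistribution_decisions(candidates, config=CONFIG, route_map=ROUTE_MAP):
    """Map each candidate route string to True (redistributed into OSPF) or False (filtered out)."""
    lists = parse_prefix_lists(config)
    return {r: route_map_permits(route_map, lists, ipaddress.ip_network(r)) for r in candidates}
```

Swapping the two sequence numbers makes the permit entry win first and lets 10.69.x.x through, which is the ordering mistake the post warns about.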
#3
@chemlud and Everyone,

Found my self-inflicted issue! :D

Had my own copy of acme.sh installed as /root/.acme.sh. As I was the developer for the acme.sh DNS01 MailinaBox DNSAPI, I used this copy during development of both the DNSAPI and the OPNsense glue code and content. Looks like that old configuration was being used instead of the OPNsense configured acme.sh.

Oh well, no good deed goes unpunished. Simply deleted this old directory at /root/.acme.sh and everything was right with the world.

For everyone else having issues after updating the Authority Certs to include a Fullchain Cert, then only to find the problem is resurrected after a reboot:

Check for and kill any stray copies of acme.sh you find and verify the Let's Encrypt config through OPNsense Web GUI.
#4
@chemlud

Thanks for your suggestion but it didn't help.

Recreated the LE Fullchain R3 Intermediate X1 Authority Cert as outlined earlier, and deleted the LE R3 Cert. Recreated the Web GUI Cert to reprime ACME.SH. Was then able to update the firmware to the LibreSSL Flavour.

Rebooted and tried another firmware update and:

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 21.7.3_3 (amd64/LibreSSL) at Fri Oct  1 14:07:17 CEST 2021
Fetching changelog information, please wait... Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
4034015752192:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: transfer timed out
Updating OPNsense repository catalogue...
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
455974096896:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
455974096896:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
455974096896:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
455974096896:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
455974096896:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
455974096896:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/libressl/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
455974096896:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
455974096896:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
455974096896:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/libressl/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

It made absolutely no difference. Again suspect something is deeply wrong with the repository configuration. Starting to dig into that. Setting back to OpenSSL as changing to LibreSSL made no difference.

By the way, found that repriming ACME.SH was not needed as I was able to check config status without repriming the authority certificates.

After reverting back to the OpenSSL Flavour and then resetting one of the ACME.SH certs to reprime the Authority Certificates and rebooting, the issue still comes back. Why on earth the repository seems to fall back on a long-dead cert that relies on the dead X3 Intermediate Authority is beyond my understanding at the moment. Very, very, very perplexed.
#5
@chemlud

Switched to LibreSSL, rebooted and:

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 21.7.3_3 (amd64/OpenSSL) at Fri Oct  1 13:53:06 CEST 2021
Fetching changelog information, please wait... Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
2368641363968:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
4369107513344:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
4369107513344:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
4369107513344:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
4369107513344:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
4369107513344:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
4369107513344:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/libressl/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
4369107513344:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
4369107513344:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
4369107513344:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/libressl/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

Made absolutely no difference. Suspect that something is deeply broken in the repository config. It seems I need to update the firmware first, but I cannot, as I cannot connect to the repository.

I've ordered a Chicken and an Egg from Amazon, I'll let you know...
#6
Sadly this still doesn't fix the problem - after reboot it comes back from the grave:

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 21.7.3_3 (amd64/OpenSSL) at Fri Oct  1 13:27:05 CEST 2021
Fetching changelog information, please wait... Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
4522656063488:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
2029010690048:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
2029010690048:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
2029010690048:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
2029010690048:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
2029010690048:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/latest/meta.txz: No address record
repository OPNsense has no meta file, using default settings
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
2029010690048:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
2029010690048:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

No use in trying to hack the /conf/config.xml as outlined by @mfedv at the top of this thread. After fully patching, the CA references all point to the correct LE R3 Cert. Something is deeply broken in the repository config.
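Added example (not from the thread): a Python pass over the fetch/pkg transcripts in posts #4 to #6 that collapses the repeated lines into the distinct failing CA subjects, OpenSSL reasons and repository URLs, then flags that the chain still anchors on DST Root CA X3, which expired on 30 September 2021, the day before these runs. The sample lines are a trimmed copy of the transcript above; the KNOWN_EXPIRED_ROOTS table is my own.

```python
import re
from collections import Counter

CA_FAIL = re.compile(r"Certificate verification failed for (?P<subject>/\S.*)$")
OPENSSL_ERR = re.compile(r"^\d+:error:(?P<code>[0-9A-F]+):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^:]+):")
FETCH_FAIL = re.compile(r"^(?:pkg|fetch): (?P<url>https?://\S+): (?P<error>.+)$")

# Roots known to have expired (my table); Let's Encrypt's old cross-sign root is the one this thread hits.
KNOWN_EXPIRED_ROOTS = {"DST Root CA X3": "2021-09-30"}

def cn_of(subject):
    """Pull the CN out of an OpenSSL-style '/O=.../CN=...' subject string."""
    m = re.search(r"/CN=([^/]+)", subject)
    return m.group(1).strip() if m else subject

def summarize_update_log(lines):
    """Fold a fetch/pkg transcript into the distinct failing CAs, OpenSSL reasons and URLs."""
    cas, reasons, urls = Counter(), Counter(), {}
    for line in lines:
        if m := CA_FAIL.search(line):            # may trail 'please wait...' on the same line
            cas[cn_of(m.group("subject"))] += 1
        elif m := OPENSSL_ERR.match(line):
            reasons[m.group("reason")] += 1
        elif m := FETCH_FAIL.match(line):
            urls[m.group("url")] = m.group("error")
    return {"failing_cas": dict(cas), "reasons": dict(reasons), "urls": urls}

def diagnose(summary):
    """Name the expired roots the failing chains anchor on, or say none is known."""
    hits = sorted(cn for cn in summary["failing_cas"] if cn in KNOWN_EXPIRED_ROOTS)
    if not hits:
        return "no known-expired root in the failing chains"
    return "chain still anchors on expired root(s): " + ", ".join(
        f"{cn} (expired {KNOWN_EXPIRED_ROOTS[cn]})" for cn in hits)

# Constructed sample: a trimmed copy of the transcript in the post above.
SAMPLE_LOG = [
    "Fetching changelog information, please wait... Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3",
    "4522656063488:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:",
    "fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig: Authentication error",
    "Updating OPNsense repository catalogue...",
    "Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3",
    "2029010690048:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:",
    "pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/latest/meta.txz: No address record",
    "Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3",
    "2029010690048:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:",
    "pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/latest/packagesite.txz: Authentication error",
]
```

Running the summary over a transcript taken after a fix tells you immediately whether the failing CN has changed or whether, as in the posts above, the same expired root is still being presented.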
#7
That was the trick but on Safari all that was required was to clear history for the last hour.

Perhaps this could be added to the notes *before* or rather at the top of the upgrade text stream?

Sure that was seen during integration and test before this rolled out.