Show posts
Messages - robert.haugen@gmail.com

#1
Add Sectigo Public Server Authentication CA OV R36 to

Save this as a file with a text editor: Sectigo Public Server Authentication CA OV R36.pem

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


Copy the file to /usr/share/certs/trusted/ (WinSCP...)
Symlink the file into /etc/ssl/certs

Reboot

It works!


This is a temporary fix until they get the cert for opnsense.emergingthreats.net fixed!
#2
An insecure fix:

Modify /usr/local/opnsense/scripts/suricata/lib/downloader.py:

        if str(url).split(':')[0].lower() in ('http', 'https'):
            frm_url = url.replace('//', '/').replace(':/', '://')
            # stream to temp file
            if frm_url not in self._download_cache:
                req_opts = {
                    'url': frm_url,
                    'stream': True,
                    'verify': False  # skips TLS certificate validation for every rule download
                }

Modify in /usr/local/opnsense/scripts/etpro_telemetry:

send_heartbeat.py
send_telemetry.py
sensor_info.py

    parser.add_argument('-i', '--insecure', help='Insecure, skip certificate validation',
                        action="store_true", default=True)  # --insecure becomes the default

#3
Quote from: meyergru on September 18, 2025, 01:12:02 PM
That is because curl does not trust the certificate for opnsense.emergingthreats.net, which is issued by Sectigo.

You can verify this via:

# curl -v https://opnsense.emergingthreats.net
* Host opnsense.emergingthreats.net:443 was resolved.
* IPv6: (none)
* IPv4: 72.12.200.25
*   Trying 72.12.200.25:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* closing connection #0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

IDK why it is not trusted, though, because the top-level issuer "Sectigo Public Server Authentication Root R46" CA seems to be present.


Is the code that's handling the telemetry and signature trusting Sectigo?
#4
Hi,

Yesterday, "Telemetry status - Failed to load widget" appeared. Using the ETPRO Telemetry edition.

Using curl from OPNsense:
OPNsense:~ # curl -v https://opnsense.emergingthreats.net/api/v1/telemetry
* Host opnsense.emergingthreats.net:443 was resolved.
* IPv6: (none)
* IPv4: 72.12.200.25
*   Trying 72.12.200.25:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* closing connection #0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
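The four posts above describe one failure and three reactions to it: curl's "unable to get local issuer certificate" (#3 and #4), a client-side workaround that adds the Sectigo OV R36 intermediate to the local trust store (#1), and a workaround that switches certificate validation off with verify: False and --insecure (#2). The script below is an added example, not code from the thread or from OPNsense. It reproduces the exact error with a throwaway root/intermediate/leaf chain generated locally (the CA names are constructed, all keys are throwaway, the leaf CN only reuses the hostname from the thread) and then shows the two fixes that keep validation on: -untrusted stands in for the certificates a server hands over during the handshake, and the augmented store mirrors post #1. It needs only the openssl command-line tool and a POSIX shell.

```sh
#!/bin/sh
# Added example (not from the forum thread): reproduce curl's error 60 /
# OpenSSL error 20 "unable to get local issuer certificate" with a constructed
# three-tier chain, then show the two fixes that keep verification enabled.
# "Example Root CA" and "Example Intermediate CA" are made-up names.
set -eu

# Build root -> intermediate -> leaf in directory $1 (throwaway keys, 2 days).
# Extensions are read from files so the result is the same on OpenSSL 1.1.1
# and 3.x; key generation noise on stderr is silenced.
make_chain() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:opnsense.emergingthreats.net\n' > "$dir/leaf.ext"

    # Root CA, self-signed (the "R46"-style trust anchor every store has).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj '/CN=Example Root CA (constructed)' \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -set_serial 1 \
        -days 2 -sha256 -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

    # Intermediate CA, signed by the root (the "OV R36"-style issuer).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj '/CN=Example Intermediate CA (constructed)' \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -set_serial 2 -days 2 -sha256 -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null

    # Server (leaf) certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj '/CN=opnsense.emergingthreats.net' \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -set_serial 3 -days 2 -sha256 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# 1. Store holds only the root, server sends only the leaf: the chain cannot be
#    built past depth 1. Prints "error 20 ... unable to get local issuer
#    certificate" and exits non-zero, which is what curl reports as error 60.
verify_root_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem"
}

# 2. The server-side fix: the intermediate travels with the handshake (modelled
#    here with -untrusted). The root alone in the store is then sufficient.
verify_with_sent_intermediate() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem"
}

# 3. The client-side workaround from post #1: the intermediate is added to the
#    trust store next to the root. Verification stays fully enabled.
verify_with_augmented_store() {
    cat "$1/root.pem" "$1/inter.pem" > "$1/store.pem"
    openssl verify -CAfile "$1/store.pem" "$1/leaf.pem"
}

# Run the three checks when invoked as: sh chain-demo.sh run
if [ "${1:-}" = run ]; then
    D=$(mktemp -d)
    make_chain "$D"
    echo '--- root only in store, intermediate not sent:'
    verify_root_only "$D" || echo "exit status $? (curl shows this as error 60)"
    echo '--- intermediate sent by the server:'
    verify_with_sent_intermediate "$D"
    echo '--- intermediate added to the local store:'
    verify_with_augmented_store "$D"
    rm -rf "$D"
fi
```

Against the real host, openssl s_client -connect opnsense.emergingthreats.net:443 -servername opnsense.emergingthreats.net -showcerts </dev/null lists the certificates the server actually presents. If only the leaf is there, the root in /usr/share/certs/trusted cannot be reached and the chain fails at depth 1 exactly as in case 1, which is why adding the intermediate locally works and why turning verification off, as in post #2, is never required to get past this error.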
#5
It is significant.
#6
General Discussion / Re: Change IAID on WAN interface.
August 08, 2025, 05:18:28 PM
Thank you so much @meyergru

It works. My ISP Altibox is just banning me for a week when "Prevent release" on WAN is not ticked.

Ended up with this config.
#7
Spun up an OPNsense test instance. Same issue there.
#8
Hi.

I have two OPNsense installations. The CPUs peak every 10 seconds. It was like that on 25.1 and is the same on 25.7.

#9
Thanks :-)

I am still having problems with getting IPv6 address from my ISP Altibox.

Could there be some throttling of Solicit messages?

Have used IAID = 2 before. The DUID is

DHCPv6
    Message type: Solicit (1)
    Transaction ID: 0xc5c7f8
    Client Identifier
        Option: Client Identifier (1)
        Length: 10
        DUID: 00030001b8d5XXXXXXXX
        DUID Type: link-layer address (3)
        Hardware type: Ethernet (1)
        Link-layer address: b8:d5:XX:XX:XX:XX
        Link-layer address (Ethernet): ZyxelCommuni_XX:XX:XX (b8:d5:XX:XX:XX:XX)
    Identity Association for Non-temporary Address
        Option: Identity Association for Non-temporary Address (3)
        Length: 12
        IAID: 00000002
        T1: 0
        T2: 0
    Rapid Commit
        Option: Rapid Commit (14)
        Length: 0
    Elapsed time
        Option: Elapsed time (8)
        Length: 2
        Elapsed time: 3330ms
    Option Request
        Option: Option Request (6)
        Length: 4
        Requested Option code: DNS recursive name server (23)
        Requested Option code: Domain Search List (24)
    Identity Association for Prefix Delegation
        Option: Identity Association for Prefix Delegation (25)
        Length: 41
        IAID: 00000002
        T1: 0
        T2: 0
        IA Prefix
#10
Quote from: meyergru on May 31, 2025, 04:47:56 PM
You can set that under Interfaces: WAN -> "DHCPv6 client configuration" -> "Advanced" tab -> "Prefix Delegation" -> "id-assoc pd ID"
Thanks.

When I switch to Advanced,
I can't find where to set:

Prefix delegation size
and
Send prefix hint
#11
Hi,

Anyone know how to change IAID on WAN interface ?

Looks like OPNsense uses IAID=0 on WAN by default.

Mikrotik gives
lo interface IAID=1
First Interface IAID=2
Second Interface IAID=3
#12
23.7 Legacy Series / Re: DUID-LL generation
August 16, 2023, 08:54:08 PM

Thanks Maurice :-) :) :)
#13
23.7 Legacy Series / DUID-LL generation
August 12, 2023, 08:15:34 AM
Hello.

According to my knowledge, the DUID-LL value is generated on the basis of the MAC address. Today, when I clicked "Insert a new LL DUID", a new "DHCP Unique Identifier" was generated. The MAC address has not changed. Shouldn't this value be the same every time?
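The Solicit capture in #9 above shows a DUID-LL (type 3, hardware type 1, then the MAC), and #13 asks whether regenerating it for an unchanged MAC should yield the same value. As an added example, not code from the thread or from OPNsense, the functions below build and decode the two link-layer based DUID types of RFC 8415: DUID-LLT (type 1, section 11.2) and DUID-LL (type 3, section 11.4). The MAC 02:00:5e:00:53:01 is constructed. The contrast is the point: DUID-LL is a pure function of the hardware type and MAC, while DUID-LLT also carries the generation time (seconds since 2000-01-01 UTC, modulo 2^32), so only the first is stable across regenerations. Which of the two a given "Insert a new LL DUID" action produces is not something this page shows.

```sh
#!/bin/sh
# Added example, not from the thread: build and decode DHCPv6 DUIDs by hand.
# The MAC used in the usage lines is constructed (locally administered).
set -eu

EPOCH_2000=946684800   # 2000-01-01T00:00:00Z, the DUID-LLT time base (RFC 8415 11.2)

# Normalise "aa:bb:cc:dd:ee:ff" or "AA-BB-..." to 12 lowercase hex digits.
mac_hex() {
    printf '%s' "$1" | sed 's/[:-]//g' | tr 'A-F' 'a-f'
}

# DUID-LL (type 3): 0003 | hardware type 0001 (Ethernet) | MAC.
# A pure function of the MAC: same interface, same DUID, every time.
duid_ll() {
    printf '00030001%s\n' "$(mac_hex "$1")"
}

# DUID-LLT (type 1): 0001 | hardware type 0001 | 32-bit time | MAC.
# $2 is a Unix timestamp of the generation moment, so the output is
# reproducible here; a real client uses "now", hence a new value each time.
duid_llt() {
    t=$(( ($2 - EPOCH_2000) % 4294967296 ))
    printf '00010001%08x%s\n' "$t" "$(mac_hex "$1")"
}

# Decode a hex DUID into "type=<n> hw=<n> [time=<unix>] mac=<aa:bb:...>".
# Other DUID types (EN, UUID) are reported by number only.
duid_decode() {
    hex=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    type=$((0x$(printf '%s' "$hex" | cut -c1-4)))
    case $type in
        3)  hw=$((0x$(printf '%s' "$hex" | cut -c5-8)))
            mac=$(printf '%s' "$hex" | cut -c9- | sed 's/../&:/g; s/:$//')
            printf 'type=3 hw=%d mac=%s\n' "$hw" "$mac" ;;
        1)  hw=$((0x$(printf '%s' "$hex" | cut -c5-8)))
            t=$((0x$(printf '%s' "$hex" | cut -c9-16)))
            mac=$(printf '%s' "$hex" | cut -c17- | sed 's/../&:/g; s/:$//')
            printf 'type=1 hw=%d time=%d mac=%s\n' "$hw" "$((t + EPOCH_2000))" "$mac" ;;
        *)  printf 'type=%d (not link-layer based)\n' "$type" ;;
    esac
}

# Usage: sh duid-demo.sh run
if [ "${1:-}" = run ]; then
    duid_ll  '02:00:5e:00:53:01'                 # 0003000102005e005301, always
    duid_llt '02:00:5e:00:53:01' "$(date +%s)"   # changes with every run
    duid_decode 0003000102005e005301
fi
```

To read a captured DUID such as the one in #9, paste its hex into duid_decode; a type 3 result means the value must match duid_ll of the interface MAC, while a type 1 result explains a different value on every regeneration.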