OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of toe »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - toe

Pages: [1]
1
General Discussion / Re: [Fixed] Certificate issue for pkg.opnsense.org
« on: February 21, 2024, 12:56:57 am »
Quote from: bmt on February 18, 2024, 08:30:50 am
Hi, could you elaborate on what you did to fix this? (...)
Nothing. After some time (less than an hour, I think) it worked again.

Quote from: newsense on February 18, 2024, 06:15:40 pm
And the time is correct on that FW ?
Haven't double-checked on the FW itself, but I ran the same commands (with the same result) on my laptop (where I confirmed time settings) and got the same errors with curl.

2
General Discussion / Single Interface, multiple WAN gateways
« on: February 15, 2024, 06:33:00 pm »
In my home setup, I have three Internet connections, but I'm tight on interfaces on my opnsense hardware, so I want to cover all three with one interface (re0, 192.168.178.3). Currently, I only use IPv4, but intend to change that at some point in the future. But future IPv6 should be irrelevant to this topic.

My Internet connections and gateways are:
  • Cable (1Gbit/s down, 50Mbit/s up): GW vodafone_kabel, 192.168.178.179
  • DSL (100Mbit/s down, 40Mbit/s up): GW ewe_dsl, 192.168.178.22
  • LTE (whatever cheap SIM card I currently got my hands on): GW teltonika, 192.168.178.14

Intuitively, I would add static routes through all 3 gateways and try to control traffic flow with metrics. But that's probably too simplistic. And didn't work either. The static routes get ignored, unless I do some workarounds like 0.0.0.0/1, 128.0.0.0/1 instead of actual default routes.

If I manually add routes on the CLI with route add default ..., it complains about the routes already existing, even though the routing table doesn't show them with netstat -4rn.

I could also turn re0 into a trunk, add dedicated VLANs for each of my three Internet uplinks and start treating them as individual interfaces on the opnsense side. But that seems to be overly complicated.

I've probably created a setup that is unintended from opnsense (or FreeBSD?) side, but from a pure networking perspective it makes sense to me to have a single Internet-facing... interface on the opnsense, then have three different WAN devices each with its own IP in the same network.

Any ideas where to continue troubleshooting?

3
General Discussion / Re: Certificate issue for pkg.opnsense.org
« on: February 15, 2024, 03:40:59 pm »
Looks like it is fixed now. pkg update and curl succeed again.

4
General Discussion / [Fixed] Certificate issue for pkg.opnsense.org
« on: February 15, 2024, 03:11:49 pm »
The newly issued certificate has some trust issues. Firefox accepts it fine, but pkg, curl and openssl on opnsense 23.7 don't like the new cert.

Code: [Select]
$ sudo pkg update
Updating OPNsense repository catalogue...
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/packagesite.pkg: Authentication error
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!

Code: [Select]
$ curl https://pkg.opnsense.org
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
When I started seeing the issues, the current certificate was only a couple of minutes old (by now, it's at about 30 minutes).
Code: [Select]
$ echo Q | openssl s_client -connect pkg.opnsense.org:443 2>/dev/null | openssl x509 -subject -issuer -startdate -enddate -ext subjectAltName -noout
subject=CN = pkg.opnsense.org
issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign GCC R3 DV TLS CA 2020
notBefore=Feb 15 13:35:28 2024 GMT
notAfter=Mar 18 13:35:27 2025 GMT
X509v3 Subject Alternative Name:
    DNS:pkg.opnsense.org

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2