Messages - toe

#1
Quote from: bmt on February 18, 2024, 08:30:50 AM
Hi, could you elaborate on what you did to fix this? (...)
Nothing. After some time (less than an hour, I think) it worked again.

Quote from: newsense on February 18, 2024, 06:15:40 PM
And the time is correct on that FW?
Haven't double-checked on the FW itself, but I ran the same commands (with the same result) on my laptop (where I confirmed time settings) and got the same errors with curl.
#2
In my home setup, I have three Internet connections, but I'm tight on interfaces on my opnsense hardware, so I want to cover all three with one interface (re0, 192.168.178.3). Currently, I only use IPv4, but intend to change that at some point in the future. But future IPv6 should be irrelevant to this topic.

My Internet connections and gateways are:

  • Cable (1Gbit/s down, 50Mbit/s up): GW vodafone_kabel, 192.168.178.179
  • DSL (100Mbit/s down, 40Mbit/s up): GW ewe_dsl, 192.168.178.22
  • LTE (whatever cheap SIM card I currently got my hands on): GW teltonika, 192.168.178.14

Intuitively, I would add static routes through all 3 gateways and try to control traffic flow with metrics. But that's probably too simplistic. And it didn't work either. The static routes get ignored, unless I do some workarounds like 0.0.0.0/1, 128.0.0.0/1 instead of actual default routes.

If I manually add routes on the CLI with route add default ..., it complains about the routes already existing, even though the routing table doesn't show them with netstat -4rn.

I could also turn re0 into a trunk, add dedicated VLANs for each of my three Internet uplinks and start treating them as individual interfaces on the opnsense side. But that seems to be overly complicated.

I've probably created a setup that is unintended from opnsense (or FreeBSD?) side, but from a pure networking perspective it makes sense to me to have a single Internet-facing... interface on the opnsense, then have three different WAN devices each with its own IP in the same network.

Any ideas where to continue troubleshooting?
#3
Looks like it is fixed now. pkg update and curl succeed again.
#4
The newly issued certificate has some trust issues. Firefox accepts it fine, but pkg, curl and openssl on opnsense 23.7 don't like the new cert.

$ sudo pkg update
Updating OPNsense repository catalogue...
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/packagesite.pkg: Authentication error
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=pkg.opnsense.org
35070709760:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!


$ curl https://pkg.opnsense.org
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.


When I started seeing the issues, the current certificate was only a couple of minutes old (by now, it's at about 30 minutes).
$ echo Q | openssl s_client -connect pkg.opnsense.org:443 2>/dev/null | openssl x509 -subject -issuer -startdate -enddate -ext subjectAltName -noout
subject=CN = pkg.opnsense.org
issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign GCC R3 DV TLS CA 2020
notBefore=Feb 15 13:35:28 2024 GMT
notAfter=Mar 18 13:35:27 2025 GMT
X509v3 Subject Alternative Name:
    DNS:pkg.opnsense.org
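Added example, not part of this thread: the two explanations raised above, an incomplete chain (curl's error 60 means the verifier found no issuer for some certificate, typically a missing intermediate or a trust store without the root) and a client clock that is behind a freshly issued certificate's notBefore, produce different openssl error strings, and both can be reproduced offline against a constructed chain. The names pkg.example.test, "Example Root CA" and "Example Intermediate CA" are made up, and openssl 1.1.1 or later is assumed to be on PATH.

```shell
#!/bin/sh
# Constructed root -> intermediate -> leaf chain for the made-up name
# pkg.example.test, used to reproduce the failure classes discussed above.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:pkg.example.test\n' > leaf.ext

# mkcsr NAME SUBJECT-CN: fresh RSA key plus CSR, written to NAME.key / NAME.csr
mkcsr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}
mkcsr root "Example Root CA"
mkcsr int  "Example Intermediate CA"
mkcsr leaf pkg.example.test
# Self-signed root, intermediate signed by the root, leaf signed by the intermediate.
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.pem 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 -extfile ca.ext -out int.pem 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null

# verify_reason LEAF ROOT [INTERMEDIATE] [EPOCH]
# Verifies LEAF trusting only ROOT, as a client with that root in its store
# would. INTERMEDIATE, if given, is offered as untrusted chain material (what a
# correctly configured server sends in the handshake). EPOCH, if given, is
# passed as -attime so the check runs as seen by a client whose clock reads it.
verify_reason() {
  extra=""
  [ -n "${3:-}" ] && extra="-untrusted $3"
  [ -n "${4:-}" ] && extra="$extra -attime $4"
  if out=$(openssl verify -CAfile "$2" $extra "$1" 2>&1); then
    echo ok
    return 0
  fi
  case "$out" in
    *"unable to get local issuer certificate"*) echo missing-issuer ;;  # chain incomplete
    *"not yet valid"*)                            echo not-yet-valid ;;  # clock before notBefore
    *"has expired"*)                              echo expired ;;        # clock after notAfter
    *)                                            echo other ;;
  esac
}

now=$(date +%s)
echo "leaf, root only:               $(verify_reason leaf.pem root.pem)"
echo "leaf, root + intermediate:     $(verify_reason leaf.pem root.pem int.pem)"
echo "full chain, clock 1 day back:  $(verify_reason leaf.pem root.pem int.pem $((now - 86400)))"
echo "full chain, clock 60 days on:  $(verify_reason leaf.pem root.pem int.pem $((now + 60 * 86400)))"
```

Against a live host the same distinction comes from `openssl s_client -connect host:443 -showcerts`, which shows how many certificates the server actually sends, and from `openssl verify -attime` with the firewall's own clock value.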