post upgrade updates fail with Certificate verification failure.

[Fright]

@franco yep, but I  don’t have enough imagination to suggest the configuration of the rules for @LogicEthos results )

@LogicEthos
can you share the

Code: [Select]

curl -v https://pkg.opnsense.orgresult and

pfctl -vss | grep :443

result right after curl? thanks

[LogicEthos]

I have just forced unbound to issue the IPV4 address, instead of the IPV6 address for pkg.opnsense.org
It now works!  ¯\_(ツ)_/¯

[LogicEthos]

This is what I looks like with IPV6 enabled.

Code: [Select]

root@OPNsense:~ # curl -v https://pkg.opnsense.org
*   Trying 2001:1af8:4f00:a005:5:::443...
* Connected to pkg.opnsense.org (2001:1af8:4f00:a005:5::) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /usr/local/etc/ssl/cert.pem
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=GB; ST=Hampshire; L=Southampton; O=LogicEthos; emailAddress=stuart@something.com; CN=LE-Cert
*  start date: Feb  4 14:48:04 2022 GMT
*  expire date: Mar  8 14:48:04 2023 GMT
* SSL: certificate subject name 'LE-Cert' does not match target host name 'pkg.opnsense.org'
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: certificate subject name 'LE-Cert' does not match target host name 'pkg.opnsense.org'
More details here: https://curl.se/docs/sslcerts.html

[Fright]

It now works!  ¯\_(ツ)_/¯

still not clear why the request with ipv6 is hitting the local port. perhaps the output of pfctl right after curl would help to understand.

[LogicEthos]

still not clear why the request with ipv6 is hitting the local port. perhaps the output of pfctl right after curl would help to understand.

It generates a lot of data.  This seems to be the relevant bit.

Code: [Select]

all tcp 2a02:my:ip:xxx::1[50482] -> 2001:1af8:4f00:a005:5::[443]       FIN_WAIT_2:FIN_WAIT_2

[Fright]

hm. no translation is visible.
the last idea is to try to trace requests to dst_port 443 in the firewall live log (with the default rules logging enabled in SYSTEM: SETTINGS: LOGGING)

[LogicEthos]

upload img

[Fright]

hm dont know what to say (is GUI listening on :443?). not translation is visible but there is no incoming hits on GUI either 

[maxim_al]

Running OPNsense as a VM on Virtualbox 6.1

Post upgrade I'm unable to check for package updates.

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.1 (amd64/OpenSSL) at Tue Oct  6 10:11:06 BST 2189
Fetching changelog information, please wait... Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34374492160:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify

I have the same problem.
For quite a long time everything worked fine and was updated. However, at some point in time I got the same error.
I read the topic, but did not understand whether the problem was solved and how or not.

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.1.3 (amd64/OpenSSL) at Mon Jun 27 10:33:54 +11 2022
Fetching changelog information, please wait... Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34374492160:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign