All things HTTPS fail on (almost) freshly installed firewall

[jbattermann]

Good morning,

I have some odd behavior going on and I have no clue where it's coming from, so maybe someone has an idea. I installed OPNsense yesterday on a system and after some basic interface assignments, updates etc.. it appears to be oddly broken insofar as every https request from the system itself fails stating something like this, i.e. when just trying to retrieve a file from a remote webserver via https:

"[...]
root@jBFirewall:~ # curl https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/sets/changelog.txz
curl: (60) SSL: certificate subject name 'jbfirewall.home.local' does not match target host name 'pkg.opnsense.org'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
[..]"

Mind you, that certificate subject name is my OPNsense's hostname and I assume my OPNsense's web gui / self signed cert.


Something similar happens when I try to check for updates:

'[...]
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.7.4 at Fri Sep 15 10:42:13 PDT 2023
Fetching changelog information, please wait... SSL certificate subject doesn't match host pkg.opnsense.org
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
SSL certificate subject doesn't match host mirrors.nycbug.org
SSL certificate subject doesn't match host mirrors.nycbug.org
SSL certificate subject doesn't match host mirrors.nycbug.org
SSL certificate subject doesn't match host mirrors.nycbug.org
SSL certificate subject doesn't match host mirrors.nycbug.org
SSL certificate subject doesn't match host mirrors.nycbug.org
pkg: http://mirrors.nycbug.org/pub/opnsense/FreeBSD:13:amd64/23.7/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
SSL certificate subject doesn't match host mirrors.nycbug.org
SSL certificate subject doesn't match host mirrors.nycbug.org
SSL certificate subject doesn't match host mirrors.nycbug.org
pkg: http://mirrors.nycbug.org/pub/opnsense/FreeBSD:13:amd64/23.7/latest/packagesite.pkg: Authentication error
SSL certificate subject doesn't match host mirrors.nycbug.org
SSL certificate subject doesn't match host mirrors.nycbug.org
SSL certificate subject doesn't match host mirrors.nycbug.org
pkg: http://mirrors.nycbug.org/pub/opnsense/FreeBSD:13:amd64/23.7/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***
[..]"


It appears my local, self-signed web gui interface is calling remote https retrievals to fail.. but.. why? I have no captive portal active, no proxy or anything (as far as I can tell), so why is there a mismatch of certs / how does the local one get tangled up there?


Does anyone have any idea where something / I went wrong?

Thanks!

[Maurice]

OPNsense is connecting to its own webserver instead of the remote server. Probably either a DNS override or a port forward.

What does the connectivity audit say?
System: Firmware: Status: Run an audit

Cheers
Maurice

[jbattermann]

Hi Maurice,

thanks for the quick reply & yeah, seems like it.. even though I didn't configure either of those (explicitly). Anyway, audit output is the following:

***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 23.7.4 at Fri Sep 15 11:19:32 PDT 2023
Checking connectivity for host: mirror.sfo12.us.leaseweb.net -> 209.58.135.187
PING 209.58.135.187 (209.58.135.187): 1500 data bytes

--- 209.58.135.187 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv4): http://mirror.sfo12.us.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 854 packages processed.
All repositories are up to date.
Checking connectivity for host: mirror.sfo12.us.leaseweb.net -> 2605:fe80:2100:b001::5187
PING6(1548=40+8+1500 bytes) 2600:1700:50e7:XYZZ:XYZZ:XYZZ:XYZZ:XYZZ --> 2605:fe80:2100:b001::5187
1508 bytes from 2600:1700:50e7:XYZZ:XYZZ:XYZZ:XYZZ:XYZZ, icmp_seq=0 hlim=64 time=0.091 ms
1508 bytes from 2600:1700:50e7:XYZZ:XYZZ:XYZZ:XYZZ:XYZZ, icmp_seq=1 hlim=64 time=0.204 ms
1508 bytes from 2600:1700:50e7:XYZZ:XYZZ:XYZZ:XYZZ:XYZZ, icmp_seq=2 hlim=64 time=0.271 ms
1508 bytes from 2600:1700:50e7:XYZZ:XYZZ:XYZZ:XYZZ:XYZZ, icmp_seq=3 hlim=64 time=0.200 ms

--- 2605:fe80:2100:b001::5187 ping6 statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.091/0.191/0.271/0.064 ms
Checking connectivity for repository (IPv6): http://mirror.sfo12.us.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7
Updating OPNsense repository catalogue...
SSL certificate subject doesn't match host mirror.sfo12.us.leaseweb.net
SSL certificate subject doesn't match host mirror.sfo12.us.leaseweb.net
SSL certificate subject doesn't match host mirror.sfo12.us.leaseweb.net
SSL certificate subject doesn't match host mirror.sfo12.us.leaseweb.net
SSL certificate subject doesn't match host mirror.sfo12.us.leaseweb.net
SSL certificate subject doesn't match host mirror.sfo12.us.leaseweb.net
pkg: http://mirror.sfo12.us.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
SSL certificate subject doesn't match host mirror.sfo12.us.leaseweb.net
SSL certificate subject doesn't match host mirror.sfo12.us.leaseweb.net
SSL certificate subject doesn't match host mirror.sfo12.us.leaseweb.net
pkg: http://mirror.sfo12.us.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/packagesite.pkg: Authentication error
SSL certificate subject doesn't match host mirror.sfo12.us.leaseweb.net
SSL certificate subject doesn't match host mirror.sfo12.us.leaseweb.net
SSL certificate subject doesn't match host mirror.sfo12.us.leaseweb.net
pkg: http://mirror.sfo12.us.leaseweb.net/opnsense/FreeBSD:13:amd64/23.7/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
***DONE***

[Maurice]

DNS is okay, IPv4 connectivity is okay, IPv6 connectivity is not. A 0.2 ms ping indicates the echo requests never exit your network and something local responds to them.

Did you create any IPv6 firewall rules? Does IPv6 connectivity work in general?