Errors on Update from Console

Started by OppyOppy, October 16, 2023, 04:17:36 PM

Selected Option 12 from SSH menu

Fetching change log information, please wait... Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
56577144918016:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/sets/changelog.txz: Authentication error

I've seen some references to replacing the certificate but am not comfortable doing this without some sort of confirmation.

Thanks in advance.

Ryan


Hi Ryan,

Can you post the full check for update from the GUI?

It's either that the date of the machine is wrong or there is a faulty chain inside the system: trust: authorities section. The option "Store intermediate" should be unchecked under System: Settings: General in order to rule out this issue.


Cheers,
Franco

Franco,
Thanks for the response.
I neglected to mention that the GUI is BLANK except for the menu. I've attached a PNG of the screen.
Below I've included the textual data that follows the initial authentication failure. This may be superfluous: since I'm failing auth, I presume the remaining actions would also fail.

Quote:
Fetching change log information, please wait... Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
33505417900032:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/sets/changelog.txz: Authentication error

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: y

Updating OPNsense repository catalogue...
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34927034368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34927034368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34927034368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34927034368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34927034368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34927034368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg-static: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34927034368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34927034368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34927034368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg-static: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/packagesite.pkg: Authentication error
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34927034368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34927034368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34927034368:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg-static: https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
Starting web GUI...done.
Generating RRD graphs...done.

I've rebooted the machine several times - newbie default action.  :-/

Thanks,
Ryan

# opnsense-bootstrap -i

Approach: disk files damaged somehow so let's reinstall everything (keeping the current config in place). The "-i" is for insecure since the verification cannot proceed. Can audit for health later on.

And fingers crossed? :)


Cheers,
Franco

Oh, in another German forum thread it was said this can happen when the disk is full... can you double check? Possibly /var/log exploding.


Cheers,
Franco

Hi Franco,

When I executed
opnsense-bootstrap -i
the system returned a disk full error.

I poked around the system until I found the culprit - the DHCP logs filled up the disk. Not sure I understand why but it bears some looking into. Anyways, I removed the DHCP logs and then ran the bootstrap command again and the system rebuilt. After the reboot, all is back to normal!

Thanks for your help.

Ryan

Hi Ryan,

Happy to hear. I think I heard before that DHCP logs could fill up if you have stray devices which are constantly asking for a lease. It should be easy to identify the device from the logs causing the repeated messages.


Cheers,
Franco
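
One way to find the device mentioned above, as an added example that is not part of the original posts: count DHCPDISCOVER/DHCPREQUEST lines per client MAC address. The sample lines are constructed in ISC dhcpd message format, and the function names and the log path in the comment are assumptions.

```shell
#!/bin/sh
# Added example: rank DHCP clients by how often they ask for a lease.

# Constructed sample in ISC dhcpd message format (not taken from the thread).
sample_log() {
cat <<'EOF'
Oct 16 10:00:01 fw dhcpd[4242]: DHCPDISCOVER from aa:bb:cc:00:00:01 via igb1
Oct 16 10:00:01 fw dhcpd[4242]: DHCPOFFER on 192.168.1.50 to aa:bb:cc:00:00:01 via igb1
Oct 16 10:00:02 fw dhcpd[4242]: DHCPDISCOVER from aa:bb:cc:00:00:01 via igb1
Oct 16 10:00:03 fw dhcpd[4242]: DHCPDISCOVER from aa:bb:cc:00:00:01 via igb1
Oct 16 10:00:04 fw dhcpd[4242]: DHCPREQUEST for 192.168.1.60 from aa:bb:cc:00:00:02 (laptop) via igb1
Oct 16 10:00:04 fw dhcpd[4242]: DHCPACK on 192.168.1.60 to aa:bb:cc:00:00:02 (laptop) via igb1
Oct 16 10:00:05 fw dhcpd[4242]: DHCPDISCOVER from aa:bb:cc:00:00:01 via igb1
Oct 16 10:00:06 fw dhcpd[4242]: DHCPREQUEST for 192.168.1.70 from aa:bb:cc:00:00:03 via igb1
Oct 16 10:00:07 fw dhcpd[4242]: DHCPDISCOVER from aa:bb:cc:00:00:01 via igb1
Oct 16 10:30:06 fw dhcpd[4242]: DHCPREQUEST for 192.168.1.70 from aa:bb:cc:00:00:03 via igb1
EOF
}

# Read dhcpd log lines on stdin, print "<count> <mac>" sorted by count (desc).
# Only client-originated messages are counted; the MAC is the token after "from".
dhcp_top_clients() {
  awk '
    /DHCPDISCOVER|DHCPREQUEST/ {
      for (i = 1; i < NF; i++)
        if ($i == "from") { count[$(i + 1)]++; break }
    }
    END { for (mac in count) print count[mac], mac }
  ' | sort -k1,1nr -k2,2
}

# Print only the MACs seen at least $1 times.
dhcp_noisy_clients() {
  dhcp_top_clients | awk -v t="$1" '$1 >= t { print $2 }'
}

# Demo on the constructed sample. On a live system, feed the real logs instead,
# e.g.: cat /var/log/dhcpd/*.log | dhcp_top_clients | head   (path is an assumption)
sample_log | dhcp_top_clients
```

Running `df -h /var/log` and `du -sk /var/log/* | sort -n` first shows whether the disk is full and which log directory is responsible.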

Quote from: franco on October 17, 2023, 07:49:15 AM
Hi Ryan,

Happy to hear. I think I heard before that DHCP logs could fill up if you have stray devices which are constantly asking for a lease. It should be easy to identify the device from the logs causing the repeated messages.


Cheers,
Franco

Didn't the logs rotate previously?  What was the reasoning behind removing that?

October 17, 2023, 03:04:04 PM #8 Last Edit: October 19, 2023, 08:29:18 PM by franco
They did not rotate. They were using circular buffer logging which used a fixed amount of memory in a single file, but it had other downsides (like e.g. not being supported in FreeBSD and garbage-collecting older log messages very quickly and not being able to handle large log sizes at the same time).


Cheers,
Franco

Quote from: franco on October 17, 2023, 03:04:04 PM
They did not rotate. They were using circular buffer logging which used a fixed amount of memory in a single file, but it had other downsides (like e.g. not being supported in FreeBSD and garbage-collecting older log messages very quickly and not being able to handle large log sizes at the same time).


Cheers,
Franco

Ah, that was what I was thinking of.