Unable to check for updates.

Started by LogicEthos, September 30, 2021, 04:09:36 PM

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 21.7.3_1 (amd64/OpenSSL) at Thu Sep 30 14:07:04 UTC 2021
Fetching changelog information, please wait... Certificate verification failed for /C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense
4281915764736:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense
625717841920:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:

I tried different mirrors.

Looks like a proxy intercepting your TLS.


Cheers,
Franco

Looks like it, yet from the LAN side there is no problem. I tried using curl from shell, and it fails with "self signed certificate".

Do you have a transparent web proxy configured? Maybe you are slurping local firewall traffic onto the proxy with a port forward rule?


Cheers,
Franco

No.

I don't remember there being a reboot after the last update. Maybe that's it. I'll try that when things are quiet.

Thanks.

I got this just checking from the console and I don't have any proxy involved.


I did resolve the LE certificate stuff myself before the patch and also deleted the expired CA certificate from the firewall. Could that be the cause?

You need to delete both the expired root CA and the old intermediate ISRG Root X1 with SHA256: 6d99fb265eb1c5b3744765fcbc648f3cd8e1bffafdc4c2f99b9d47cf7ff1c24f


Cheers,
Franco
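To locate a certificate by the SHA256 value given in the post above, this added example (not from the thread or the OPNsense project) fingerprints every certificate in a PEM bundle and reports the entries that match. The sample bundle is constructed from placeholder bytes, not real certificates, and the bundle path is whatever file you pass on the command line.

```python
import base64
import hashlib
import re
import sys

# SHA-256 fingerprint quoted in the thread for the old ISRG Root X1 intermediate.
OLD_ISRG_X1_SHA256 = "6d99fb265eb1c5b3744765fcbc648f3cd8e1bffafdc4c2f99b9d47cf7ff1c24f"

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def normalize(fp):
    """Accept 'AA:BB:...' (openssl style) or plain hex; return lowercase hex."""
    return fp.replace(":", "").replace(" ", "").strip().lower()

def bundle_fingerprints(pem_text):
    """Return the SHA-256 fingerprint of each certificate in a PEM bundle, in order."""
    prints = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # fingerprint is over the DER bytes
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def find_unwanted(pem_text, unwanted):
    """Return (index, fingerprint) for every bundle entry listed in `unwanted`."""
    targets = {normalize(fp) for fp in unwanted}
    return [(i, fp) for i, fp in enumerate(bundle_fingerprints(pem_text))
            if fp in targets]

def make_pem(der):
    """Wrap raw bytes in PEM armor (used only to build the constructed sample)."""
    b64 = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

# Constructed sample: placeholder bytes standing in for DER certificates.
SAMPLE_DER = [b"constructed-cert-A" * 8, b"constructed-cert-B" * 8]
SAMPLE_BUNDLE = "# constructed bundle\n" + "".join(make_pem(d) for d in SAMPLE_DER)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_BUNDLE
    hits = find_unwanted(text, [OLD_ISRG_X1_SHA256])
    for index, fp in hits:
        print(f"certificate #{index} matches {fp}")
    print(f"{len(hits)} matching certificate(s) found")
```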

Same issue here. Those certs don't exist on my system.

Quote from: Taomyn on September 30, 2021, 05:07:45 PM
I got this just checking from the console and I don't have any proxy involved.


I did resolve the LE certificate stuff myself before the patch and also deleted the expired CA certificate from the firewall. Could that be the cause?

Same problem here.

September 30, 2021, 05:31:32 PM #9 Last Edit: September 30, 2021, 05:38:14 PM by dcol
Changed the mirror from default to dns-root.de and it worked. Must be an issue on the default mirror.

I'm also not able to update to get the latest fix for ACME:


***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 21.7.3_1 (amd64/OpenSSL) at Thu Sep 30 17:29:13 CEST 2021
Fetching changelog information, please wait... Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
7292707495936:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

You can get around this by selecting an HTTP mirror instead of an HTTPS one, provided it has already synced the updates of course. I used WJComms and it worked.
In theory there is no difference between theory and practice. In practice there is.

September 30, 2021, 06:01:16 PM #12 Last Edit: September 30, 2021, 06:08:19 PM by KHE
Quote from: dcol on September 30, 2021, 05:31:32 PM
Changed the mirror from default to dns-root.de and it worked. Must be an issue on the default mirror.

https://mirror.dns-root.de has no LE cert. The issue seems to be with LE certs. That would also explain the failure of the DNS over TLS servers I saw this afternoon (unicast.censurfridns.dk, anycast.censurfridns.dk).
If I use dns-root.de I get the following:
Currently running OPNsense 21.7.3_1 (amd64/OpenSSL) at Thu Sep 30 17:58:32 CEST 2021
Fetching changelog information, please wait... Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
862769819648:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig: Authentication error
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.txz: .......... done
Processing entries: .......... done
OPNsense repository update completed. 767 packages processed.

Doesn't seem to matter what mirror I choose, it's the same every time :'(

Quote from: Taomyn on September 30, 2021, 06:06:01 PM
Doesn't seem to matter what mirror I choose, it's the same every time :'(

Do you use other repositories? The one from @minugmail also has this issue. And if one repository is having issues, then the update is not possible via the WebGUI.