Unable to check for updates.

[LogicEthos]

Code: [Select]

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 21.7.3_1 (amd64/OpenSSL) at Thu Sep 30 14:07:04 UTC 2021
Fetching changelog information, please wait... Certificate verification failed for /C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense
4281915764736:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense
625717841920:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
I tried different mirrors.

[franco]

Looks like a proxy intercepting your TLS.


Cheers,
Franco

[LogicEthos]

Looks like it, yet from the LAN side there is no problem.  I tried using curl from shell, and it fails with "self signed certificate".

[franco]

Do you have transparent web proxy configured? Maybe you are slurping local firewall traffic onto proxy with port forward rule?


Cheers,
Franco

[LogicEthos]

No.

I don't remember there being a reboot, after the last update.  Maybe that's it.  I'll try that when things are quiet.

Thanks.

[Taomyn]

I got this just checking from the console and I don't have any proxy involved.


I did resolve the LE certificate stuff myself before the patch and also deleted the expired CA certificate from the firewall, could that be the cause?

[franco]

You need to delete both the expired root CA and the old intermediate ISRG Root X1 with SHA256: 6d99fb265eb1c5b3744765fcbc648f3cd8e1bffafdc4c2f99b9d47cf7ff1c24f


Cheers,
Franco

[dcol]

Same issue here. Those certs don't exist on my system.

[QBANIN]

I got this just checking from the console and I don't have any proxy involved.


I did resolve the LE certificate stuff myself before the patch and also deleted the expired CA certificate from the firewall, could that be the cause?

Same problem here.

[dcol]

Changed the mirror from default to dns-root.de and it worked. Must be an issue on the default mirror

[mrpink]

I'm also not able to update to get the latest fix for ACME:

Code: [Select]

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 21.7.3_1 (amd64/OpenSSL) at Thu Sep 30 17:29:13 CEST 2021
Fetching changelog information, please wait... Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
7292707495936:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

[dinguz]

You can get around this by selecting a HTTP mirror instead of a HTTPS one, provided it has already synced the updates of course. I used WJComms and it worked.

[KHE]

Changed the mirror from default to dns-root.de and it worked. Must be an issue on the default mirror

https://mirror.dns-root.de has no LE cert. The issue seems to be with LE certs. That would also explain the failure of the DNS over TLS servers I saw this afternoon (unicast.censurfridns.dk, anycast.censurfridns.dk).
If I use dns-root.de I get the following:

Code: [Select]

Currently running OPNsense 21.7.3_1 (amd64/OpenSSL) at Thu Sep 30 17:58:32 CEST 2021
Fetching changelog information, please wait... Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
862769819648:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig: Authentication error
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.txz: .......... done
Processing entries: .......... done
OPNsense repository update completed. 767 packages processed.

[Taomyn]

Doesn't seem to matter what mirror I choose, it's the same every time 

[KHE]

Doesn't seem to matter what mirror I choose, it's the same every time 

Do you use other repositories? The one from @minugmail has also this issue. And if one repository having issues, then the update is not possible via WebGUI.