Author Topic: Unable to check for updates.  (Read 6771 times)

LogicEthos

Unable to check for updates.
« on: September 30, 2021, 04:09:36 pm »
Code:
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 21.7.3_1 (amd64/OpenSSL) at Thu Sep 30 14:07:04 UTC 2021
Fetching changelog information, please wait... Certificate verification failed for /C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense
4281915764736:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense
625717841920:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
I tried different mirrors.

franco

Re: Unable to check for updates.
« Reply #1 on: September 30, 2021, 04:12:33 pm »
Looks like a proxy intercepting your TLS.


Cheers,
Franco

LogicEthos

Re: Unable to check for updates.
« Reply #2 on: September 30, 2021, 04:37:12 pm »
Looks like it, yet from the LAN side there is no problem.  I tried using curl from shell, and it fails with "self signed certificate".

franco

Re: Unable to check for updates.
« Reply #3 on: September 30, 2021, 04:38:19 pm »
Do you have a transparent web proxy configured? Maybe you are slurping local firewall traffic onto the proxy with a port forward rule?


Cheers,
Franco

LogicEthos

Re: Unable to check for updates.
« Reply #4 on: September 30, 2021, 04:42:58 pm »
No.

I don't remember there being a reboot, after the last update.  Maybe that's it.  I'll try that when things are quiet.

Thanks.

Taomyn

Re: Unable to check for updates.
« Reply #5 on: September 30, 2021, 05:07:45 pm »
I got this just checking from the console and I don't have any proxy involved.


I did resolve the LE certificate stuff myself before the patch and also deleted the expired CA certificate from the firewall, could that be the cause?

franco

Re: Unable to check for updates.
« Reply #6 on: September 30, 2021, 05:22:43 pm »
You need to delete both the expired root CA and the old intermediate ISRG Root X1 with SHA256: 6d99fb265eb1c5b3744765fcbc648f3cd8e1bffafdc4c2f99b9d47cf7ff1c24f


Cheers,
Franco

dcol

Re: Unable to check for updates.
« Reply #7 on: September 30, 2021, 05:24:45 pm »
Same issue here. Those certs don't exist on my system.

QBANIN

Re: Unable to check for updates.
« Reply #8 on: September 30, 2021, 05:25:33 pm »
Quote from: Taomyn on September 30, 2021, 05:07:45 pm
I got this just checking from the console and I don't have any proxy involved.


I did resolve the LE certificate stuff myself before the patch and also deleted the expired CA certificate from the firewall, could that be the cause?

Same problem here.

dcol

Re: Unable to check for updates.
« Reply #9 on: September 30, 2021, 05:31:32 pm »
Changed the mirror from default to dns-root.de and it worked. Must be an issue on the default mirror.
« Last Edit: September 30, 2021, 05:38:14 pm by dcol »

mrpink

Re: Unable to check for updates.
« Reply #10 on: September 30, 2021, 05:33:30 pm »
I'm also not able to update to get the latest fix for ACME:


Code:
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 21.7.3_1 (amd64/OpenSSL) at Thu Sep 30 17:29:13 CEST 2021
Fetching changelog information, please wait... Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
7292707495936:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
664417325056:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***
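Added example, not part of any post in this thread: a small Python triage of the update output quoted above, pairing each failed download with the certificate subject that was rejected just before it. The two labels are assumptions that mirror the diagnoses given in replies #1 and #6, and all function and label names are illustrative.

```python
import re

# Lines copied from the logs in the first post and in reply #10 (repeats trimmed).
LOG_FIRST_POST = """\
Fetching changelog information, please wait... Certificate verification failed for /C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense
fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig: Authentication error
"""
LOG_REPLY_10 = """\
Fetching changelog information, please wait... Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig: Authentication error
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/latest/meta.txz: Authentication error
"""

FAILED = re.compile(r"Certificate verification failed for (/.+)$")
AUTH_ERR = re.compile(r"^(?:fetch|pkg): (https://\S+): Authentication error$")
EXPIRED_ROOT_CN = "DST Root CA X3"  # subject rejected in the reply #10 and #12 logs


def parse_dn(dn):
    """Turn '/O=Foo/CN=Bar' into {'O': 'Foo', 'CN': 'Bar'}."""
    return dict(p.split("=", 1) for p in dn.strip("/").split("/") if "=" in p)


def classify(subject):
    """Assumed labels, following the two diagnoses given in the thread."""
    if parse_dn(subject).get("CN") == EXPIRED_ROOT_CN:
        return "expired-root-in-chain"  # look at the local trust store (reply #6)
    return "unexpected-subject"         # anything else: check for interception (reply #1)


def triage(log):
    """Return {url: [(rejected subject, label), ...]} for every failed download."""
    pending, result = [], {}
    for line in log.splitlines():
        m = FAILED.search(line)
        if m:
            if m.group(1) not in pending:  # collapse the repeated retries
                pending.append(m.group(1))
            continue
        m = AUTH_ERR.match(line.strip())
        if m:
            result[m.group(1)] = [(s, classify(s)) for s in pending]
            pending = []
    return result
```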

dinguz

Re: Unable to check for updates.
« Reply #11 on: September 30, 2021, 05:54:40 pm »
You can get around this by selecting an HTTP mirror instead of an HTTPS one, provided it has already synced the updates of course. I used WJComms and it worked.
In theory there is no difference between theory and practice. In practice there is.

KHE

Re: Unable to check for updates.
« Reply #12 on: September 30, 2021, 06:01:16 pm »
Quote from: dcol on September 30, 2021, 05:31:32 pm
Changed the mirror from default to dns-root.de and it worked. Must be an issue on the default mirror

https://mirror.dns-root.de has no LE cert. The issue seems to be with LE certs. That would also explain the failure of the DNS over TLS servers I saw this afternoon (unicast.censurfridns.dk, anycast.censurfridns.dk).
If I use dns-root.de I get the following:
Code:
Currently running OPNsense 21.7.3_1 (amd64/OpenSSL) at Thu Sep 30 17:58:32 CEST 2021
Fetching changelog information, please wait... Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
862769819648:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig: Authentication error
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.txz: .......... done
Processing entries: .......... done
OPNsense repository update completed. 767 packages processed.
« Last Edit: September 30, 2021, 06:08:19 pm by KHE »

Taomyn

Re: Unable to check for updates.
« Reply #13 on: September 30, 2021, 06:06:01 pm »
Doesn't seem to matter what mirror I choose, it's the same every time  :'(

KHE

Re: Unable to check for updates.
« Reply #14 on: September 30, 2021, 06:12:33 pm »
Quote from: Taomyn on September 30, 2021, 06:06:01 pm
Doesn't seem to matter what mirror I choose, it's the same every time  :'(

Do you use other repositories? The one from @minugmail also has this issue. And if one repository is having issues, then the update is not possible via the WebGUI.