post upgrade updates fail with Certificate verification failure.

Started by MoonbeamFrame, January 30, 2022, 12:52:06 PM

Running OPNsense as a VM on Virtualbox 6.1

Post upgrade I'm unable to check for package updates.


***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.1 (amd64/OpenSSL) at Tue Oct  6 10:11:06 BST 2189
Fetching changelog information, please wait... Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34374492160:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

So do you have the FreeBSD repository enabled?


Cheers,
Franco


This is the state of the system having upgraded 21.7.7 to 21.7.8 to 22.1 via the GUI.

No user side changes were made.


I had this problem too before updating.  Still got it.  Must be something wrong with my configuration file.


***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.1 (amd64/OpenSSL) at Tue Feb  1 21:10:47 UTC 2022
Fetching changelog information, please wait... Certificate verification failed for /C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense
34374492160:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:

Health audit output would be nice. Also can you try to go to Firmware: Packages tab and grab the version number from "pkg" from the list?


Cheers,
Franco

pkg = 1.16.3_1

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 22.1 (amd64/OpenSSL) at Wed Feb  2 13:05:06 UTC 2022
>>> Check installed kernel version
Version 22.1 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 22.1 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 65 dependencies to check.
Checking packages: .
beep-1.0_1 has no upstream equivalent
Checking packages: .
ca_root_nss-3.74 has no upstream equivalent
Checking packages: .
choparp-20150613 has no upstream equivalent
Checking packages: .
cpustats-0.1 has no upstream equivalent
Checking packages: .
dhcp6c-20200512_1 has no upstream equivalent
Checking packages: .
dhcpleases-0.2 has no upstream equivalent
Checking packages: .
dnsmasq-2.86_2,1 has no upstream equivalent
Checking packages: .
dpinger-3.0 has no upstream equivalent
Checking packages: .
expiretable-0.6_2 has no upstream equivalent
Checking packages: .
filterlog-0.6 has no upstream equivalent
Checking packages: .
flock-2.37.2 has no upstream equivalent
Checking packages: .
flowd-0.9.1_3 has no upstream equivalent
Checking packages: .
hostapd-2.10 has no upstream equivalent
Checking packages: .
ifinfo-13.0 has no upstream equivalent
Checking packages: .
iftop-1.0.p4 has no upstream equivalent
Checking packages: .
isc-dhcp44-relay-4.4.2P1 has no upstream equivalent
Checking packages: .
isc-dhcp44-server-4.4.2P1_1 has no upstream equivalent
Checking packages: .
lighttpd-1.4.63 has no upstream equivalent
Checking packages: .
monit-5.29.0_1 has no upstream equivalent
Checking packages: .
mpd5-5.9_6 has no upstream equivalent
Checking packages: .
ntp-4.2.8p15_4 has no upstream equivalent
Checking packages: .
openssh-portable-8.8.p1_1,1 has no upstream equivalent
Checking packages: .
openssl-1.1.1m_1,1 has no upstream equivalent
Checking packages: .
openvpn-2.5.5 has no upstream equivalent
Checking packages: .
opnsense-22.1 has no upstream equivalent
Checking packages: .
opnsense-installer-22.1 has no upstream equivalent
Checking packages: .
opnsense-lang-21.7.8 has no upstream equivalent
Checking packages: .
opnsense-update-22.1 has no upstream equivalent
Checking packages: .
pam_opnsense-19.1.3 has no upstream equivalent
Checking packages: .
pftop-0.7_9 has no upstream equivalent
Checking packages: .
php74-ctype-7.4.27 has no upstream equivalent
Checking packages: .
php74-curl-7.4.27 has no upstream equivalent
Checking packages: .
php74-dom-7.4.27 has no upstream equivalent
Checking packages: .
php74-filter-7.4.27 has no upstream equivalent
Checking packages: .
php74-gettext-7.4.27 has no upstream equivalent
Checking packages: .
php74-google-api-php-client-2.4.0 has no upstream equivalent
Checking packages: .
php74-json-7.4.27 has no upstream equivalent
Checking packages: .
php74-ldap-7.4.27 has no upstream equivalent
Checking packages: .
php74-openssl-7.4.27 has no upstream equivalent
Checking packages: .
php74-pdo-7.4.27 has no upstream equivalent
Checking packages: .
php74-pecl-radius-1.4.0b1_1 has no upstream equivalent
Checking packages: .
php74-phalcon4-4.1.3 has no upstream equivalent
Checking packages: .
php74-phpseclib-2.0.35 has no upstream equivalent
Checking packages: .
php74-session-7.4.27 has no upstream equivalent
Checking packages: .
php74-simplexml-7.4.27 has no upstream equivalent
Checking packages: .
php74-sockets-7.4.27 has no upstream equivalent
Checking packages: .
php74-sqlite3-7.4.27 has no upstream equivalent
Checking packages: .
php74-xml-7.4.27 has no upstream equivalent
Checking packages: .
php74-zlib-7.4.27 has no upstream equivalent
Checking packages: .
pkg-1.16.3_1 has no upstream equivalent
Checking packages: .
py38-Jinja2-3.0.1 has no upstream equivalent
Checking packages: .
py38-dnspython2-2.2.0 has no upstream equivalent
Checking packages: .
py38-netaddr-0.8.0 has no upstream equivalent
Checking packages: .
py38-requests-2.25.1 has no upstream equivalent
Checking packages: .
py38-sqlite3-3.8.12_7 has no upstream equivalent
Checking packages: .
py38-ujson-5.0.0 has no upstream equivalent
Checking packages: .
radvd-2.19_1 has no upstream equivalent
Checking packages: .
rrdtool-1.7.2_4 has no upstream equivalent
Checking packages: .
samplicator-1.3.8.r1_1 has no upstream equivalent
Checking packages: .
squid-4.15 has no upstream equivalent
Checking packages: .
strongswan-5.9.4 has no upstream equivalent
Checking packages: .
sudo-1.9.8p2 has no upstream equivalent
Checking packages: .
suricata-6.0.4_1 has no upstream equivalent
Checking packages: .
syslog-ng-3.35.1 has no upstream equivalent
Checking packages: .
unbound-1.14.0 has no upstream equivalent
Checking packages: .
wpa_supplicant-2.10 has no upstream equivalent
Checking packages: .
zip-3.0_1 has no upstream equivalent
***DONE***

Yours looks ok, though /C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense looks like a local web proxy you're hitting. Configuration error?

(compare with /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign which is the correct root certificate)


Cheers,
Franco


Yep, so a firewall rule or port forward likely causes your local traffic to hit the GUI for whatever reason.


Cheers,
Franco

I tried removing port forwarding.  Same.
I deleted the certificate that was in my config file. I created new self-signed certificates.

fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
SSL certificate subject doesn't match host www.mirrorservice.org


From my web browser, I can download without problems.
https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz

but from the console I get

root@OPNsense:~ # curl https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz
curl: (60) SSL: certificate subject name 'LE Cert' does not match target host name 'pkg.opnsense.org'



You're still pointing the box through a proxy either internally or externally. At least from the certificate shift it looks like it's an internal one. You can use "curl -k https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz" to see it download correctly, but that doesn't change the fact you really need to fix your setup.


Cheers,
Franco


Is the implication here that this is failing because the VM does not have a real external IP?

I've just created a new VM and installed 22.1 from the iso and I see the same error from the CLI and the GUI.

Restoring the previous configuration still results in this error.


Quote from: MoonbeamFrame on February 03, 2022, 05:08:30 PM
Is the implication here that this is failing because the VM does not have a real external IP?

Perhaps you could try downloading changelog.txz as above. When I do it from the OPNsense console, it fails. From my desktop (which is connected via OPNsense) it works. The implication is there is an internal proxy, but I have not been able to find it.

@MoonbeamFrame
Quote:
Currently running OPNsense 22.1 (amd64/OpenSSL) at Tue Oct  6 10:11:06 BST 2189
Fetching changelog information, please wait... Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34374492160:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
so what time is on your OPN now?
pkg.opnsense.org root cert is only valid until 2029  ;)

Good catch, that year 2189 was also in the original post, so both things reported here are local issues.


Cheers,
Franco
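As an added example (not code from the thread or from the OPNsense project), the following Python snippet reads an update-check log of the kind posted above and separates the two local causes identified in the thread: a system clock set past the root certificate's validity, and an unexpected certificate subject, meaning something other than pkg.opnsense.org is answering the TLS handshake. The expected GlobalSign subject and the 2029 validity year are taken from the thread; the sample logs are constructed from its reports.

```python
import re

# Assumed for this example, from the thread: the update check should see the
# GlobalSign Root CA - R3 chain, and that root is valid until 2029.
EXPECTED_SUBJECTS = {"/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign"}
ROOT_VALID_UNTIL_YEAR = 2029

RUNNING_RE = re.compile(r"^Currently running OPNsense .* at (?P<stamp>.+)$")
FAILED_RE = re.compile(r"Certificate verification failed for (?P<subject>/.*)$")


def classify_update_log(log_text):
    """Return sorted, de-duplicated (kind, detail) findings for one log.

    The firmware log repeats the same failure once per fetch attempt, so
    findings are collected in a set rather than a list.
    """
    findings = set()
    for line in log_text.splitlines():
        m = RUNNING_RE.match(line)
        if m:
            # The timestamp ends with the four-digit year, e.g. '... BST 2189'.
            year = int(m.group("stamp").split()[-1])
            if year > ROOT_VALID_UNTIL_YEAR:
                findings.add(("clock_skew", str(year)))
            continue
        m = FAILED_RE.search(line)
        if m:
            subject = m.group("subject").strip()
            if subject in EXPECTED_SUBJECTS:
                # Right chain, still rejected: check the clock and trust store.
                findings.add(("expected_chain_rejected", subject))
            else:
                # Wrong subject: a proxy, a port forward or a local GUI answered.
                findings.add(("unexpected_subject", subject))
    return sorted(findings)


# Constructed sample logs, trimmed from the two reports in the thread.
LOG_WRONG_CLOCK = """\
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.1 (amd64/OpenSSL) at Tue Oct  6 10:11:06 BST 2189
Fetching changelog information, please wait... Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz: Authentication error
"""
LOG_PROXY = """\
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.1 (amd64/OpenSSL) at Tue Feb  1 21:10:47 UTC 2022
Fetching changelog information, please wait... Certificate verification failed for /C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz: Authentication error
"""
```

Run `classify_update_log` on the pasted output of the GUI update check; a `clock_skew` finding points at the VM's clock, an `unexpected_subject` finding at whatever sits between the firewall and the mirror.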