post upgrade updates fail with Certificate verification failure.

Started by MoonbeamFrame, January 30, 2022, 12:52:06 PM

@franco yep, but I don't have enough imagination to suggest the configuration of the rules for @LogicEthos results)

@LogicEthos
can you share the
curl -v https://pkg.opnsense.org
result and
Quote
pfctl -vss | grep :443
result right after curl? thanks

I have just forced unbound to issue the IPV4 address, instead of the IPV6 address for pkg.opnsense.org
It now works!  ¯\_(ツ)_/¯

This is what it looks like with IPv6 enabled.

root@OPNsense:~ # curl -v https://pkg.opnsense.org
*   Trying 2001:1af8:4f00:a005:5:::443...
* Connected to pkg.opnsense.org (2001:1af8:4f00:a005:5::) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /usr/local/etc/ssl/cert.pem
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=GB; ST=Hampshire; L=Southampton; O=LogicEthos; emailAddress=stuart@something.com; CN=LE-Cert
*  start date: Feb  4 14:48:04 2022 GMT
*  expire date: Mar  8 14:48:04 2023 GMT
* SSL: certificate subject name 'LE-Cert' does not match target host name 'pkg.opnsense.org'
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: certificate subject name 'LE-Cert' does not match target host name 'pkg.opnsense.org'
More details here: https://curl.se/docs/sslcerts.html
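The transcript above shows the IPv6 connection to pkg.opnsense.org being answered with a certificate whose CN is LE-Cert rather than the repository's name. The following script is an added example, not code from the thread or from OPNsense: it parses a curl -v transcript for the peer address family, the presented subject and any hostname mismatch, and flags the case where the CN equals the firewall's own GUI certificate CN (supplied by the caller; the IPv6 sample is abridged from the post, the IPv4 sample and its address are constructed).

```python
import ipaddress
import re

# Constructed sample 1: abridged from the IPv6 curl -v transcript posted in the thread.
CURL_LOG_V6 = """\
*   Trying 2001:1af8:4f00:a005:5:::443...
* Connected to pkg.opnsense.org (2001:1af8:4f00:a005:5::) port 443 (#0)
* Server certificate:
*  subject: C=GB; ST=Hampshire; L=Southampton; O=LogicEthos; CN=LE-Cert
* SSL: certificate subject name 'LE-Cert' does not match target host name 'pkg.opnsense.org'
"""
# Constructed sample 2: what a healthy IPv4 run would look like (address and subject made up).
CURL_LOG_V4 = """\
* Connected to pkg.opnsense.org (192.0.2.10) port 443 (#0)
* Server certificate:
*  subject: CN=pkg.opnsense.org
* SSL certificate verify ok.
"""

CONNECTED = re.compile(r"\* Connected to (\S+) \((\S+)\) port (\d+)")
SUBJECT = re.compile(r"\*\s+subject: (.+)")
MISMATCH = re.compile(r"subject name '([^']+)' does not match target host name '([^']+)'")


def parse_curl_log(text):
    """Pull host, peer address, address family, subject fields and any name mismatch out of curl -v output."""
    info = {"host": None, "peer": None, "family": None, "subject": {}, "mismatch": None}
    for line in text.splitlines():
        if m := CONNECTED.search(line):
            info["host"], info["peer"] = m.group(1), m.group(2)
            info["family"] = "IPv%d" % ipaddress.ip_address(m.group(2)).version
        elif m := SUBJECT.search(line):
            # "C=GB; ST=...; CN=LE-Cert" -> {"C": "GB", ..., "CN": "LE-Cert"}
            info["subject"] = dict(p.strip().split("=", 1) for p in m.group(1).split(";"))
        elif m := MISMATCH.search(line):
            info["mismatch"] = (m.group(1), m.group(2))
    return info


def diagnose(info, gui_cert_cn):
    """Classify the transcript; gui_cert_cn is the CN of the firewall's own web GUI certificate (caller-supplied assumption)."""
    cn = info["subject"].get("CN")
    if info["mismatch"] is None and cn == info["host"]:
        return "ok", "%s reached over %s, certificate name matches" % (info["host"], info["family"])
    if cn == gui_cert_cn:
        # The handshake ended at the firewall itself: the resolved address or a port-443 rule
        # delivered the request to the local GUI instead of the repository.
        record = "AAAA" if info["family"] == "IPv6" else "A"
        return "local-gui-cert", "%s connection to %s answered by local GUI cert %r; check the %s record and port 443 rules" % (
            info["family"], info["peer"], cn, record)
    return "name-mismatch", "certificate CN %r does not match %s" % (cn, info["host"])


if __name__ == "__main__":
    for log in (CURL_LOG_V6, CURL_LOG_V4):
        print(diagnose(parse_curl_log(log), gui_cert_cn="LE-Cert"))
```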

Quote
It now works!  ¯\_(ツ)_/¯

Still not clear why the request over IPv6 is hitting the local port. Perhaps the output of pfctl right after curl would help to understand.

Quote from: Fright on February 05, 2022, 06:20:20 AM
Still not clear why the request over IPv6 is hitting the local port. Perhaps the output of pfctl right after curl would help to understand.

It generates a lot of data.  This seems to be the relevant bit.

all tcp 2a02:my:ip:xxx::1[50482] -> 2001:1af8:4f00:a005:5::[443]       FIN_WAIT_2:FIN_WAIT_2

Hm, no translation is visible.
The last idea is to try to trace requests to dst_port 443 in the firewall live log (with the default rules logging enabled in SYSTEM: SETTINGS: LOGGING).


Hm, don't know what to say (is the GUI listening on :443?). No translation is visible, but there are no incoming hits on the GUI either :o

Quote from: MoonbeamFrame on January 30, 2022, 12:52:06 PM
Running OPNsense as a VM on Virtualbox 6.1

Post upgrade I'm unable to check for package updates.


Quote
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.1 (amd64/OpenSSL) at Tue Oct  6 10:11:06 BST 2189
Fetching changelog information, please wait... Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34374492160:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify

I have the same problem.
For quite a long time everything worked fine and was updated. However, at some point in time I got the same error.
I read the topic, but did not understand whether or not the problem was solved, and how.

Quote
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.1.3 (amd64/OpenSSL) at Mon Jun 27 10:33:54 +11 2022
Fetching changelog information, please wait... Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34374492160:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign