OPNsense 21.7 does not want to update.

Started by BertM, April 08, 2022, 03:58:19 PM

One of our older OPNsense devices appears to have a certificate issue and does not want to update.
The hardware is a DEC610 device that was purchased several years ago from applianceshop.eu and that is currently running OPNsense 21.7-amd64.
When I try to Check for updates it fails to fetch the files due to a certificate error.
The log box shows the following:

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 21.7 (amd64/OpenSSL) at Tue Jun  6 01:27:54 CEST 2017
Fetching changelog information, please wait... Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
7163985113088:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
2040999223296:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
2040999223296:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
2040999223296:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
2040999223296:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
2040999223296:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
2040999223296:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
2040999223296:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
2040999223296:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
2040999223296:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

Does anyone have any idea how to fix this? (preferably without travelling to this remote location)

Kind regards,
BertM




I think we still have HTTP mirrors to work around this?


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT

Thanks Franco,

Cool, I did not realize that there were still some HTTP mirrors.
Selecting an HTTP mirror did indeed allow me to update to the latest version, although during each check for updates it failed authentication while fetching the changelog.txz.
I had hoped that updating would also solve the certificate issue, but it did not.
See below the check for updates after updating to the latest version while still having an HTTP mirror selected.

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.1.5 (amd64/OpenSSL) at Wed Jun  7 00:49:12 CEST 2017
Fetching changelog information, please wait... Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34374492160:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1916:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.txz: .......... done
Processing entries: .......... done
OPNsense repository update completed. 785 packages processed.
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (0 candidates): . done
Processing candidates (0 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

Is there an easy way to solve this certificate issue, or should we just re-install OPNsense software from scratch if/when someone from IT is on site?

Kind regards,
Bert

Hi Bert,

Maybe you have an older root certificate bundle manually imported in system: trust: authorities? Sometimes CAs reissue their certificates and if an older expired version is still in your system it could cause that.


Cheers,
Franco

April 30, 2022, 05:41:58 PM #4 Last Edit: April 30, 2022, 05:46:41 PM by Plaidy
Quote from: franco on April 11, 2022, 09:05:32 AM
Hi Bert,

Maybe you have an older root certificate bundle manually imported in system: trust: authorities? Sometimes CAs reissue their certificates and if an older expired version is still in your system it could cause that.


Cheers,
Franco

I am having the same issue. How do I update the certificates?

Edit: Never mind, I changed to an HTTP provider, performed the update and then changed back and that seems to have fixed the issue.
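
A triage sketch for update logs like the two quoted in this thread, added here as an example and not part of any post or of OPNsense itself. It collects the failing certificate subjects and URLs and compares the clock the firewall reports with a trusted reference time, because X.509 validity periods are checked against the local clock; both quoted logs report a system date in June 2017 while the posts are dated April 2022. The function name `triage`, its parameters and the one-day threshold are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Sample input: lines copied from the first update log quoted in this thread.
SAMPLE_LOG = """\
Currently running OPNsense 21.7 (amd64/OpenSSL) at Tue Jun  6 01:27:54 CEST 2017
Fetching changelog information, please wait... Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig: Authentication error
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/latest/meta.txz: Authentication error
"""

CLOCK_RE = re.compile(
    r"Currently running .* at \w{3} (\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) \w+ (\d{4})")
VERIFY_RE = re.compile(r"Certificate verification failed for (/\S.*)$")
FETCH_RE = re.compile(r"^(?:fetch|pkg): (https?://\S+): Authentication error")

def triage(log_text, reference_time, max_skew=timedelta(days=1)):
    """Summarise TLS failures in an update log and compare the clock the
    firewall reports with a trusted reference time given by the caller."""
    report = {"system_time": None, "clock_skewed": None,
              "failed_subjects": {}, "failed_urls": []}
    for line in log_text.splitlines():
        m = CLOCK_RE.search(line)
        if m:
            # The timezone token is dropped; the one-day default threshold
            # makes a few hours of offset irrelevant.
            stamp = "{} {} {} {}".format(*m.groups())
            report["system_time"] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
            report["clock_skewed"] = abs(reference_time - report["system_time"]) > max_skew
        m = VERIFY_RE.search(line)
        if m:
            dn = m.group(1).strip()
            report["failed_subjects"][dn] = report["failed_subjects"].get(dn, 0) + 1
        m = FETCH_RE.search(line)
        if m:
            report["failed_urls"].append(m.group(1))
    return report

if __name__ == "__main__":
    # Reference time: the timestamp of the first post, standing in for a trusted clock.
    result = triage(SAMPLE_LOG, datetime(2022, 4, 8, 15, 58, 19))
    print("reported system time:", result["system_time"])
    print("clock differs from reference by more than a day:", result["clock_skewed"])
    for subject, count in result["failed_subjects"].items():
        print(count, "verification failure(s) for", subject)
    for url in result["failed_urls"]:
        print("could not fetch:", url)
```

If the clock is flagged, correct the system time before inspecting the trust store; a certificate issued after the date the firewall believes it is will fail verification even with a current root bundle.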