[SOLVED] Update not possible (Certificate verification failed)

Started by Rolly82, August 15, 2022, 03:33:50 PM

Hello everyone, I currently have a problem updating my sense.
I always get the following error message:
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.1.10_4 (amd64/OpenSSL) at Mon Aug 15 15:31:40 CEST 2022
Fetching changelog information, please wait... SSL certificate subject doesn't match host pkg.opnsense.org
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
SSL certificate subject doesn't match host pkg.opnsense.org
SSL certificate subject doesn't match host pkg.opnsense.org
SSL certificate subject doesn't match host pkg.opnsense.org
SSL certificate subject doesn't match host pkg.opnsense.org
SSL certificate subject doesn't match host pkg.opnsense.org
SSL certificate subject doesn't match host pkg.opnsense.org
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
SSL certificate subject doesn't match host pkg.opnsense.org
SSL certificate subject doesn't match host pkg.opnsense.org
SSL certificate subject doesn't match host pkg.opnsense.org
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/packagesite.pkg: Authentication error
SSL certificate subject doesn't match host pkg.opnsense.org
SSL certificate subject doesn't match host pkg.opnsense.org
SSL certificate subject doesn't match host pkg.opnsense.org
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Updating SunnyValley repository catalogue...
SSL certificate subject doesn't match host updates.sunnyvalley.io
SSL certificate subject doesn't match host updates.sunnyvalley.io
SSL certificate subject doesn't match host updates.sunnyvalley.io
SSL certificate subject doesn't match host updates.sunnyvalley.io
SSL certificate subject doesn't match host updates.sunnyvalley.io
SSL certificate subject doesn't match host updates.sunnyvalley.io
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.1/OpenSSL/latest/meta.txz: Authentication error
repository SunnyValley has no meta file, using default settings
SSL certificate subject doesn't match host updates.sunnyvalley.io
SSL certificate subject doesn't match host updates.sunnyvalley.io
SSL certificate subject doesn't match host updates.sunnyvalley.io
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.1/OpenSSL/latest/packagesite.pkg: Authentication error
SSL certificate subject doesn't match host updates.sunnyvalley.io
SSL certificate subject doesn't match host updates.sunnyvalley.io
SSL certificate subject doesn't match host updates.sunnyvalley.io
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.1/OpenSSL/latest/packagesite.txz: Authentication error
Unable to update repository SunnyValley
Updating mimugmail repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: ....... done
Processing entries: .......... done
mimugmail repository update completed. 175 packages processed.
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***


I am not using an LE certificate.
The solutions I found in the forum or via Google have not helped me either.
Is there a "simple" way to reset the SSL settings of the sense?
Or is a complete reset the only option left?

Thanks in advance for your help.

Best regards
Roland

Looks like an SSL proxy stuck in between there?


Regards
Franco

I wouldn't know where, unless the FritzBox behaves that way  :o.
I also have AdGuard running, but I have always had that and have not changed any settings.


So, I have now reinstalled the box. Yesterday everything worked. Today I wanted to check for updates again and I get the following messages:
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.7.2 (amd64/OpenSSL) at Mon Aug 22 22:23:45 CEST 2022
Fetching changelog information, please wait... Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34389172224:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.pkg: Authentication error
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Updating SunnyValley repository catalogue...
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/meta.txz: Authentication error
repository SunnyValley has no meta file, using default settings
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/packagesite.pkg: Authentication error
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/packagesite.txz: Authentication error
Unable to update repository SunnyValley
Updating mimugmail repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: ....... done
Processing entries: .......... done
mimugmail repository update completed. 175 packages processed.
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

I think the box is trying to annoy me  ???

Date and time broken?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Good morning,
no, the date/time is correct.

Here is what can be found under "System: Trust: Certificates":

Name Issuer Distinguished Name
Web GUI TLS certificate

CA: No, Server: Yes self-signed  ST=Zuid-Holland, O=OPNsense self-signed web certificate, L=Middelharnis, CN=OPNsense.localdomain, C=NL
  Valid From: Sun, 21 Aug 2022 09:44:47 +0200
  Valid Until: Fri, 22 Sep 2023 09:44:47 +0200

Web GUI TLS certificate

CA: No, Server: Yes self-signed  ST=Zuid-Holland, O=OPNsense self-signed web certificate, L=Middelharnis, CN=OPNsense.localdomain, C=NL
  Valid From: Sun, 21 Aug 2022 09:50:37 +0200
  Valid Until: Fri, 22 Sep 2023 09:50:37 +0200


Edit:
Something I just noticed:
The directory /usr/src, in which the subdirectories with the certificates to be checked are supposed to be (certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921, or am I seeing this wrong?), is empty:


root@OPNsense:/usr/src # ls -l
total 0

> Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate

How does the default route end up redirecting pkg.opnsense.org to the web GUI (localhost)? Have you enabled a port forward for the transparent SSL proxy?


Regards
Franco

Not that I know of, at least I have not set anything up.
The following is entered under "Firewall: NAT: Port Forward":
Interface Proto Address Ports Address Ports IP Ports Description
LAN TCP * * LAN address 22, 80, 443 * * Anti-Lockout Rule



Okay, then let's see what is misconfigured there... we need the output of these 3 commands:

# cat /etc/resolv.conf
# host pkg.opnsense.org
# echo | openssl s_client -connect pkg.opnsense.org:443


Regards
Franco

root@OPNsense:~ # cat /etc/resolv.conf
domain localdomain
nameserver 127.0.0.1
search localdomain


root@OPNsense:~ # host pkg.opnsense.org
pkg.opnsense.org has address 89.149.211.205
pkg.opnsense.org has IPv6 address 2001:1af8:4f00:a005:5::


root@OPNsense:~ # echo | openssl s_client -connect pkg.opnsense.org:443
CONNECTED(00000003)
depth=0 CN = OPNsense.localdomain, C = NL, ST = Zuid-Holland, L = Middelharnis, O = OPNsense self-signed web certificate
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = OPNsense.localdomain, C = NL, ST = Zuid-Holland, L = Middelharnis, O = OPNsense self-signed web certificate
verify return:1
---
Certificate chain
0 s:CN = OPNsense.localdomain, C = NL, ST = Zuid-Holland, L = Middelharnis, O = OPNsense self-signed web certificate
   i:CN = OPNsense.localdomain, C = NL, ST = Zuid-Holland, L = Middelharnis, O = OPNsense self-signed web certificate
---
Server certificate
subject=CN = OPNsense.localdomain, C = NL, ST = Zuid-Holland, L = Middelharnis, O = OPNsense self-signed web certificate

issuer=CN = OPNsense.localdomain, C = NL, ST = Zuid-Holland, L = Middelharnis, O = OPNsense self-signed web certificate

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2660 bytes and written 398 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 0E7369C9DBAD131E346411A93B5F8A74DB164EEEB15B873E96D19B2DD2A60D5A
    Session-ID-ctx:
    Resumption PSK: 849B198D017BC5EB696EFAAA939DDC4BDB21235F13B26C183C443566C9DDB3C9E5650B733A9466E8A961ECD5CBDC59CB
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1661258982
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: F0D46A5A40D3C5AE282EA319F24B381331EE032B8B7A84CC5A0B9E0474CA3BB3
    Session-ID-ctx:
    Resumption PSK: F2103EAFEB65BA3D08001787A3AB72625568BDB00C8625977A3CBDDD13E6A2825C4378497B9639BFECD684308C6F4EC6
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1661258982
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
DONE


Here are the outputs as requested. (Even with each command separated individually  ;) )

With the best will in the world I cannot spot anything here: resolv.conf is correct, the DNS answers too, but evidently it is not the server that is being reached but an OPNsense web GUI. Whether it is the local one or one sitting in front of it I do not know, but it looks like an attempt at a transparent SSL proxy.


Regards
Franco

Then let me sketch my network layout, maybe that helps:

WAN / Internet
            :
            : PPPoE-Provider (Telekom)
            :
      .-----+-----.
      |  Gateway  |  (Fritz!Box 192.168.178.1/24)
      '-----+-----'
            |
            | IPoE (192.168.178.0/24)
            |
      .-----+------.
      |  OPNsense  | (WAN 192.168.178.254/24 outbound NAT is disabled)
      '-----+------' AdGuard on port 53 / Unbound on port 5335
            |
        LAN | 192.168.10.254/24
            |
      .-----+------.
      | LAN-Switch |
      '-----+------'
            |
    ...-----+------... (Clients/Servers)


Settings of "Interfaces: [WAN]"
Block private networks disabled
Block bogon networks disabled
IPv4 Configuration Type Static IPv4
IPv6 Configuration Type SLAAC
IPV4 address 192.168.178.254/24
IPv4 Upstream Gateway FritzBox_IPv4 - 192.168.178.1


Settings of "System: Gateways: Single"
Name Interface Protocol Priority Gateway Monitor IP RTT RTTd Loss Status Description
FritzBox_IPv4 (active) WAN IPv4 255 (upstream) 192.168.178.1 ~ ~ ~ Online
LAN_TRACK6 (active) LAN IPv6 254 fe80::201:2eff:fea4:30fe ~ ~ ~ Online Interface LAN_TRACK6 Gateway
WAN_DHCP6 WAN IPv6 254 fe80::9a9b:cbff:fe4d:6ea5 ~ ~ ~ Online Interface WAN_DHCP6 Gateway





Output under "System:Firmware"
Type opnsense
Version 22.7.2
Architecture amd64
Flavour OpenSSL
Commit 412c0b79c
Mirror https://pkg.opnsense.org/FreeBSD:13:amd64/22.7
Repositories OPNsense, SunnyValley, mimugmail
Updated on Sun Aug 21 10:54:45 CEST 2022
Checked on Tue Aug 23 18:23:46 CEST 2022


Output of "AUDIT CONNECTIVITY"
***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 22.7.2 (amd64/OpenSSL) at Tue Aug 23 18:36:21 CEST 2022
Checking connectivity for host: pkg.opnsense.org -> 89.149.211.205
PING 89.149.211.205 (89.149.211.205): 1500 data bytes
1508 bytes from 89.149.211.205: icmp_seq=0 ttl=57 time=17.031 ms
1508 bytes from 89.149.211.205: icmp_seq=1 ttl=57 time=16.830 ms
1508 bytes from 89.149.211.205: icmp_seq=2 ttl=57 time=17.265 ms
1508 bytes from 89.149.211.205: icmp_seq=3 ttl=57 time=16.841 ms

--- 89.149.211.205 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 16.830/16.992/17.265/0.177 ms
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:13:amd64/22.7
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 798 packages processed.
Updating SunnyValley repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .. done
Processing entries: .... done
SunnyValley repository update completed. 31 packages processed.
Updating mimugmail repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: ....... done
Processing entries: .......... done
mimugmail repository update completed. 175 packages processed.
All repositories are up to date.
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:4f00:a005:5::
PING6(1548=40+8+1500 bytes) 2003:d1:f3a:e600:201:2eff:fea4:30fe --> 2001:1af8:4f00:a005:5::
1508 bytes from 2003:d1:f3a:e600:201:2eff:fea4:30fe, icmp_seq=1 hlim=64 time=0.132 ms
1508 bytes from 2003:d1:f3a:e600:201:2eff:fea4:30fe, icmp_seq=2 hlim=64 time=0.125 ms
1508 bytes from 2003:d1:f3a:e600:201:2eff:fea4:30fe, icmp_seq=3 hlim=64 time=0.068 ms

--- 2001:1af8:4f00:a005:5:: ping6 statistics ---
4 packets transmitted, 3 packets received, 25.0% packet loss
round-trip min/avg/max/std-dev = 0.068/0.108/0.132/0.029 ms
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:13:amd64/22.7
Updating OPNsense repository catalogue...
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.pkg: Authentication error
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Updating SunnyValley repository catalogue...
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/meta.txz: Authentication error
repository SunnyValley has no meta file, using default settings
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/packagesite.pkg: Authentication error
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /CN=OPNsense.localdomain/C=NL/ST=Zuid-Holland/L=Middelharnis/O=OPNsense self-signed web certificate
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/packagesite.txz: Authentication error
Unable to update repository SunnyValley
Updating mimugmail repository catalogue...
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/meta.txz: No address record
repository mimugmail has no meta file, using default settings
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/packagesite.pkg: No address record
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/packagesite.txz: No address record
Unable to update repository mimugmail
Error updating repositories!
***DONE***


Thanks in advance for the help.

The connectivity test indicates a problem with IPv6. Apparently the default route ends at localhost. Turn off SLAAC, because that is not working.

It is also possible to prefer IPv4 for resolution, but that quickly leads back to the same problem.


Regards
Franco
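
An added example, not part of the thread and not OPNsense code: a per-address-family version of the `openssl s_client` check, plus a test for the ping6 pattern seen in the connectivity audit, where every reply carries the firewall's own source address. Function names are hypothetical; the sample strings are constructed from the output quoted above, and the IPv4 sample subject is a made-up placeholder.

```shell
#!/bin/sh
# Added example: find out whether a failing TLS verification affects
# IPv4, IPv6 or both, instead of testing only the family the resolver picks.

# Read `openssl s_client` output on stdin, print "subject=<DN>;verify=<code>".
summarize_s_client() {
    awk '
        /^subject=/ && subject == ""        { sub(/^subject=/, ""); subject = $0 }
        /Verify return code:/ && code == "" { code = $4 }
        END { printf "subject=%s;verify=%s\n", subject, code }
    '
}

# Classify two summaries: $1 is the IPv4 result, $2 the IPv6 result.
# A missing verify code (connection failed) counts as a failure.
classify() {
    c4=${1##*verify=}
    c6=${2##*verify=}
    if [ "$c4" = 0 ] && [ "$c6" = 0 ]; then
        echo "ok"
    elif [ "$c4" = 0 ]; then
        echo "ipv6-path-only"
    elif [ "$c6" = 0 ]; then
        echo "ipv4-path-only"
    else
        echo "both-families"
    fi
}

# Read ping/ping6 output on stdin. Exit 0 when there are replies and every
# one of them comes from the probe's own source address (the address left
# of "-->" in the PING6 header), i.e. the target never answered itself.
ping6_answered_locally() {
    awk '
        /^PING6/       { for (i = 1; i <= NF; i++) if ($i == "-->") src = $(i - 1) }
        / bytes from / { from = $4; sub(/[,:]$/, "", from); n++; if (from == src) own++ }
        END            { exit !(n > 0 && own == n) }
    '
}

# Live probe (needs network access): $1 = host, $2 = 4 or 6.
probe_family() {
    echo | openssl s_client "-$2" -connect "$1:443" \
        -servername "$1" -verify_hostname "$1" 2>/dev/null | summarize_s_client
}

# --- constructed samples, shaped like the output in the thread ---
SAMPLE_V6='subject=CN = OPNsense.localdomain, C = NL, ST = Zuid-Holland, L = Middelharnis, O = OPNsense self-signed web certificate
Verify return code: 18 (self signed certificate)'
# Placeholder subject; the real repository certificate is not shown in the thread.
SAMPLE_V4='subject=CN = pkg.opnsense.org
Verify return code: 0 (ok)'
SAMPLE_PING6='PING6(1548=40+8+1500 bytes) 2003:d1:f3a:e600:201:2eff:fea4:30fe --> 2001:1af8:4f00:a005:5::
1508 bytes from 2003:d1:f3a:e600:201:2eff:fea4:30fe, icmp_seq=1 hlim=64 time=0.132 ms
1508 bytes from 2003:d1:f3a:e600:201:2eff:fea4:30fe, icmp_seq=2 hlim=64 time=0.125 ms'
SAMPLE_PING4='PING 89.149.211.205 (89.149.211.205): 1500 data bytes
1508 bytes from 89.149.211.205: icmp_seq=0 ttl=57 time=17.031 ms'

if [ "$#" -ge 1 ]; then
    # Live mode: sh tlsfamily.sh pkg.opnsense.org
    r4=$(probe_family "$1" 4)
    r6=$(probe_family "$1" 6)
    echo "IPv4: $r4"
    echo "IPv6: $r6"
    echo "result: $(classify "$r4" "$r6")"
else
    # Offline mode: run the same logic over the constructed samples.
    r4=$(printf '%s\n' "$SAMPLE_V4" | summarize_s_client)
    r6=$(printf '%s\n' "$SAMPLE_V6" | summarize_s_client)
    echo "IPv4: $r4"
    echo "IPv6: $r6"
    echo "result: $(classify "$r4" "$r6")"
    if printf '%s\n' "$SAMPLE_PING6" | ping6_answered_locally; then
        echo "ping6: all replies come from our own address"
    fi
fi
```

A result of `ipv6-path-only` points at routing for one address family rather than at a proxy intercepting all outbound TLS.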

I switched it from SLAAC to DHCPv6, now it works  :D
Thank you very much!!!

P.S.: How can changes to the "WAN" interface be applied without having to reboot the OPNsense?
Because if I don't do this, I no longer have a connection to the Internet after changes to the "WAN" interface. Disabling and re-enabling did not help, at least (for me).