OPNSense 25.4.1 won't Update anymore, Certificate verification failed

Started by SchengFui, August 18, 2025, 09:03:58 AM

Hi there,

OPNSense search for Updates fails with Certificate verification failed.

Last successful Update was on Tue Aug 5 21:15:40 CEST 2025 (25.4.1)

Date and Time is correct, IPV6 is disabled.

Audit Connectivity Log:
***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 25.4.1 (amd64) at Mon Aug 18 08:48:05 CEST 2025
Strict TLS 1.3 and CRL checking is enabled.
Checking connectivity for host: opnsense-update.deciso.com -> 89.149.211.205
PING 89.149.211.205 (89.149.211.205): 1500 data bytes
1508 bytes from 89.149.211.205: icmp_seq=0 ttl=58 time=13.925 ms
1508 bytes from 89.149.211.205: icmp_seq=1 ttl=58 time=13.682 ms
1508 bytes from 89.149.211.205: icmp_seq=2 ttl=58 time=13.605 ms
1508 bytes from 89.149.211.205: icmp_seq=3 ttl=58 time=13.734 ms

--- 89.149.211.205 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 13.605/13.737/13.925/0.118 ms
Checking connectivity for repository (IPv4): https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4
Updating OPNsense repository catalogue...
Certificate verification failed for /CN=opnsense-update.deciso.com (12)
002061CDEB140000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=opnsense-update.deciso.com (12)
002061CDEB140000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=opnsense-update.deciso.com (12)
002061CDEB140000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=opnsense-update.deciso.com (12)
002061CDEB140000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=opnsense-update.deciso.com (12)
002061CDEB140000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=opnsense-update.deciso.com (12)
002061CDEB140000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /CN=opnsense-update.deciso.com (12)
002061CDEB140000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=opnsense-update.deciso.com (12)
002061CDEB140000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=opnsense-update.deciso.com (12)
002061CDEB140000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4/latest/packagesite.pkg: Authentication error
Certificate verification failed for /CN=opnsense-update.deciso.com (12)
002061CDEB140000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=opnsense-update.deciso.com (12)
002061CDEB140000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=opnsense-update.deciso.com (12)
002061CDEB140000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
Checking connectivity for host: opnsense-update.deciso.com -> 2001:1af8:4f00:a005:5::
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4
Updating OPNsense repository catalogue...
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
Checking server certificate for host: opnsense-update.deciso.com
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G3
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS ECC CA G1
verify return:1
depth=0 CN = opnsense-update.deciso.com
verify return:1
DONE
***DONE***

Any Ideas?

Thank you in advance for any help!

Kind regards,
 SchengFui

Hi,

Error (12) means X509_V_ERR_CRL_HAS_EXPIRED, which could be the case, but the lifetime seems to be 1 hour so trying again should work now?


Cheers,
Franco

No, still not working:

Log from just now:
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 25.4.1 (amd64) at Mon Aug 18 14:09:42 CEST 2025
Strict TLS 1.3 and CRL checking is enabled.
Fetching subscription information, please wait... Certificate verification failed for /CN=opnsense-update.deciso.com (12)
00206177F6400000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
fetch: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4/subscription: Authentication error
Fetching changelog information, please wait... Certificate verification failed for /CN=opnsense-update.deciso.com (12)
00206187D3370000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
fetch: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /CN=opnsense-update.deciso.com (12)
002081C0571A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=opnsense-update.deciso.com (12)
002081C0571A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=opnsense-update.deciso.com (12)
002081C0571A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=opnsense-update.deciso.com (12)
002081C0571A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=opnsense-update.deciso.com (12)
002081C0571A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=opnsense-update.deciso.com (12)
002081C0571A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /CN=opnsense-update.deciso.com (12)
002081C0571A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=opnsense-update.deciso.com (12)
002081C0571A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=opnsense-update.deciso.com (12)
002081C0571A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4/latest/packagesite.pkg: Authentication error
Certificate verification failed for /CN=opnsense-update.deciso.com (12)
002081C0571A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=opnsense-update.deciso.com (12)
002081C0571A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=opnsense-update.deciso.com (12)
002081C0571A0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/25.4/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

Try to purge the CRLs...

# ls /etc/ssl/certs/*.r*

But I also think that you're not able to download CRLs either...


Cheers,
Franco
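
A read-only way to see which cached CRLs are behind error 12 before purging anything, as an added example that is not part of the original posts or of OPNsense's own tooling. It assumes the files matched by /etc/ssl/certs/*.r* are PEM-encoded CRLs and that openssl is on the PATH; the function names are illustrative and the timestamps in the comments are constructed.

```shell
#!/bin/sh
# Added example: list cached CRL files whose nextUpdate lies in the past
# (the condition OpenSSL reports as verify error 12, CRL has expired).
# Read-only: nothing is deleted.

# Turn openssl's "nextUpdate=Aug 18 07:00:00 2025 GMT" into a sortable UTC
# stamp YYYYMMDDHHMMSS with POSIX awk only, so it behaves the same on
# FreeBSD and Linux (no date(1) parsing flags needed).
crl_stamp() {
    printf '%s\n' "$1" | awk '{
        sub(/^nextUpdate=/, "")
        if (NF < 4) exit 1
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
        if (m < 1 || m != int(m)) exit 1
        split($3, t, ":")
        printf "%04d%02d%02d%02d%02d%02d\n", $4, m, $2, t[1], t[2], t[3]
    }'
}

# Exit 0 if the nextUpdate line $1 is older than UTC stamp $2,
# 1 if it is still valid, 2 if the line could not be parsed.
crl_is_expired() {
    s=$(crl_stamp "$1") || return 2
    [ "$s" -lt "$2" ]
}

# Print every CRL in directory $1 that is expired right now.
# Assumption: files are PEM-encoded; anything openssl cannot read is skipped.
scan_crls() {
    now=$(date -u +%Y%m%d%H%M%S)
    for f in "$1"/*.r*; do
        [ -f "$f" ] || continue
        nu=$(openssl crl -in "$f" -noout -nextupdate 2>/dev/null) || continue
        if crl_is_expired "$nu" "$now"; then
            printf 'EXPIRED  %s  (%s)\n' "$f" "$nu"
        fi
    done
}

scan_crls "${1:-/etc/ssl/certs}"
```

A file listed as EXPIRED that does not get refreshed on the next update check is the one keeping strict CRL checking in a failed state.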

Hi Franco,

I purged 2 lists, now System: Firmware: Updates is showing 73 pending updates...

I think it's working again.

Thank you very much!

Kind regards,
 SchengFui

Ok, not sure why it got stuck there but I'll keep an eye on it.


Cheers,
Franco