Certificate failure

Started by cdn, September 17, 2025, 02:17:43 PM

Previous topic - Next topic
Print
Go Down Pages1 2
User actions
September 17, 2025, 02:17:43 PM Last Edit: September 17, 2025, 02:27:56 PM by cdn
Since using latest business version of opnsense, we cannot update zenarmor:


Code Select
Updating SunnyValley repository catalogue...
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg-static: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/meta.txz: Authentication error
repository SunnyValley has no meta file, using default settings
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg-static: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/packagesite.pkg: Authentication error
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
008041EBCD2D0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg-static: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/packagesite.txz: Authentication error
Unable to update repository SunnyValley
Error updating repositories!
Code Select
echo | openssl s_client -connect updates.zenarmor.net:443
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R4
verify return:1
depth=1 C = US, O = Google Trust Services, CN = WE1
verify return:1
depth=0 CN = zenarmor.net
verify return:1
---
Certificate chain
 0 s:CN = zenarmor.net
   i:C = US, O = Google Trust Services, CN = WE1
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256
   v:NotBefore: Aug 10 23:04:34 2025 GMT; NotAfter: Nov  9 00:04:29 2025 GMT
 1 s:C = US, O = Google Trust Services, CN = WE1
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R4
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R4
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 15 03:43:21 2023 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDpzCCA06gAwIBAgIRAM7MeBZKS0C6E1y3P1w7IVgwCgYIKoZIzj0EAwIwOzEL
MAkGA1UEBhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczEMMAoG
A1UEAxMDV0UxMB4XDTI1MDgxMDIzMDQzNFoXDTI1MTEwOTAwMDQyOVowFzEVMBMG
A1UEAxMMemVuYXJtb3IubmV0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOUQp
32kVzkNFnPuZlCO1LKGqHgElMsQN2eyunq+HNKQifWt1lIbzxdOgT2DIYSC7cfXg
/6sJ8ymG2iHidML64aOCAlUwggJRMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAK
BggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTXor9dxRcwnplbGKD7
nJ6BWJ2gdzAfBgNVHSMEGDAWgBSQd5I1Z8T/qMyp5nvZgHl7zJP5ODBeBggrBgEF
BQcBAQRSMFAwJwYIKwYBBQUHMAGGG2h0dHA6Ly9vLnBraS5nb29nL3Mvd2UxL3pz
dzAlBggrBgEFBQcwAoYZaHR0cDovL2kucGtpLmdvb2cvd2UxLmNydDAnBgNVHREE
IDAeggx6ZW5hcm1vci5uZXSCDiouemVuYXJtb3IubmV0MBMGA1UdIAQMMAowCAYG
Z4EMAQIBMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jLnBraS5nb29nL3dlMS8y
RHFmUzI0a2NkSS5jcmwwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdwAaBP9J0FQd
QK/2oMO/8djEZy9O7O4jQGiYaxdALtyJfQAAAZiWcXTQAAAEAwBIMEYCIQD2vY/C
0gy8T9UfDv98fPAYCNNYoU/Krwx1Tfc1Uqp0FgIhAO6NggTlj/J00qmxkagg2mBZ
colOtERewKQIGTRRwVRSAHUAEvFONL1TckyEBhnDjz96E/jntWKHiJxtMAWE6+WG
JjoAAAGYlnF0owAABAMARjBEAiBiVyasybNzcO6CxnJN2SNPbYpkHDttkTtqaMfi
d9QYBAIgaTlFBY+o/x3YupcGBnGPHetyj4Uu82fAOplbcWUHz3AwCgYIKoZIzj0E
AwIDRwAwRAIgJhtyGLmhvN9NTrjXkSHMIYQJ7HSWcjw4O2P4Nw5fmnoCIBHatruL
jr4ViDG0QcyfOZW0QWR//OzHw7LkmHGcOuWT
-----END CERTIFICATE-----
subject=CN = zenarmor.net
issuer=C = US, O = Google Trust Services, CN = WE1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2827 bytes and written 406 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE

host updates.zenarmor.net
updates.zenarmor.net has address 104.26.13.173
updates.zenarmor.net has address 104.26.12.173
updates.zenarmor.net has address 172.67.74.209
updates.zenarmor.net has IPv6 address 2606:4700:20::681a:dad
updates.zenarmor.net has IPv6 address 2606:4700:20::ac43:4ad1
updates.zenarmor.net has IPv6 address 2606:4700:20::681a:cad

cat /etc/resolv.conf
domain DOMAIN
nameserver 127.0.0.1
nameserver 1.1.1.1
nameserver 8.8.8.8
September 17, 2025, 02:35:19 PM #1
Hi,

Did you check the system date and time?
September 17, 2025, 04:01:19 PM #2
sure. Time and date is okay.
September 18, 2025, 07:02:22 PM #3
i posted over here: https://forum.opnsense.org/index.php?topic=48962.0 but yea i am encountering the same issue
September 19, 2025, 11:54:55 AM #4
noone an idea?
September 19, 2025, 12:39:23 PM #5
Can confirm this is also happening on the Business Mirror.
September 19, 2025, 06:15:27 PM #6
Same issue here. I tried both Danish and US repositories.
September 19, 2025, 06:43:01 PM #7
Quote from: sammycda on September 19, 2025, 06:15:27 PMSame issue here. I tried both Danish and US repositories.

i dont think the opnsense mirrors do not have anything to do with the problem, the problem appears to be with the zenarmor repo
Code Select
pkg-static: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/packagesite.txz: Authentication error
September 20, 2025, 03:03:47 AM #8
Also having this error on 24.5.3 and trying all the commercial repos.
September 21, 2025, 06:20:11 AM #9
Hi all,

The issue has been identified and will be resolved on the repository server side. Thank you for your patience and understanding.
September 21, 2025, 01:26:11 PM #10 Last Edit: September 21, 2025, 02:36:27 PM by Smove99
Hi at all!

Sorry, but I'm still having this problem with Business 25.4.3.
Does the fix need more time on the repository servers?

Code Select
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 25.4.3 (amd64) at Sun Sep 21 13:19:38 CEST 2025
Strict TLS 1.3 and CRL checking is enabled.
Fetching subscription information, please wait... done
Fetching changelog information, please wait... done
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 908 packages processed.
Updating SunnyValley repository catalogue...
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020217E09280000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020217E09280000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020217E09280000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020217E09280000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020217E09280000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020217E09280000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/meta.txz: Authentication error
repository SunnyValley has no meta file, using default settings
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020217E09280000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020217E09280000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020217E09280000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/packagesite.pkg: Authentication error
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020217E09280000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020217E09280000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /CN=85bd57b0.sni.cloudflaressl.com (44)
0020217E09280000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: https://updates.zenarmor.net/opnsense/FreeBSD:14:amd64/25.1/${SUBSCRIPTION}/packagesite.txz: Authentication error
Unable to update repository SunnyValley
Error updating repositories!
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***
September 22, 2025, 04:50:18 PM #11
this is still happening, i only replying because you said it fixed server side.
September 22, 2025, 09:36:52 PM #12
Its pretty unacceptable to pay this much money for a product and the access to maintain it is down for over 4 days (and still counting).
September 23, 2025, 12:59:56 AM #13 Last Edit: September 23, 2025, 03:45:50 PM by dirtyfreebooter
this also makes all the plugins and packages "orphaned", preventing you for adding or removing any other packages, even ones not related to zenarmor.. if we aren't going to get a fix, can we at least get updates? like why its not getting fixed or taking longer than expected, so we aren't left in the dark?


September 23, 2025, 03:18:48 PM #14 Last Edit: September 23, 2025, 03:20:50 PM by sy
Hi all,

We are actively working on a solution. In the meantime, you can apply the following workaround to resolve the issue:

1. Log into the CLI as root.
2. Edit the files located at `/usr/local/etc/pkg/repos/SunnyValley.conf` and `/usr/local/etc/pkg/repos/SunnyValley.conf.sample`.
3. Replace "25.1" with "25.4" in both files.

After making this change, the URL should appear as follows: 

url: "https://updates.zenarmor.net/opnsense/${ABI}/25.4/latest",

Print
Go Up Pages1 2
User actions