Telemetry status Failed to load widget - ETPRO Telemetry edition

Started by robert.haugen@gmail.com, September 18, 2025, 11:09:57 AM

Hi,

Yesterday, "Telemetry status Failed to load widget" appeared. Using ETPRO Telemetry edition.

Using curl from OPNsense:
OPNsense:~ # curl -v https://opnsense.emergingthreats.net/api/v1/telemetry
* Host opnsense.emergingthreats.net:443 was resolved.
* IPv6: (none)
* IPv4: 72.12.200.25
*   Trying 72.12.200.25:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* closing connection #0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

Hello, same problem here, but I don't understand how to fix it. Is some "how to" explanation available?

That is because curl does not trust the certificate for opnsense.emergingthreats.net, which is issued by Sectigo.

You can verify this via:

# curl -v https://opnsense.emergingthreats.net
* Host opnsense.emergingthreats.net:443 was resolved.
* IPv6: (none)
* IPv4: 72.12.200.25
*   Trying 72.12.200.25:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* closing connection #0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

IDK why it is not trusted, though, because the top-level issuer "Sectigo Public Server Authentication Root R46" CA seems to be present.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
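To make the diagnosis above checkable, here is an added Python example (not code from this thread or from OPNsense) that parses the "Certificate chain" summary printed by `openssl s_client -connect host:443 -showcerts` and reports whether path building stops at a missing intermediate, an untrusted root, or reaches a trusted root. The s_client output and the trust-store contents are constructed samples that mirror the situation in the curl trace.

```python
import re

# Constructed sample of the "Certificate chain" block from
# `openssl s_client -connect opnsense.emergingthreats.net:443 -showcerts`.
# Only the leaf is served, matching the single "Certificate (11)" message above.
LEAF_ONLY = """\
Certificate chain
 0 s:CN = opnsense.emergingthreats.net
   i:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA OV R36
---
"""
# Same server with the intermediate included in the handshake (constructed).
WITH_INTERMEDIATE = LEAF_ONLY.replace("---\n", """\
 1 s:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA OV R36
   i:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication Root R46
---
""")
# CNs of roots in the local store (/usr/share/certs/trusted on OPNsense);
# the thread confirms R46 is there and the OV R36 intermediate is not.
TRUSTED_CNS = {"Sectigo Public Server Authentication Root R46"}


def cn_of(dn):
    """Extract the CN from an s_client distinguished-name string."""
    m = re.search(r"\bCN\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else dn.strip()


def parse_chain(text):
    """Return (subject_cn, issuer_cn) pairs in served order, leaf first."""
    subjects = re.findall(r"^\s*\d+\s+s:(.*)$", text, re.M)
    issuers = re.findall(r"^\s*i:(.*)$", text, re.M)
    return [(cn_of(s), cn_of(i)) for s, i in zip(subjects, issuers)]


def diagnose(pairs, trusted):
    """Say why path building would stop at the end of the served chain."""
    if not pairs:
        return "no-chain"
    for (subj, issuer), (next_subj, _) in zip(pairs, pairs[1:]):
        if issuer != next_subj:  # served certs do not link to each other
            return f"broken-chain: {subj} -> {issuer} != {next_subj}"
    last_subj, last_issuer = pairs[-1]
    if last_subj in trusted or last_issuer in trusted:
        return "complete"  # path reaches a locally trusted root
    if last_subj == last_issuer:
        return f"untrusted-root: {last_subj}"
    # Not self-signed and issuer not in the store: an intermediate was omitted,
    # which OpenSSL reports as "unable to get local issuer certificate".
    return f"missing-intermediate: {last_issuer}"


if __name__ == "__main__":
    for name, sample in (("leaf only", LEAF_ONLY), ("with intermediate", WITH_INTERMEDIATE)):
        print(f"{name}: {diagnose(parse_chain(sample), TRUSTED_CNS)}")
```

Feed it the real `-showcerts` output and the CNs from your own trust store to see which of the two fixes discussed here (installing the missing intermediate locally, or the server sending it) actually applies.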

Quote from: meyergru on September 18, 2025, 01:12:02 PMThat is because curl does not trust the certificate for opnsense.emergingthreats.net, which is issued by Sectigo.

IDK why it is not trusted, though, because the top-level issuer "Sectigo Public Server Authentication Root R46" CA seems to be present.

Is the code that's handling the telemetry and signature trusting Sectigo?

An insecure fix:

Modify /usr/local/opnsense/scripts/suricata/lib/downloader.py:

        if str(url).split(':')[0].lower() in ('http', 'https'):
            frm_url = url.replace('//', '/').replace(':/', '://')
            # stream to temp file
            if frm_url not in self._download_cache:
                req_opts = {
                    'url': frm_url,
                    'stream': True,
                    'verify': False  # disables TLS certificate validation for every download
                }

Modify in /usr/local/opnsense/scripts/etpro_telemetry:

send_heartbeat.py
send_telemetry.py
sensor_info.py

parser.add_argument('-i', '--insecure', help='Insecure, skip certificate validation',
                    action="store_true", default=True)

Wouldn't finding the Sectigo intermediate - surely they publish it somewhere in the docs for their cert customers like everyone does - and importing it into OPNsense help?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Seems it's already on the server. I'm able to download it.

Quote from: Patrick M. Hausen on September 18, 2025, 05:26:01 PMWouldn't finding the Sectigo intermediate - surely they publish it somewhere in the docs for their cert customers like everyone does - and importing it into OPNsense help?

The intermediate cert is "Sectigo Public Server Authentication CA OV R36", which you can inspect and download with most browsers. I tried to import it into OPNsense's trust store via System: Trust: Certificates to no avail. I also tried importing the root CA "Sectigo Public Server Authentication Root R46", which already is in /usr/share/certs/trusted/Sectigo_Public_Server_Authentication_Root_R46.pem.

At least the curl test still failed with that, also when I explicitly specified the CA path with /usr/local/share/certs/trusted.

I think it does not work because it is not self-signed and thus not a root certificate. I even copied the file to /usr/share/certs/trusted and used "certctl rehash" to install it.

September 18, 2025, 07:54:09 PM #9 Last Edit: September 18, 2025, 08:02:40 PM by robert.haugen@gmail.com
Add Sectigo Public Server Authentication CA OV R36 to

Save this as a file with a text editor: Sectigo Public Server Authentication CA OV R36.pem

Copy the file to /usr/share/certs/trusted/ (WinSCP...)
Symlink the file into /etc/ssl/certs

Reboot

It works!

This is a temporary fix until they get the cert for opnsense.emergingthreats.net fixed!