Bug #10614

closed

Unable to update packages due to missing/invalid certs

Added by alzee bum almost 4 years ago. Updated almost 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Administrivia
Target version:
-
Start date:
05/30/2020
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.5
Affected Architecture:

Description

Fresh pfSense 2.4.5-RELEASE installation. The package manager in the web interface states "Unable to retrieve package information" when clicking the "Available Packages" tab. On the command line, "pkg update" reports numerous errors related to invalid/missing certificates. Packages such as ca_root_nss (which might fix this) thus cannot be installed via pkg on the command line.

Example output:

[2.4.5-RELEASE][admin@wanfirewall.localdomain]/root: pkg update
Updating pfSense-core repository catalogue...
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg: https://pkg.pfsense.org/pfSense_v2_4_5_amd64-core/meta.txz: Authentication error
repository pfSense-core has no meta file, using default settings
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg: https://pkg.pfsense.org/pfSense_v2_4_5_amd64-core/packagesite.txz: Authentication error
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg: https://pkg.pfsense.org/pfSense_v2_4_5_amd64-pfSense_v2_4_5/meta.txz: Authentication error
repository pfSense has no meta file, using default settings
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg: https://pkg.pfsense.org/pfSense_v2_4_5_amd64-pfSense_v2_4_5/packagesite.txz: Authentication error
Unable to update repository pfSense
Error updating repositories!

Similarly, the package repository name does not seem to resolve via an otherwise functional DNS setup.

[2.4.5-RELEASE][admin@wanfirewall.localdomain]/root: dig pkg.pfsense.org

; <<>> DiG 9.14.9 <<>> pkg.pfsense.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42917
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pkg.pfsense.org.               IN      A

;; AUTHORITY SECTION:
pfsense.org.            290     IN      SOA     ns1.netgate.com. admin.netgate.com. 201912020 3600 7200 1209600 3600

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat May 30 10:18:12 EDT 2020
;; MSG SIZE  rcvd: 101

Then with a trace from root to eliminate local resolver issues:

[2.4.5-RELEASE][admin@wanfirewall.localdomain]/root: dig pkg.pfsense.org +trace

; <<>> DiG 9.14.9 <<>> pkg.pfsense.org +trace
;; global options: +cmd
.                       85683   IN      NS      a.root-servers.net.
.                       85683   IN      NS      b.root-servers.net.
.                       85683   IN      NS      c.root-servers.net.
.                       85683   IN      NS      d.root-servers.net.
.                       85683   IN      NS      e.root-servers.net.
.                       85683   IN      NS      f.root-servers.net.
.                       85683   IN      NS      g.root-servers.net.
.                       85683   IN      NS      h.root-servers.net.
.                       85683   IN      NS      i.root-servers.net.
.                       85683   IN      NS      j.root-servers.net.
.                       85683   IN      NS      k.root-servers.net.
.                       85683   IN      NS      l.root-servers.net.
.                       85683   IN      NS      m.root-servers.net.
.                       85683   IN      RRSIG   NS 8 0 518400 20200612050000 20200530040000 48903 . oT2vo5V8f3e3MObazDmiYGigJ2iWR4wRZ4kaN1x+zBCdIwEv0BUHqU4T Y+VTV/GUsU2HTT7juj+PQ2UCyVLPlvGKKrUNn0UDvxPdQGrFE76sjITD LQCnTubO3rxUvosWXh0wn2nIHikD0HA9iErV2JRoTtvlZsQdoZTQRbYU hYsRZh2xXCHb8wbMZgAKXhncqtgZshDK9Kos4KSBevMKFZlkmCwWe5SP Y+KuZ2TprBetjGujFuP1BbXzsWn/qy2m+s7ZIp5qKcSchHqZMRdBVkeI 9mG5maSse/hKaP2GTh3UKoZGbSvCUd+tCwbmReJmYravuCQzRglgwdJX uy7dIQ==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

org.                    172800  IN      NS      a0.org.afilias-nst.info.
org.                    172800  IN      NS      a2.org.afilias-nst.info.
org.                    172800  IN      NS      b0.org.afilias-nst.org.
org.                    172800  IN      NS      b2.org.afilias-nst.org.
org.                    172800  IN      NS      c0.org.afilias-nst.info.
org.                    172800  IN      NS      d0.org.afilias-nst.org.
org.                    86400   IN      DS      17883 7 1 38C5CF93B369C7557E0515FAAA57060F1BFB12C1
org.                    86400   IN      DS      17883 7 2 D889CAD790F01979E860D6627B58F85AB554E0E491FE06515F35548D 1EB4E6EE
org.                    86400   IN      RRSIG   DS 8 1 86400 20200612050000 20200530040000 48903 . qM9rDBItAt1HVul9MGuGL/fooTI0Po6TCBym2NRMlmsii/XFumDbL3YP 1L54WbZ72pa0LhfzZ+pfLFp5yjOYdfSEAUHqei31xALMuaWAA6sWai1E wwCxV7aebT7tSMTVcSdFIBrWZj/grh3MOeF4T59RKqboAr4qpX9cJjJ+ JJR/QCjO7CbOIFD5CGYc2VxvUOXL9MmfG03Dih8VhewN/wWoMqfw9MHu IL/ckO+4bDrMGGvxybwDOk9JUQEXRQX/ZRJcgUQf/+rbbQoRKGVzmoGd /pB7hAiHLb+FHzaUi7HKpaZyNQgstZwnicR0bEBK1OYh8k2rypJsVCeT /Mlt2g==
;; Received 817 bytes from 199.7.91.13#53(d.root-servers.net) in 22 ms

pfsense.org.            86400   IN      NS      ns2.netgate.com.
pfsense.org.            86400   IN      NS      ns1.netgate.com.
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN NSEC3 1 1 1 D399EAAB H9PARR669T6U8O1GSG9E1LMITK4DEM0T NS SOA RRSIG DNSKEY NSEC3PARAM
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN RRSIG NSEC3 7 2 86400 20200620141737 20200530131737 27074 org. Rpi03/qZT3WYfwXbmYxdd4YaVgAU2FDSG/oxudDSorRfkT43PydaE0RZ NFOZTsUzRFXcuwdfI+XLz2Dr1+nWM+NwARnB8u9jdZvH3J1PbNM75egB i0ZhunSX8KqoJqV2Uzhjg9wFr5Usfj0GdKJBOj3DBrooA1PcpTZFUqlQ cEQ=
de3draqrbskiggnjhbft3q5d9kjhp0do.org. 86400 IN NSEC3 1 1 1 D399EAAB DE3VOAA2GTPA9A43D8BDIP43BMOTM0AQ NS DS RRSIG
de3draqrbskiggnjhbft3q5d9kjhp0do.org. 86400 IN RRSIG NSEC3 7 2 86400 20200615152106 20200525142106 27074 org. jx6lkSfzv5q9RK6GuZMyOwGUjCIq+/cufH0vnLEi7ZLdGvQwUBXbSp06 0Fmqj9Nwf0bVQApRvNEXFgYBYRRMnLLRIADVKVYrTpzXCAgoTGRaBBwk mdkqRx1NwSCkY+mvyyHIG3BbVPQ8YNDBKDtfkTZmswxD+rYOixbH80Ti Pc8=
;; Received 584 bytes from 199.19.56.1#53(a0.org.afilias-nst.info) in 89 ms

pfsense.org.            300     IN      SOA     ns1.netgate.com. admin.netgate.com. 201912020 3600 7200 1209600 3600
;; Received 101 bytes from 162.208.119.38#53(ns2.netgate.com) in 17 ms

Actions #1

Updated by Jim Pingle almost 4 years ago

  • Category set to Administrivia
  • Status changed from New to Resolved

This was a server side issue and has been resolved.

Actions #2

Updated by sezer huseyin almost 4 years ago

Hi everyone,

First of all, you need to open this file: /usr/local/share/cert/ca-root-nss.txt

and you need to delete two certs:

AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
AddTrust TTP Network, CN=AddTrust Class 1 CA Root

and then you need to try again.

Don't forget to back up this file.
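
The manual edit described in comment #2 (back up the bundle, then delete the two AddTrust roots) can be scripted as below. This is an added example, not code from the ticket or from pfSense; the function names, the bundle path argument and the sample data are hypothetical, and it assumes each root is stored as an `openssl x509 -text` dump followed by its PEM block.

```shell
#!/bin/sh
# Added example, not from the ticket. Assumption: each root in the bundle is an
# `openssl x509 -text` dump ("Certificate:" ... "Subject: ...") followed by its
# PEM block, the layout the FreeBSD ca_root_nss bundle uses.

# strip_roots BUNDLE REGEX
# Copies BUNDLE to BUNDLE.bak, removes every record whose Subject line matches
# REGEX, and prints how many records were removed.
strip_roots() {
    bundle=$1; pattern=$2
    cp -p "$bundle" "$bundle.bak" || return 1
    tmp=$(mktemp "$bundle.XXXXXX") || return 1
    awk -v pat="$pattern" -v out="$tmp" '
        /^Certificate:/ { inrec = 1; buf = ""; drop = 0 }
        inrec {
            buf = buf $0 "\n"
            if ($0 ~ /^ *Subject:/ && $0 ~ pat) drop = 1
            if ($0 ~ /^-----END CERTIFICATE-----/) {
                if (drop) { removed++ } else { printf "%s", buf > out }
                inrec = 0
            }
            next
        }
        { print > out }                 # text outside any record is kept
        END { if (inrec) printf "%s", buf > out; print removed + 0 }
    ' "$bundle" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$bundle" && rm -f "$tmp"   # keeps the bundle's mode and owner
}

# make_sample PATH: writes a constructed three-root bundle (PEM bodies are fake).
make_sample() {
    for cn in "AddTrust External CA Root" "AddTrust Class 1 CA Root" \
              "USERTrust RSA Certification Authority"; do
        printf 'Certificate:\n    Data:\n        Subject: O=Example, CN=%s\n' "$cn"
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
                      '-----END CERTIFICATE-----'
    done > "$1"
}

# Demo on a scratch copy; on a firewall BUNDLE would be the real trust store.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/bundle.crt"
echo "removed: $(strip_roots "$demo_dir/bundle.crt" 'CN=AddTrust (External|Class 1) CA Root')"
```

Compare the result with the `.bak` copy before retrying `pkg update`, so that only the intended roots have left the trust store.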
