Bug #10614
closed
Unable to update packages due to missing/invalid certs
Description
Fresh pfSense 2.4.5-RELEASE installation. The package manager in the web interface states "Unable to retrieve package information" when clicking the "Available Packages" tab. On the command line, "pkg update" reports numerous errors related to invalid/missing certificates. Packages such as ca_root_nss (which might fix this) thus cannot be installed via pkg on the command line.
Example output:
[2.4.5-RELEASE][admin@wanfirewall.localdomain]/root: pkg update
Updating pfSense-core repository catalogue...
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg: https://pkg.pfsense.org/pfSense_v2_4_5_amd64-core/meta.txz: Authentication error
repository pfSense-core has no meta file, using default settings
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg: https://pkg.pfsense.org/pfSense_v2_4_5_amd64-core/packagesite.txz: Authentication error
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg: https://pkg.pfsense.org/pfSense_v2_4_5_amd64-pfSense_v2_4_5/meta.txz: Authentication error
repository pfSense has no meta file, using default settings
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg: https://pkg.pfsense.org/pfSense_v2_4_5_amd64-pfSense_v2_4_5/packagesite.txz: Authentication error
Unable to update repository pfSense
Error updating repositories!
Similarly, the package repository name does not seem to resolve via an otherwise functional DNS setup.
[2.4.5-RELEASE][admin@wanfirewall.localdomain]/root: dig pkg.pfsense.org
; <<>> DiG 9.14.9 <<>> pkg.pfsense.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42917
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pkg.pfsense.org. IN A
;; AUTHORITY SECTION:
pfsense.org. 290 IN SOA ns1.netgate.com. admin.netgate.com. 201912020 3600 7200 1209600 3600
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat May 30 10:18:12 EDT 2020
;; MSG SIZE rcvd: 101
Then with a trace from root to eliminate local resolver issues:
[2.4.5-RELEASE][admin@wanfirewall.localdomain]/root: dig pkg.pfsense.org +trace
; <<>> DiG 9.14.9 <<>> pkg.pfsense.org +trace
;; global options: +cmd
. 85683 IN NS a.root-servers.net.
. 85683 IN NS b.root-servers.net.
. 85683 IN NS c.root-servers.net.
. 85683 IN NS d.root-servers.net.
. 85683 IN NS e.root-servers.net.
. 85683 IN NS f.root-servers.net.
. 85683 IN NS g.root-servers.net.
. 85683 IN NS h.root-servers.net.
. 85683 IN NS i.root-servers.net.
. 85683 IN NS j.root-servers.net.
. 85683 IN NS k.root-servers.net.
. 85683 IN NS l.root-servers.net.
. 85683 IN NS m.root-servers.net.
. 85683 IN RRSIG NS 8 0 518400 20200612050000 20200530040000 48903 . oT2vo5V8f3e3MObazDmiYGigJ2iWR4wRZ4kaN1x+zBCdIwEv0BUHqU4T Y+VTV/GUsU2HTT7juj+PQ2UCyVLPlvGKKrUNn0UDvxPdQGrFE76sjITD LQCnTubO3rxUvosWXh0wn2nIHikD0HA9iErV2JRoTtvlZsQdoZTQRbYU hYsRZh2xXCHb8wbMZgAKXhncqtgZshDK9Kos4KSBevMKFZlkmCwWe5SP Y+KuZ2TprBetjGujFuP1BbXzsWn/qy2m+s7ZIp5qKcSchHqZMRdBVkeI 9mG5maSse/hKaP2GTh3UKoZGbSvCUd+tCwbmReJmYravuCQzRglgwdJX uy7dIQ==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
org. 86400 IN DS 17883 7 1 38C5CF93B369C7557E0515FAAA57060F1BFB12C1
org. 86400 IN DS 17883 7 2 D889CAD790F01979E860D6627B58F85AB554E0E491FE06515F35548D 1EB4E6EE
org. 86400 IN RRSIG DS 8 1 86400 20200612050000 20200530040000 48903 . qM9rDBItAt1HVul9MGuGL/fooTI0Po6TCBym2NRMlmsii/XFumDbL3YP 1L54WbZ72pa0LhfzZ+pfLFp5yjOYdfSEAUHqei31xALMuaWAA6sWai1E wwCxV7aebT7tSMTVcSdFIBrWZj/grh3MOeF4T59RKqboAr4qpX9cJjJ+ JJR/QCjO7CbOIFD5CGYc2VxvUOXL9MmfG03Dih8VhewN/wWoMqfw9MHu IL/ckO+4bDrMGGvxybwDOk9JUQEXRQX/ZRJcgUQf/+rbbQoRKGVzmoGd /pB7hAiHLb+FHzaUi7HKpaZyNQgstZwnicR0bEBK1OYh8k2rypJsVCeT /Mlt2g==
;; Received 817 bytes from 199.7.91.13#53(d.root-servers.net) in 22 ms
pfsense.org. 86400 IN NS ns2.netgate.com.
pfsense.org. 86400 IN NS ns1.netgate.com.
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN NSEC3 1 1 1 D399EAAB H9PARR669T6U8O1GSG9E1LMITK4DEM0T NS SOA RRSIG DNSKEY NSEC3PARAM
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN RRSIG NSEC3 7 2 86400 20200620141737 20200530131737 27074 org. Rpi03/qZT3WYfwXbmYxdd4YaVgAU2FDSG/oxudDSorRfkT43PydaE0RZ NFOZTsUzRFXcuwdfI+XLz2Dr1+nWM+NwARnB8u9jdZvH3J1PbNM75egB i0ZhunSX8KqoJqV2Uzhjg9wFr5Usfj0GdKJBOj3DBrooA1PcpTZFUqlQ cEQ=
de3draqrbskiggnjhbft3q5d9kjhp0do.org. 86400 IN NSEC3 1 1 1 D399EAAB DE3VOAA2GTPA9A43D8BDIP43BMOTM0AQ NS DS RRSIG
de3draqrbskiggnjhbft3q5d9kjhp0do.org. 86400 IN RRSIG NSEC3 7 2 86400 20200615152106 20200525142106 27074 org. jx6lkSfzv5q9RK6GuZMyOwGUjCIq+/cufH0vnLEi7ZLdGvQwUBXbSp06 0Fmqj9Nwf0bVQApRvNEXFgYBYRRMnLLRIADVKVYrTpzXCAgoTGRaBBwk mdkqRx1NwSCkY+mvyyHIG3BbVPQ8YNDBKDtfkTZmswxD+rYOixbH80Ti Pc8=
;; Received 584 bytes from 199.19.56.1#53(a0.org.afilias-nst.info) in 89 ms
pfsense.org. 300 IN SOA ns1.netgate.com. admin.netgate.com. 201912020 3600 7200 1209600 3600
;; Received 101 bytes from 162.208.119.38#53(ns2.netgate.com) in 17 ms
Updated by Jim Pingle over 4 years ago
- Category set to Administrivia
- Status changed from New to Resolved
This was a server side issue and has been resolved.
Updated by sezer h over 4 years ago
Hi everyone,
First of all, you need to open this file: /usr/local/share/cert/ca-root-nss.txt
and you need to delete two certs:
AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
AddTrust TTP Network, CN=AddTrust Class 1 CA Root
And then you need to try again.
Don't forget to back up this file.
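
The workaround from the comment above (back up the bundle, then delete the two AddTrust entries), as an added shell example that is not part of the original thread. The function name prune_bundle and the bundle layout described in its comments are assumptions; call it with the bundle path and the two CNs named in the comment.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed bundle layout: every entry is
# an "openssl x509 -text" dump that starts with a line "Certificate:", has a
# "Subject: ..." line, and ends with "-----END CERTIFICATE-----".

# prune_bundle BUNDLE CN [CN...]  -> prints how many entries were removed
prune_bundle() {
    bundle=$1
    [ -f "$bundle" ] && [ $# -ge 2 ] || { echo "usage: prune_bundle BUNDLE CN..." >&2; return 2; }
    shift

    # Back up first; a backup from an earlier run is the pristine copy, keep it.
    [ -e "$bundle.bak" ] || cp -p "$bundle" "$bundle.bak" || return 2

    names=$1; shift
    for cn in "$@"; do names="$names|$cn"; done   # "|" as list separator

    tmp=$(mktemp "$bundle.XXXXXX") || return 2
    NAMES=$names awk '
        BEGIN { n = split(ENVIRON["NAMES"], want, "|") }
        # Text in front of an entry (file header, comments) is always kept.
        /^Certificate:[ \t\r]*$/ { printf "%s", buf; buf = ""; subj = "" }
        { buf = buf $0 "\n" }
        /^[ \t]*Subject:/ { subj = $0 }
        /^-----END CERTIFICATE-----/ {
            cn = subj
            sub(/^.*CN *= */, "", cn)       # accepts "CN=x" and "CN = x"
            sub(/[ \t\r]+$/, "", cn)
            drop = 0                        # exact CN match only, so a root
            for (i = 1; i <= n; i++)        # with a similar name is not lost
                if (cn == want[i]) drop = 1
            if (!drop) printf "%s", buf
            buf = ""; subj = ""
        }
        END { printf "%s", buf }
    ' "$bundle" > "$tmp" || { rm -f "$tmp"; return 2; }

    before=$(grep -c -- '-----END CERTIFICATE-----' "$bundle" || true)
    after=$(grep -c -- '-----END CERTIFICATE-----' "$tmp" || true)
    cat "$tmp" > "$bundle" || return 2      # overwrite in place: keeps owner/mode
    rm -f "$tmp"
    echo $((before - after))
}
```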