Bug #10729
Certificate verification failed for pkg.freebsd.org
Status: New
Priority: Normal
Assignee: -
Category: Package System
Target version: -
Start date: 07/05/2020
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.5-p1
Affected Architecture: SG-1100
Description
https://forum.netgate.com/topic/155037/pkg-add-authentication-error-connecting-to-pkg-freebsd-org-let-s-encrypt-cert:
I'm attempting to install some additional packages on SG-1100, but when I'm trying to use the pkg add command,
I'm getting an "Authentication error" returned due to what looks like a certificate verification issue:
[2.4.5-RELEASE][admin@pfsense]/root: pkg add -f https://pkg.freebsd.org/FreeBSD:11:aarch64/latest/All/snappy-1.1.6.txz
Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1086510128:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/factory-crossbuild-245-aarch64/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1086510128:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/factory-crossbuild-245-aarch64/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1086510128:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/factory-crossbuild-245-aarch64/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg: https://pkg.freebsd.org/FreeBSD:11:aarch64/latest/All/snappy-1.1.6.txz: Authentication error
No such issue on SG-3100:
[2.4.5-RELEASE][root@sg3100.home.int]/root: pkg add -f https://pkg.freebsd.org/FreeBSD:11:aarch64/latest/All/snappy-1.1.6.txz
Fetching snappy-1.1.6.txz: 100% 58 KiB 59.8kB/s 00:01
Installing snappy-1.1.6...
pkg: wrong architecture: FreeBSD:11:aarch64 instead of FreeBSD:11:armv6
Extracting snappy-1.1.6: 100%
Both appliances have the same ca_root_nss-3.51.
OpenSSL s_client output:
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = pkg.freebsd.org
verify return:1
---
Certificate chain
 0 s:/CN=pkg.freebsd.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=pkg.freebsd.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3567 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 3F3AF9F43A0A22D4BE70C62C56907D9BC0D7B506543787F1690A59D258269235
    Session-ID-ctx:
    Master-Key: 6FABF4232FE6E122C07ED8B1E49D8A466077DD4237E9BFFEDBF740B2204058A2FA05BD163057B02441F99A510B58AB7C
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1593929396
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
---