Project

General

Profile

Bug #3691

Fetch error on HTTPS console update by URL

Added by Jim Pingle over 5 years ago. Updated over 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Upgrade
Target version:
Start date:
06/04/2014
Due date:
% Done:

100%

Estimated time:
Affected Version:
2.2
Affected Architecture:
All

Description

When performing a console update by URL from an HTTPS URL, fetch displays an error validating the certificate.

Fetching file...
looking up snapshots.pfsense.org
connecting to snapshots.pfsense.org:443
SSL options: 81004bff
Peer verification enabled
Using CA cert file: /etc/ssl/cert.pem
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
34380912584:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/pfSensesrc/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1167:
fetch: https://snapshots.pfsense.org/FreeBSD_stable/10//amd64/pfSense_HEAD/.updaters//latest.tgz: Authentication error

It appears to not know where the CA is, as this works when run manually

fetch --ca-cert=/usr/local/share/certs/ca-root-nss.crt https://snapshots.pfsense.org/FreeBSD_stable/10//amd64/pfSense_HEAD/.updaters//latest.tgz

Switching that to CURL may be better long-term.

Associated revisions

Revision 1c52509c (diff)
Added by Renato Botelho over 5 years ago

Fix #3691, use curl instead of fetch to download update files

Revision 764ac8c7 (diff)
Added by Renato Botelho over 5 years ago

Fix #3691, use curl instead of fetch to download update files

History

#1 Updated by Chris Buechler over 5 years ago

just needs a symlink.

 ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem 

#2 Updated by Renato Botelho over 5 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#4 Updated by Renato Botelho about 5 years ago

  • Status changed from Feedback to Resolved

#5 Updated by Willy Tenner over 4 years ago

I have only a question for understanding: I just looked into a running pfSense 2.2.1 and found no symlink, no hardlink, but two separate files of equal size and contents:

ls -li /usr/local/share/certs/ca-root-nss.crt
67112 -rw-r--r-- 1 root wheel 910032 Mar 13 14:49 /usr/local/share/certs/ca-root-nss.crt
ls -li /etc/ssl/cert.pem
45708 -rw-r--r-- 1 root wheel 910032 Mar 13 14:49 /etc/ssl/cert.pem
diff /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem

Is this the intended behavior? Otherwise we could save over 900kb of space with a symlink.

Kind regards.

Chris Buechler wrote:

just needs a symlink.

[...]

Also available in: Atom PDF