Bug #3691
closedFetch error on HTTPS console update by URL
100%
Description
When performing a console update by URL from an HTTPS URL, fetch displays an error validating the certificate.
Fetching file... looking up snapshots.pfsense.org connecting to snapshots.pfsense.org:443 SSL options: 81004bff Peer verification enabled Using CA cert file: /etc/ssl/cert.pem Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2 34380912584:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/pfSensesrc/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1167: fetch: https://snapshots.pfsense.org/FreeBSD_stable/10//amd64/pfSense_HEAD/.updaters//latest.tgz: Authentication error
It appears to not know where the CA is, as this works when run manually
fetch --ca-cert=/usr/local/share/certs/ca-root-nss.crt https://snapshots.pfsense.org/FreeBSD_stable/10//amd64/pfSense_HEAD/.updaters//latest.tgz
Switching that to CURL may be better long-term.
Updated by Chris Buechler over 10 years ago
just needs a symlink.
ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
Updated by Renato Botelho over 10 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 1c52509cabc014ca55e07548338b3990bfc2ace9.
Updated by Renato Botelho over 10 years ago
Applied in changeset 764ac8c73a7529740b80773d6c8bf44c3a2244df.
Updated by Renato Botelho over 10 years ago
- Status changed from Feedback to Resolved
Updated by Willy Tenner almost 10 years ago
I have only a question for understanding: I just looked into a running pfSense 2.2.1 and found no symlink, no hardlink, but two separate files of equal size and contents:
ls -li /usr/local/share/certs/ca-root-nss.crt
67112 -rw-r--r-- 1 root wheel 910032 Mar 13 14:49 /usr/local/share/certs/ca-root-nss.crt
ls -li /etc/ssl/cert.pem
45708 -rw-r--r-- 1 root wheel 910032 Mar 13 14:49 /etc/ssl/cert.pem
diff /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
Is this the intended behavior? Otherwise we could save over 900kb of space with a symlink.
Kind regards.
Chris Buechler wrote:
just needs a symlink.
[...]