SSL certificate subject doesn't match host...
-
This might be related. I saw an error on my Version widget on the Dashboard that it was unable to check for updates so I ran pkg update from the command line and there seem to be some certificate errors. This was working fine earlier today and seems to have happened just in the last few hours (I've been troubleshooting some firewall rules so I've been in and out a lot today). This is an SG1100. I checked a different site and it's doing the same thing so it's Netgate, not me.
[22.01-RELEASE][admin@router.localdomain]/root: pkg update Updating pfSense-core repository catalogue... SSL certificate subject doesn't match host repo00.atx.netgate.com SSL certificate subject doesn't match host repo00.atx.netgate.com SSL certificate subject doesn't match host repo00.atx.netgate.com SSL certificate subject doesn't match host repo00.atx.netgate.com SSL certificate subject doesn't match host repo00.atx.netgate.com SSL certificate subject doesn't match host repo00.atx.netgate.com pkg: https://repo00.atx.netgate.com/pkg/pfSense_plus-v22_01_aarch64-core/meta.tx z: Authentication error repository pfSense-core has no meta file, using default settings SSL certificate subject doesn't match host repo00.atx.netgate.com SSL certificate subject doesn't match host repo00.atx.netgate.com SSL certificate subject doesn't match host repo00.atx.netgate.com pkg: https://repo00.atx.netgate.com/pkg/pfSense_plus-v22_01_aarch64-core/package site.pkg: Authentication error SSL certificate subject doesn't match host repo00.atx.netgate.com SSL certificate subject doesn't match host repo00.atx.netgate.com SSL certificate subject doesn't match host repo00.atx.netgate.com pkg: https://repo00.atx.netgate.com/pkg/pfSense_plus-v22_01_aarch64-core/package site.txz: Authentication error Unable to update repository pfSense-core Updating pfSense repository catalogue... SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com pkg: https://repo01.atx.netgate.com/pkg/pfSense_plus-v22_01_aarch64-pfSense_plus _v22_01/meta.txz: Authentication error repository pfSense has no meta file, using default settings SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com pkg: https://repo01.atx.netgate.com/pkg/pfSense_plus-v22_01_aarch64-pfSense_plus _v22_01/packagesite.pkg: Authentication error SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com pkg: https://repo01.atx.netgate.com/pkg/pfSense_plus-v22_01_aarch64-pfSense_plus _v22_01/packagesite.txz: Authentication error Unable to update repository pfSense Error updating repositories! -
@zitstif said in SSL certificate subject doesn't match host...:
any ideas
Yep : one !
Shut down your 1100 box cleanly, using Diagnostics > Halt System.
Power it down (remove the power).
Cool down 30 seconds.
Power it up.
Re test. -
@ex1580 Yep I'm pretty much getting the same error message any time I try to work with pkg:
Updating pfSense-core repository catalogue... SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com pkg: https://repo01.atx.netgate.com/pkg/pfSense_plus-v22_01_aarch64-core/meta.txz: Authentication error repository pfSense-core has no meta file, using default settings SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com pkg: https://repo01.atx.netgate.com/pkg/pfSense_plus-v22_01_aarch64-core/packagesite.pkg: Authentication error SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com pkg: https://repo01.atx.netgate.com/pkg/pfSense_plus-v22_01_aarch64-core/packagesite.txz: Authentication error Unable to update repository pfSense-core Updating pfSense repository catalogue... -
@gertjan Thanks for the input. I tried this and still no dice.
-
@johnpoz No.. I didn't just pull the power. lol I used the poweroff command then pulled the power. :-)
-
@zitstif yes. I have the same exact issue. Must be something at Netgate.
-
I'm not certain if this is related but if you look at the cert for 'repo01.atx.netgate.com' using your browser, the cert expires Monday, November 17, 2521 at 10:07:17 AM Eastern Standard Time.
Aren't legit SSL certs only supposed to be 13 months max in age?
-
This is what firefox says if you go to the site. I can see the packages just fine in the web browser
-
First picture was from http:// If you put https:// in front of it you get a 400 error
-
@mheidelberger here is the thing, those sorts of tests are not always valid for for stuff like this.
Pretty sure you have to auth with cert from pfsense to be able to access that stuff.
Must be something at Netgate.
If that was the case why is it working fine for me? Now that @Gertjan mentioned complete power down... I do recall some threads where sim sort of issue, and the correction was to do a complete power down reboot. Let me see if can dig up those old thread I think @stephenw10 had supplied info related to the issue in those old thread(s)
-
@johnpoz I halted my system and unplugged my power cable for 5 minutes. Plugged back in power cable and booted up. Problem remains.
-
@johnpoz I think you're thinking of
https://docs.netgate.com/pfsense/en/latest/troubleshooting/upgrades.html#segmentation-fault-in-pkg which is a different error. And IIRC was fixed after upgrading to either 21.05 or 22.01 (don't recall which).@zitstif What are you upgrading? (to 22.01?)
22.05 RC has been out, it might be possible they are prepping for release... in which case if you're upgrading packages be sure to get them for the correct pfSense version.
Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
Upvote 👍 helpful posts! -
Of the Netgate hardware I can check at the moment I only have a couple of SG1100s running pfSense Plus (22.01-RELEASE) and it is happening on both of them (on different sides of the USA no less). One of those is pretty basic, no packages to speak of. I did also check a test VM I use running pfSense CE (2.6.0-RELEASE) and that one is working fine. This might be one of those really specific issues and I am fairly certain that a reboot is not going to fix it.
-
@steveits yeah prob right, but why I said sim sort of issue ;) hehehe
I don't have a sg1100 to test with.. But your theory of prep for 22.05 release could be on to something.
-
@zitstif I'm getting the same issue as well with a new SG-1100. Just picked it up today.
-
-
S SteveITS referenced this topic on
-
@steveits I'm already on 22.01:
[22.01-RELEASE][admin@firewallname]/root: uname -a
FreeBSD firewallname 12.3-STABLE FreeBSD 12.3-STABLE plus-RELENG_22_01-n202637-97cc5c23e13 pfSense arm64I just check for updates on a regular basis.
I ran into this issue just today and was wondering if there was something wrong with my setup. -
@zitstif One could say that 21.05 supercedes the version we are running. After it will take the official place of stable version. However to change over this system requires some background changes the could cause some confusion to those that are only running a stable version. The system that the firewall is referencing to check for updates would be adapted to show the newest version. Again that RC version we are not running running as it is marked RC or release candidate. Once it becomes officially the new stable version I hope it will show are a new update ready to install. Netgate may be currently going through a update normalization to move all over to a new stable version.
-
And now everything is working.
-
@jbreaux yep working for me!
