Upgrade to 22.05 Process Fails Cert Validation
-
1100 device attempts to upgrade using normal upgrade process and fails.
Looks like Certificate verification fails for repo01.atx.netgate.com and a nice seg fault to go with. System time is correct.
Ideas? Because I'm not touching the big appliance for upgrade until this is sorted.
-
Also happening when attempting to upgrade individual packages. Cert validation fails repo00.atx.netgate.com as well. Not good.
Ideas? Reboot did zero things to fix stuff.
Edit 1: a word.
-
pcap shows TLSv1.2 Client Hello, then Server Hello and immediately after that Certificate, Client Key Exchange, Alert Level: Fatal, Description: Internal Error.
After this, the setup attempt happens again, but ends with a very troubling Fatal alert this time: Unknown CA.
Not feeling good about pfSense appliance calling home and feeling like it doesn't know the CA related to the update server it's speaking with.
Fingerprint of server cert matches when pulled by openssl s_client on the device and when pulled from elsewhere in the world by the same method.
Ideas to try here?
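
The two fatal alerts named in the post above (Internal Error, then Unknown CA) travel as plaintext 2-byte TLS alert records when they are sent before ChangeCipherSpec. As an added example that is not part of the original thread, the Python below decodes such records from one direction's raw bytes; the function names and the sample bytes are constructed for illustration and are not taken from the poster's capture.

```python
import struct

# Subset of alert descriptions from RFC 5246 section 7.2.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
    51: "decrypt_error", 70: "protocol_version", 80: "internal_error",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
CONTENT_ALERT = 21  # TLS record content type for alerts


def iter_records(stream: bytes):
    """Yield (content_type, payload) for each TLS record in one direction's bytes."""
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError(f"truncated record header at offset {offset}")
        ctype, _major, _minor, length = struct.unpack_from("!BBBH", stream, offset)
        payload = stream[offset + 5:offset + 5 + length]
        if len(payload) != length:
            raise ValueError(f"truncated record body at offset {offset}")
        yield ctype, payload
        offset += 5 + length


def plaintext_alerts(stream: bytes):
    """Return [(level, description)] for alerts sent before encryption starts."""
    found = []
    for ctype, payload in iter_records(stream):
        # An encrypted alert (after ChangeCipherSpec) is longer than 2 bytes
        # and cannot be decoded without keys, so it is skipped here.
        if ctype == CONTENT_ALERT and len(payload) == 2:
            level, desc = payload
            found.append((ALERT_LEVELS.get(level, f"level_{level}"),
                          ALERT_DESCRIPTIONS.get(desc, f"alert_{desc}")))
    return found


# Constructed sample, not bytes from the poster's capture: the alert records of
# the two attempts, concatenated (in a real pcap they are separate connections).
SAMPLE = bytes.fromhex("1503030002" "0250" "1503030002" "0230")

if __name__ == "__main__":
    for level, description in plaintext_alerts(SAMPLE):
        print(f"{level}: {description}")
```

Which endpoint sent the alert matters when reading the result: an alert describes a failure on the sending side, so the source address of the record in the capture tells you which host to examine.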
-
pkg-static -d update
did not go well either. Opens libfetch fetcher, says connecting, shows trying to fetch meta.conf ... and then tls_construct_cert_verify starts complaining and then the cert validation failure and the final seg fault.
A second 1100 on the same outbound path does just fine though.
-
Contacted TAC who was amazingly fast (much appreciated, folks!) and requested a fresh installer download. Got it and will just do that.
Buuuuuut, before all that, if there are shenanigans afoot on the machine, I'd like to dig into that and find the who/what/where/how. Best way to image an 1100 for later perusal?
-
The segfault during cert validation on the SG-1100 is a known issue and happens if the crypto chip gets "stuck" in a certain mode. The only way to reset that chip is with a complete power-off reset. Simply rebooting the box does not do it.
Do a controlled shutdown of the box, verify it is actually halted (by being connected to the console if possible), then remove power for about 30 seconds. Restore power and see if it behaves better then.
The power cycle reset may well fix your issue and you will not need to re-image the appliance. But you will have the image to use if reinstall becomes necessary.
-
@bmeeks rgr that and thank you for the info. I did go ahead with the full reinstall just to be sure, but being able to reset is a good option and thank you for the reply.