cert fail update to 22.05 on 2100

GrizzlySoup

getting a certification failed error updating from 22.01 to 22.05 on a 2100

excerpt:

[191/222] Fetching gdbm-1.23.pkg: .......... done
[192/222] Fetching freetype2-2.11.1.pkg: .......... done
[193/222] Fetching fontconfig-2.13.94_2,1.pkg: .......... done
[194/222] Fetching filterlog-0.1_9.pkg: .. done
[195/222] Fetching filterdns-2.0_6.pkg: ... done
[196/222] Fetching expiretable-0.6_2.pkg: . done
1082953728:error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib:/var/jenkins/workspace/pfSense-build-release-tarballs/BUILD_NODE/pkg-aarch64/OS_MAJOR_VERSION/freebsd12/PLATFORM/aws/crypto/openssl/ssl/statem/statem_lib.c:283:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/CN=repo01.atx.netgate.com
1082953728:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-build-release-tarballs/BUILD_NODE/pkg-aarch64/OS_MAJOR_VERSION/freebsd12/PLATFORM/aws/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Child process pid=35019 terminated abnormally: Segmentation fault
Failed

jimp

Probably this:

https://docs.netgate.com/pfsense/en/latest/troubleshooting/upgrades.html#segmentation-fault-in-pkg

tl;dr the hardware needs a power cycle (halt gracefully, then remove power for a few seconds, then plug back in).

GrizzlySoup

@jimp
That is bizarre! Kind of scary actually. I'll give it a try. thx!

GrizzlySoup

It took me a while. But this worked. 1) Halt Netgate 2) unplug power 3) restart 4) run Update.

anthonys

@jimp Is there a reason that the pkg executable can't detect and handle this known cryptographic hardware issue, and rather than segmentation fault, exit less ungracefully with appropriate error messaging?

jimp

It does what it can on the most recent version(s) but IIRC there are a couple edge cases that the upstream library itself doesn't handle well that our outside of our control (or pkg). We try to find and replicate/fix them as we can.