Netgate Discussion Forum

    upgrade woes - openssl SSL alert

      j3hst3r

      Hey there,

      I've gone through old posts and other websites to try and find the answer but nothing seems to work. I am unable to access 'available packages' or even attempt to update via CLI.

      Unable to update repository pfSense-core
      Updating pfSense repository catalogue...
      1082822656:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 51
      1082822656:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 51
      1082822656:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 51
      1082822656:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 51
      pkg-static: https://repo01.atx.netgate.com/pkg/pfSense_plus-v22_05_aarch64-pfSense_plus_v22_05/meta.txz: Authentication error
      repository pfSense has no meta file, using default settings
      1082822656:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 51
      1082822656:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 51
      pkg-static: https://repo01.atx.netgate.com/pkg/pfSense_plus-v22_05_aarch64-pfSense_plus_v22_05/packagesite.pkg: Authentication error
      1082822656:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 51
      1082822656:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 51
      pkg-static: https://repo01.atx.netgate.com/pkg/pfSense_plus-v22_05_aarch64-pfSense_plus_v22_05/packagesite.txz: Authentication error

      I am running a Netgate 1100 and haven't had an issue before. Anybody hit this issue before?

      And yes, I have power cycled the box (unplugged, waited a minute, plugged back in [thus, I have tried turning it off and on again])

      Thanks

        stephenw10 Netgate Administrator

        Hmm, that was a known issue during 22.05 development but should be fixed in the release images. Has that been running release for some time?

        Try running at the command line:

        pkg-static -d update
        

        Should show that same error but with more debug output.
        Then try:

        pkg -d update
        

        That may succeed.

        Steve

          j3hst3r @j3hst3r

          For more information, there seems to be a local cert issue? Not sure why, I never changed anything in terms of the certificates in the cert store:

          curl -vvv https://repo01.atx.netgate.com

          * Trying 208.123.73.209:443...
          * Connected to repo01.atx.netgate.com (208.123.73.209) port 443 (#0)
          * ALPN: offers h2
          * ALPN: offers http/1.1
          * CAfile: /usr/local/share/certs/ca-root-nss.crt
          * CApath: none
          * TLSv1.3 (OUT), TLS handshake, Client hello (1):
          * TLSv1.3 (IN), TLS handshake, Server hello (2):
          * TLSv1.2 (IN), TLS handshake, Certificate (11):
          * TLSv1.2 (OUT), TLS alert, unknown CA (560):
          * SSL certificate problem: unable to get local issuer certificate
          * Closing connection 0
          curl: (60) SSL certificate problem: unable to get local issuer certificate
          More details here: https://curl.se/docs/sslcerts.html

          curl failed to verify the legitimacy of the server and therefore could not
          establish a secure connection to it. To learn more about this situation and
          how to fix it, please visit the web page mentioned above.

            stephenw10 Netgate Administrator

            Yes, that's expected to fail unless you pass the client cert with the request.

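Added example, not part of the thread and not Netgate's code: a small decoder for the two kinds of TLS failure lines quoted in the posts above, showing which alert each one carries and which side raised it. It assumes the OpenSSL 1.1.x packed error-code layout (suggested by the 8-hex-digit code in the log) and curl's verbose alert format; the function and constant names are hypothetical.

```python
import re

# TLS alert descriptions (RFC 5246 / RFC 8446); only the ones useful for this thread.
ALERTS = {42: "bad_certificate", 46: "certificate_unknown",
          48: "unknown_ca", 51: "decrypt_error"}
LEVELS = {1: "warning", 2: "fatal"}
ERR_LIB_SSL = 20  # libssl's library number in OpenSSL error codes

OSSL_RE = re.compile(r"^\s*\d+:error:([0-9A-Fa-f]{8}):[^:]*:([^:]*):([^:]*):")
CURL_RE = re.compile(r"\((IN|OUT)\), TLS alert, .*\((\d+)\):")

def decode_openssl(line):
    """Unpack an OpenSSL 1.1.x error line: code = lib<<24 | func<<12 | reason."""
    m = OSSL_RE.match(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    out = {"lib": lib, "func": func, "reason": reason,
           "where": m.group(2), "alert": None, "direction": None}
    # libssl reasons 1000+N mean "TLS alert N arrived from the peer".
    if lib == ERR_LIB_SSL and reason >= 1000:
        out["alert"] = ALERTS.get(reason - 1000, f"alert_{reason - 1000}")
        out["direction"] = "received"
    return out

def decode_curl(line):
    """curl -v prints an alert as (level << 8 | description)."""
    m = CURL_RE.search(line)
    if not m:
        return None
    value = int(m.group(2))
    return {"direction": "sent" if m.group(1) == "OUT" else "received",
            "level": LEVELS.get(value >> 8, str(value >> 8)),
            "alert": ALERTS.get(value & 0xFF, f"alert_{value & 0xFF}")}

# Sample input: one line of each kind, taken from the posts above.
PKG_LINE = ("1082822656:error:1409441B:SSL routines:ssl3_read_bytes:"
            "tlsv1 alert decrypt error:/usr/src/crypto/openssl/ssl/record/"
            "rec_layer_s3.c:1544:SSL alert number 51")
CURL_LINE = "* TLSv1.2 (OUT), TLS alert, unknown CA (560):"

if __name__ == "__main__":
    print(decode_openssl(PKG_LINE))  # alert 51, received by pkg-static
    print(decode_curl(CURL_LINE))    # alert 48, sent by curl
```

The two lines describe different failures: pkg-static received decrypt_error from the repository server (a handshake cryptographic check failed on the server side), while curl itself sent unknown_ca because it could not build the server's chain from its CA file.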

              j3hst3r @stephenw10

              @stephenw10

              I've done each one. The initial post was pfSense-upgrade -d but all pkg commands or pfSense-upgrade fail with the same :(

              And yes, you're right, I just passed -k and handshake went through

                j3hst3r @stephenw10

                @stephenw10

                pkg -d update:

                DBG(1)[5558]> PkgRepo: extracting packagesite.yaml of repo pfSense
                DBG(1)[18095]> PkgRepo: extracting signature of repo in a sandbox
                pkg: No trusted public keys found
                Unable to update repository pfSense
                Error updating repositories!

                pkg-static -d update throws the same as pfSense-upgrade -d

                and this 120 seconds post time restriction due to reputation is lame :)

                  stephenw10 Netgate Administrator

                  So fails with both pkg and pkg-static?

                  Last time I saw this it was due to an older version of pkg-static being incorrectly installed by a package.

                    stephenw10 Netgate Administrator

                    Well I can try to fix your reputation....

                      j3hst3r @stephenw10

                      @stephenw10
                      pkg -v is 1.18.3 -- is this accurate?

                        stephenw10 Netgate Administrator

                        Hmm, no that's actually newer than the 22.05 repo version:

                        Command history storage is enabled. Clear history with: history -c; history -S.
                        [22.05-RELEASE][admin@2100-3.stevew.lan]/root: pkg -v
                        1.17.5
                        [22.05-RELEASE][admin@2100-3.stevew.lan]/root: pkg-static -v
                        1.17.5
                        

                        Checking....

                          j3hst3r

                          For those who are still watching... the HOW of the issue is unclear but regardless, I'm just resetting the box to move on with life...

                          thanks @stephenw10 for the help

                          thread closed

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.