No Updates or Packages

heper

whats the time on your pfsense system ? is ntp running?

if you clock is off … then ssl doesnt work

theflu

The time server is set to 0.pfsense.pool.ntp.org time.nist.gov
US/eastern

The time showing on the dashboard is correct with US/Eastern Time

johnpoz

Can you open https://updates.pfsense.org/_updaters/amd64/ in your browser?

cmb

Got something upstream of that, like a proxy/web content filter/similar doing SSL MITM? That should be the only reason you'd end up with that specific error. Try going to a command prompt and running:

fetch https://packages.pfsense.org 

and see what that results in.

johnpoz

I would think you would want to see -v

fetch https://packages.pfsense.org -v
looking up packages.pfsense.org
connecting to packages.pfsense.org:443
SSL options: 81004bff
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/cert.pem
Verify hostname
SSL connection established using ECDHE-RSA-AES256-GCM-SHA384
Certificate subject: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.pfsense.org
Certificate issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
requesting https://packages.pfsense.org/
local size / mtime: 23 / 1394690197
remote size / mtime: 23 / 1394690197
packages.pfsense.org                          100% of  23  B  80 kBps 00m00s

cmb

@johnpoz:

I would think you would want to see -v

That'd be even better. Just the fetch alone is enough to tell if it's failing the cert check or not there, but adding the -v will tell more as to why if it is.

doktornotor

I have seen this as well 2-3 times at well… 1000% sure there's no MITM proxy anywhere. Also, at times, it simply breaks with IPv6 intermittently.

johnpoz

to see if ipv6 issue couldn't you just set pfsense to prefer ipv4 and then it wouldn't try ipv6

theflu

It started working after a while don't know what I actually changed. I was making a  lot of changes to get the box to work in general.

KOM

You should always document what you change so that 1) you know what you did to fix the issue, 2) you can undo your changes if you break something.  I have had to clean up so many messes because my boss like to fiddle & play but doesn't know what he's doing, doesn't write anything down and doesn't remember what he did.

Logharn

Hi!
I'm having the same exact issue as the OP.
It's a fresh install that I'm building up.

2.2.2-RELEASE (amd64)
built on Mon Apr 13 20:10:22 CDT 2015
FreeBSD 10.1-RELEASE-p9

Results for "fetch https://packages.pfsense.org -v"

looking up packages.pfsense.org
connecting to packages.pfsense.org:443
SSL options: 81004bff
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/cert.pem
Verify hostname
SSL connection established using ECDHE-RSA-AES256-GCM-SHA384
Certificate subject: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.pfsense.org
Certificate issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
requesting https://packages.pfsense.org/
34381030760:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:/usr/pfSensesrc/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:1026:
fetch: transfer timed out

The error message is almost clear, I suppose.
Anyway:
Clock is working fine.
DNS resolution working.
Browsing to https://updates.pfsense.org/_updaters/amd64/ works.
I've disabled WAN IPv6.

Thanks.

francisvgarcia

Good night everyone,

I was having the same issue after implementing the Hurricane Electric's IPv6 tunnel service. I ended up checking "Prefer to use IPv4 even if IPv6 is available" in System: Advanced: Networking. This solved my problem and I didn't have to deactivate IPv6.

Good luck

Francis V Garcia