The package server's SSL certificate could not be verified.

NOYB

I wonder if this could be related to the issue I'm seeing with 2 url table aliases no longer able to download via ssl after upgrade from 2.2.5 to 2.2.6.  Even after a fresh full install.

https://forum.pfsense.org/index.php?topic=104392.0

USB memstick, i386, VGA

cmb

That's definitely indicative of a problem of some sort. If you go to a command prompt and run the following, what do you get?

fetch https://packages.pfsense.org

@NOYB:

I wonder if this could be related to the issue I'm seeing with 2 url table aliases no longer able to download via ssl after upgrade from 2.2.5 to 2.2.6. 
https://forum.pfsense.org/index.php?topic=104392.0

If you'd do what I asked in that thread and post back results there, maybe we could determine that.

ctirado

I get

$ fetch https://packages.pfsense.org
packages.pfsense.org                                     0  B    0  Bps

when I run that command on:

2.2.6-RELEASE (amd64)
built on Mon Dec 21 14:50:08 CST 2015
FreeBSD 10.1-RELEASE-p25

Carlos

cmb

@ctirado:

I get

$ fetch https://packages.pfsense.org
packages.pfsense.org                                     0  B    0  Bps

That's the correct expected output. I presume in your case your interest is re: the IPsec post you made, which is completely unrelated to what this thread is about. IPsec certificates are a completely different, separate component and their verification has no relation to fetch.

ctirado

No, I just thought it might be helpful. I was already remoted into my pfSense box and it only took a minute or two to put together the post.

Carlos

Darkk

I am getting this when trying to fetch it in the command prompt:

$ fetch https://packages.pfsense.org
No server SSL certificate
fetch: https://packages.pfsense.org: Authentication error

cmb

@Darkk:

I am getting this when trying to fetch it in the command prompt:

$ fetch https://packages.pfsense.org
No server SSL certificate
fetch: https://packages.pfsense.org: Authentication error

That's why. What files do you have in /usr/local/etc/ssl/?

Darkk

Just one file:

[2.2.6-RELEASE]/usr/local/etc/ssl: ls -l
total 960
-rw-r–r--  1 root  wheel  944280 Dec 21 13:20 cert.pem

Looking inside the pem file it's just a standard CA signed root certs.  Alot of them set to expire around 2020 to 2030

cmb

That looks correct. Exactly the same file size as it should be.

-rw-r--r--  1 root  wheel  944280 Dec 21 15:20 cert.pem

Guessing it likely matches this SHA.

: sha256 /usr/local/etc/ssl/cert.pem
SHA256 (/usr/local/etc/ssl/cert.pem) = 2629766a1e695df07dfcdc86eae7afa562a43f8d6d2a74a8e9eddccf5ece5dd6

Which does work.

: fetch -v https://packages.pfsense.org
looking up packages.pfsense.org
connecting to packages.pfsense.org:443
SSL options: 81004bff
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/cert.pem
Verify hostname
SSL connection established using ECDHE-RSA-AES256-GCM-SHA384
Certificate subject: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.pfsense.org
Certificate issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
requesting https://packages.pfsense.org/
remote size / mtime: 23 / 1394690197
packages.pfsense.org                          100% of   23  B  202 kBps 00m00s

litmk

I had this same problem. My certificates were also there and the sha256 matched. I finally rebooted and the problem was fixed.