Netgate Discussion Forum
    [Solved] need to add an upstream certificate for my FW.

    General pfSense Questions
    6 Posts 2 Posters 2.1k Views
    Anony_Moose

      So, here's a new one.

      I'm running pfSense in my test lab to mess with virtual routing and SDNs. My internet connection is provided by my school so I'm dealing with their MITM certificate for our Fortigate FW.

      I added the certificate to the system via CAs in the certs menu of the webconfigurator, but when trying to check for updates the system says it's up to date (which I know it's not), and when trying to update from console I get this:

      >>> Updating repositories metadata...
      Updating pfSense-core repository catalogue...
      pkg-static: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory
      Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/emailAddress=support@fortinet.com
      12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
      Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/emailAddress=support@fortinet.com
      12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
      pkg-static: https://pkg.pfsense.org/pfSense_v2_4_2_amd64-core/meta.txz: Authentication error
      repository pfSense-core has no meta file, using default settings
      Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/emailAddress=support@fortinet.com
      12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
      Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/emailAddress=support@fortinet.com
      12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
      pkg-static: https://pkg.pfsense.org/pfSense_v2_4_2_amd64-core/packagesite.txz: Authentication error
      Unable to update repository pfSense-core
      Updating pfSense repository catalogue...
      pkg-static: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory
      Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/emailAddress=support@fortinet.com
      12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
      Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/emailAddress=support@fortinet.com
      12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
      pkg-static: https://pkg.pfsense.org/pfSense_v2_4_2_amd64-pfSense_v2_4_2/meta.txz: Authentication error
      repository pfSense has no meta file, using default settings
      Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/emailAddress=support@fortinet.com
      12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
      Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/emailAddress=support@fortinet.com
      12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
      pkg-static: https://pkg.pfsense.org/pfSense_v2_4_2_amd64-pfSense_v2_4_2/packagesite.txz: Authentication error
      Unable to update repository pfSense
      

      I understand this isn't a normal requirement, but I'm not sure where to go from here. I've even tried appending the certificate to /usr/local/share/certs/ca-root-nss.crt.

      TLDR: I need to install a root CA but I can't for the life of me get pfSense to accept the certificate as valid.

      I'm not exactly sure what I'm doing here.

      Grimson

        There are two places where certificates are stored on pfSense:

        /usr/local/etc/ssl/cert.pem
        /usr/local/share/certs/ca-root-nss.crt

        so try to add your cert to the list in /usr/local/etc/ssl/cert.pem too.

        Anony_Moose

          @Grimson:

          There are two places where certificates are stored on pfSense:

          /usr/local/etc/ssl/cert.pem
          /usr/local/share/certs/ca-root-nss.crt

          so try to add your cert to the list in /usr/local/etc/ssl/cert.pem too.

          So I did this, and now both files are empty...

          Grimson

            @ipat8:

            So I did this, and now both files are empty...

            pfSense doesn't empty them, it might overwrite them during an update but nothing more than that. So take the backup you made (you did backup these files before editing them, didn't you?) and try again.

            Anony_Moose

              @Grimson:

              @ipat8:

              So I did this, and now both files are empty...

              pfSense doesn't empty them, it might overwrite them during an update but nothing more than that. So take the backup you made (you did backup these files before editing them, didn't you?) and try again.

              It's a VM, I'll just reinstall, but moreover, they are empty, and the templates are empty as well. I edited them through the webUI, so I'll try with vi and see if that makes a difference.

              Anony_Moose

                So, solution update. Editing the files via the webconfigurator was my problem. It seems as though the editor was saving blank files instead of my changes, and as such nothing was working. I edited the files with vi and the cert was accepted into the system. I do still have an issue with a different upstream cert, but I can fix that based on my fix with this one.

                Thanks for everyone's help, I'll try to add a guide on my site for this because I couldn't find anywhere online that referenced both files.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.