No Updates or Packages

theflu · Apr 20, 2015, 5:04 PM

I can't get my pfsense box to up or install packages.

2.2.2-RELEASE (amd64)
built on Mon Apr 13 20:10:22 CDT 2015
FreeBSD 10.1-RELEASE-p9

It is setup as a transparent firewall.

I have checked DNS resolution and its working.
I can ping the update server and package server.
I also did a traceroute to the servers.

Errors I get:

The package server's SSL certificate could not be verified. The SSL certificate itself may be invalid, its chain of trust may have failed validation, or the server may have been impersonated. Downloaded packages may come from an untrusted source. Proceed with caution.

Unable to communicate with https://packages.pfsense.org. Please verify DNS and interface configuration, and that pfSense has functional Internet connectivity.

Downloading new version information…done
Unable to check for updates.
Could not contact pfSense update server https://updates.pfsense.org/_updaters/amd64

heper · Apr 20, 2015, 5:07 PM

whats the time on your pfsense system ? is ntp running?

if you clock is off … then ssl doesnt work

theflu · Apr 20, 2015, 5:12 PM

The time server is set to 0.pfsense.pool.ntp.org time.nist.gov
US/eastern

The time showing on the dashboard is correct with US/Eastern Time

johnpoz · Apr 20, 2015, 8:21 PM

Can you open https://updates.pfsense.org/_updaters/amd64/ in your browser?

cmb · Apr 21, 2015, 12:15 AM

Got something upstream of that, like a proxy/web content filter/similar doing SSL MITM? That should be the only reason you'd end up with that specific error. Try going to a command prompt and running:

fetch https://packages.pfsense.org

and see what that results in.

johnpoz · Apr 21, 2015, 2:25 AM

I would think you would want to see -v

fetch https://packages.pfsense.org -v
looking up packages.pfsense.org
connecting to packages.pfsense.org:443
SSL options: 81004bff
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/cert.pem
Verify hostname
SSL connection established using ECDHE-RSA-AES256-GCM-SHA384
Certificate subject: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.pfsense.org
Certificate issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
requesting https://packages.pfsense.org/
local size / mtime: 23 / 1394690197
remote size / mtime: 23 / 1394690197
packages.pfsense.org 100% of 23 B 80 kBps 00m00s

cmb · Apr 21, 2015, 4:19 AM

@johnpoz:

I would think you would want to see -v

That'd be even better. Just the fetch alone is enough to tell if it's failing the cert check or not there, but adding the -v will tell more as to why if it is.

doktornotor · Apr 21, 2015, 6:29 AM

I have seen this as well 2-3 times at well… 1000% sure there's no MITM proxy anywhere. Also, at times, it simply breaks with IPv6 intermittently.

johnpoz · Apr 21, 2015, 1:01 PM

to see if ipv6 issue couldn't you just set pfsense to prefer ipv4 and then it wouldn't try ipv6

theflu · Apr 29, 2015, 3:12 PM

It started working after a while don't know what I actually changed. I was making a lot of changes to get the box to work in general.

KOM · Apr 29, 2015, 4:46 PM

You should always document what you change so that 1) you know what you did to fix the issue, 2) you can undo your changes if you break something. I have had to clean up so many messes because my boss like to fiddle & play but doesn't know what he's doing, doesn't write anything down and doesn't remember what he did.

Logharn · May 1, 2015, 4:19 PM

Hi!
I'm having the same exact issue as the OP.
It's a fresh install that I'm building up.

2.2.2-RELEASE (amd64)
built on Mon Apr 13 20:10:22 CDT 2015
FreeBSD 10.1-RELEASE-p9

Results for "fetch https://packages.pfsense.org -v"

looking up packages.pfsense.org
connecting to packages.pfsense.org:443
SSL options: 81004bff
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/cert.pem
Verify hostname
SSL connection established using ECDHE-RSA-AES256-GCM-SHA384
Certificate subject: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.pfsense.org
Certificate issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
requesting https://packages.pfsense.org/
34381030760:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:/usr/pfSensesrc/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:1026:
fetch: transfer timed out

The error message is almost clear, I suppose.
Anyway:
Clock is working fine.
DNS resolution working.
Browsing to https://updates.pfsense.org/_updaters/amd64/ works.
I've disabled WAN IPv6.

Thanks.

francisvgarcia · May 6, 2015, 12:27 AM

Good night everyone,

I was having the same issue after implementing the Hurricane Electric's IPv6 tunnel service. I ended up checking "Prefer to use IPv4 even if IPv6 is available" in System: Advanced: Networking. This solved my problem and I didn't have to deactivate IPv6.

Good luck

Francis V Garcia