Easylist update fails. Expired Cert
-
@jimmythedog Thanks! Good find on that Sophos link.
-
@jimmythedog That is both correct and incorrect.
The problem is that none of the chains presented by the server will end up chaining to the expired AddTrust cert UNLESS that is what is presented by the server. Server administrators SHOULD NOT be including the CA certificates that SHOULD be being pulled from the client's trusted root store in the first place. They should only be pushing as much of the chain as necessary to get the client chained into and pulling from its own trusted CA store.
Some clients (macOS, Windows) ignore superfluous certificates from the server and use their own store as soon as they have a match up the chain so they continue to validate even when the server admin makes a mistake.
Some (like OpenSSL in FreeBSD and CentOS at least) try to use what is pushed to them by the server. Those fail.
-
Well, now that I have made the modifications, Arpwatch now sends me these alerts:
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34374270280:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
fetch: https://files.pfsense.org/lists/fullbogons-ipv4.txt: Authentication error
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
{many more of these}
-
@drewsaur said in Easylist update fails. Expired Cert:
Well, now that I have made the modifications, Arpwatch now sends me these alerts:
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34374270280:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
fetch: https://files.pfsense.org/lists/fullbogons-ipv4.txt: Authentication error
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
{many more of these}
I'm also having this issue too. Looks like there's one more server that needs to be updated on pfSense's side?
-
@jsylvia007 This is something our IT team is aware of and they are working to resolve.
-
@costanzo Quick update: Got a response from @AdblockPlus via Twitter. They let their filter team know.
-
@jimmythedog Great, it works for me too, but you have to be careful while doing that. I recommend taking a backup of this file before starting this process.
Steps here if someone wants to follow:
After you access the file /usr/local/share/certs/ca-root-nss.crt, focus on this: "Not After : Jan 1 00:00:00 2020 GMT". Check the month and year; if expired, delete from "Certificate:" until "-----END CERTIFICATE-----". In my case, I found two. Then save and run update.
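-
Added example, not part of the original thread: a POSIX sh/awk sketch of the manual check described in the steps above, which lists or drops bundle entries whose "Not After" date has passed. The function names `scan_bundle` and `sample_bundle` and the sample entries are hypothetical, and the bundle is assumed to use the text-annotated layout quoted in the post.

```shell
# scan_bundle MODE FILE [NOW]   (hypothetical helper; FILE "-" reads stdin)
#   list  : print "stamp<TAB>subject" for every expired entry
#   strip : print FILE without expired entries; redirect into a NEW file
#   NOW   : UTC time as YYYYMMDDhhmmss, defaults to the current time
scan_bundle() {
    awk -v mode="$1" -v now="${3:-$(date -u +%Y%m%d%H%M%S)}" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    /^Certificate:/ { inent = 1; buf = ""; stamp = ""; subj = "" }
    !inent { if (mode == "strip") print; next }   # header comments, bare PEM
    {
        buf = buf $0 "\n"
        if ($0 ~ /Not After *:/) {                # e.g. "May 30 10:48:38 2020 GMT"
            na = $0; sub(/.*Not After *: */, "", na)
            split(na, f, " "); split(f[3], t, ":")
            stamp = sprintf("%04d%02d%02d%02d%02d%02d", f[4], mon[f[1]], f[2], t[1], t[2], t[3])
        }
        if ($0 ~ /^ *Subject:/) { subj = $0; sub(/^ *Subject: */, "", subj) }
        if ($0 ~ /^-----END CERTIFICATE-----/) {
            # Entries without a parsable date are kept, never silently dropped.
            expired = (stamp != "" && (stamp "") < (now ""))
            if (mode == "list" && expired) print stamp "\t" subj
            if (mode == "strip" && !expired) printf "%s", buf
            inent = 0
        }
    }' "$2"
}

# Constructed sample (not real certificate data): one expired entry, one valid.
sample_bundle() {
    cat <<'EOF'
## constructed sample bundle
Certificate:
            Not After : May 30 10:48:38 2020 GMT
        Subject: CN=Constructed Expired Root
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
Certificate:
            Not After : Jan  1 00:00:00 2038 GMT
        Subject: CN=Constructed Valid Root
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
EOF
}
sample_bundle | scan_bundle list - 20200612000000
```

The script trusts the human-readable annotation in the bundle rather than the certificate itself; `openssl x509 -noout -enddate` on an individual PEM block gives the authoritative date. Writing the `strip` output to a new file leaves the original bundle in place as the backup.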
-
@Alanesi I totally agree about backing up the file first.
-
Seems like they have fixed their Cert.
I don't see any errors using the pfBlockerNG default settings for EasyList.
-Rico
-
@Rico said in Easylist update fails. Expired Cert:
Seems like they have fixed their Cert.
I don't see any errors using the pfBlockerNG default settings for EasyList.
-Rico
Concur. Same here.
-
Fixed between 06/12/20 19:15:00 and 06/12/20 20:15:00 (UTC+1)
[ EasyList ] Downloading update .
cURL Error: 60
SSL certificate problem: certificate has expired Retry in 5 seconds...
.
cURL Error: 60
SSL certificate problem: certificate has expired Retry in 5 seconds...
.
cURL Error: 60
SSL certificate problem: certificate has expired Retry in 5 seconds...
.. unknown http status code | 0
[ DNSBL_EasyList - EasyList ] Download FAIL [ 06/12/20 19:15:28 ]

[ EasyList ] Downloading update .. 200 OK.
----------------------------------------------------------------------
Orig.    Unique    # Dups    # White    # TOP1M    Final
----------------------------------------------------------------------
2491     2452      5         0          0          2447
----------------------------------------------------------------------
[ EasyPrivacy ] Downloading update [ 06/12/20 20:15:17 ] .. 200 OK.
-Rico