Having problems with Firewall Aliases URLs not working since update to 2.4.5-p1
-
@IsaacFL Successfully added https://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone to my fw aliases on 2.4.5-p1
or is this error only occurring on updates?
-
@viktor_g
It occurred on the update, but even after deleting them, I can't recreate them. I always get:
The following input errors were detected: Unable to fetch usable data from URL https://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone
At least I know it is on my end.
-
are you able to fetch it manually from pfSense?
# fetch https://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone
in command line
-
@viktor_g said in Having problems with Firewall Aliases URLs not working since update to 2.4.5-p1:
fetch https://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone
This is the error I got:
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root 34374270280:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269: fetch: https://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone: Authentication error
-
When I open the link on a browser, it says the certificate is valid. Both Edge Chromium and Firefox.
-
Changing https to http does allow it to work.
Seems to be an issue with verifying the certificate?
-
I do have Check certificate of aliases URLs Enabled.
Verify HTTPS certificates when downloading alias URLs Make sure the certificate is valid for all HTTPS addresses on aliases. If it's not valid or is revoked, do not download it.
Not sure when I did that.
-
fetch https://www.spamhaus.org/drop/dropv6.txt
yields:
dropv6.txt 1068 B 14 MBps 00s
So it works for some sites.
-
I'm not a pfBlockerNG user, but I've seen this particular problem posted about previously, and the cause is the expired AddTrust certificate. There are apparently two solutions. One involves finding and manually deleting that expired certificate in the pfSense CLI. The other solution used by some was to change the URL mode in pfBlockerNG so that the cert is not validated. While not the most secure way of doing things, it was a "working" workaround for the folks posting.
-
@bmeeks I am not using pfBlockerNG either.
Just trying to download Alias/URL Table.
Does get me something to google, but for now I just changed my URLs from https to http. Which, to be honest, isn't needed to encrypt a list of IPs.
I assume there will be a fix at some point.
-
@IsaacFL ipdeny.com https server is misconfigured and is offering an expired CA certificate (AddTrust) in the chain.
You can try this workaround: https://redmine.pfsense.org/issues/10616#note-3
More about the AddTrust expiration issue: https://www.ssl.com/blogs/addtrust-external-ca-root-expired-may-30-2020/
-
Once I read about the cert issue, and that it is an external issue, I decided to just use the http (80) link to ipdeny at least for now.
I am not concerned about the country ip list being encrypted and figure they will probably fix it at some point.
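A way to see which certificate in the chain a server sends has actually expired (the misconfiguration viktor_g describes above, where an expired AddTrust root is still included), as an added shell example that is not from this thread or from pfSense. It assumes the openssl command-line tool is installed; the ipdeny host appears only in the commented capture step, and the function itself works on any saved PEM bundle.

```shell
#!/bin/sh
# check_chain_expiry BUNDLE.pem [MARGIN_SECONDS]
# Splits a PEM bundle into its certificates, prints subject and notAfter
# for each, and flags any that are expired (or expire within MARGIN_SECONDS,
# default 0). Exit status = number of flagged certificates.
#
# To capture the chain a server really sends (host taken from the thread):
#   openssl s_client -connect www.ipdeny.com:443 -servername www.ipdeny.com \
#       -showcerts </dev/null 2>/dev/null > chain.pem
#   check_chain_expiry chain.pem; echo "expired certs: $?"
# An expired cross-signed root in that list is the server's problem to fix;
# on the client side the fix is to drop the stale root from the trust store,
# not to turn certificate verification off.
check_chain_expiry() {
    bundle="$1"
    margin="${2:-0}"
    tmp=$(mktemp -d) || return 2
    # Keep only BEGIN..END CERTIFICATE blocks, one file per certificate,
    # so s_client chatter around the PEM blocks is ignored.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%03d.pem", dir, n) }
        f { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$bundle"
    expired=0
    for c in "$tmp"/cert-*.pem; do
        [ -f "$c" ] || continue
        subj=$(openssl x509 -in "$c" -noout -subject)
        end=$(openssl x509 -in "$c" -noout -enddate)
        # -checkend exits 0 when the cert is still valid MARGIN seconds from now
        if openssl x509 -in "$c" -noout -checkend "$margin" >/dev/null; then
            printf 'OK       %s | %s\n' "$subj" "$end"
        else
            printf 'EXPIRED  %s | %s\n' "$subj" "$end"
            expired=$((expired + 1))
        fi
    done
    rm -rf "$tmp"
    return "$expired"
}
```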