Netgate Discussion Forum

    "pkg add" Authentication error connecting to pkg.freebsd.org + Let's Encrypt cert

    Problems Installing or Upgrading pfSense Software
    • M
      mikeyjb
      last edited by mikeyjb

      Hi,

      Just taken delivery of a new SG-1100, which is great.

      I'm attempting to install some additional packages onto the unit, but when I'm trying to use the pkg add command, I'm getting an "Authentication error" returned due to what looks like a certificate verification issue:

      [2.4.5-RELEASE][admin@pfsense]/root: pkg add -f https://pkg.freebsd.org/FreeBSD:11:aarch64/latest/All/snappy-1.1.6.txz
      Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
      1086510128:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/factory-crossbuild-245-aarch64/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
      Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
      1086510128:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/factory-crossbuild-245-aarch64/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
      Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
      1086510128:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/factory-crossbuild-245-aarch64/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
      pkg: https://pkg.freebsd.org/FreeBSD:11:aarch64/latest/All/snappy-1.1.6.txz: Authentication error
      
      

      Using OpenSSL to test the connection to pkg.freebsd.org I get the following:

      [2.4.5-RELEASE][admin@pfsense]/root: openssl s_client -connect pkg.freebsd.org:443
      
      CONNECTED(00000003)
      ---
      Certificate chain
       0 s:/CN=pkg.freebsd.org
         i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
       1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
         i:/O=Digital Signature Trust Co./CN=DST Root CA X3
      ---
      Server certificate
      subject=/CN=pkg.freebsd.org
      issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
      ---
      No client certificate CA names sent
      Peer signing digest: SHA256
      Server Temp Key: ECDH, P-256, 256 bits
      ---
      SSL handshake has read 3567 bytes and written 433 bytes
      ---
      New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
      Server public key is 4096 bit
      Secure Renegotiation IS supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      SSL-Session:
          Protocol  : TLSv1.2
          Cipher    : ECDHE-RSA-AES128-GCM-SHA256
          Session-ID: 108BB848A983EC7FA39ED5B281D149CA4F183F7EC253160908EE2D52AF68A737
          Session-ID-ctx: 
          Master-Key: 85630B40640FABB868851B92BD92D6124CDC010DB4C086D1222A2F83EFCCB7A067A41ABA05CA4C9568A689D5125FD13B
          Key-Arg   : None
          PSK identity: None
          PSK identity hint: None
          SRP username: None
          Start Time: 1593898229
          Timeout   : 300 (sec)
          Verify return code: 0 (ok)
      ---
      

      The verify code at the end is looking good, and it should be fine for applications to verify the Let's Encrypt cert and connect to the site.

      My ca_root_nss package is v3.51 (latest), I've tried force reinstalling and checked that all cert directories are symlinked correctly.

      Is there something I'm missing here? Does pkg use some other source for verifying certificates or could this be a bug?

      pfSense v2.4.5-p1

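Added example (not part of the original posts): shell functions that read the `Certificate chain` block of `openssl s_client` output, check that each certificate's issuer matches the next certificate's subject, and print the issuer of the last certificate sent, which is the root the client's own CA store has to contain. The function names are made up for this example, and the sample input is trimmed from the output quoted in the post above.

```shell
#!/bin/sh
# Added example: summarise `openssl s_client` output for trust-store debugging.
# sample_output, chain_anchor and verify_code are names invented here.

# Sample input, trimmed from the s_client output quoted in the post above.
sample_output() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=pkg.freebsd.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
    Verify return code: 0 (ok)
EOF
}

# Print the issuer of the last certificate the server sent. That name is the
# trust anchor the client must find in its own CA store. Exits 1 if there is
# no chain or if an issuer does not match the next subject.
chain_anchor() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ {
            sub(/^ *[0-9]+ s:/, "")
            if (n > 0 && issuer != $0) broken = 1
            n++
            next
        }
        in_chain && /^ *i:/ { sub(/^ *i:/, ""); issuer = $0 }
        END {
            if (n == 0 || broken) exit 1
            print issuer
        }
    '
}

# Print the numeric verify result that openssl itself reported.
verify_code() {
    awk -F': *' '/Verify return code:/ { split($2, a, " "); print a[1]; found = 1 }
                 END { if (!found) exit 1 }'
}

anchor=$(sample_output | chain_anchor) && echo "client store must contain: $anchor"
echo "openssl verify code: $(sample_output | verify_code)"
```

To run it against a live host, pipe `openssl s_client -connect host:443 </dev/null 2>/dev/null` into either function in place of `sample_output`.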
      • viktor_gV
        viktor_g Netgate
        last edited by

        @mikeyjb said in "pkg add" Authentication error connecting to pkg.freebsd.org + Let's Encrypt cert:

        pkg add -f https://pkg.freebsd.org/FreeBSD:11:aarch64/latest/All/snappy-1.1.6.txz

        No such error on 2.4.5-p1 (SG-3100):

        [2.4.5-RELEASE][root@sg3100.home.int]/root: pkg add -f https://pkg.freebsd.org/FreeBSD:11:aarch64/latest/All/snappy-1.1.6.txz
        Fetching snappy-1.1.6.txz: 100%   58 KiB  59.8kB/s    00:01    
        Installing snappy-1.1.6...
        pkg: wrong architecture: FreeBSD:11:aarch64 instead of FreeBSD:11:armv6
        Extracting snappy-1.1.6: 100%
        

        But the same error on SG-1100 2.4.5-p1:

        [2.4.5-RELEASE][root@pf1100.home.int]/root: pkg add -f https://pkg.freebsd.org/FreeBSD:11:aarch64/latest/All/snappy-1.1.6.txz
        Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
        1086510128:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/factory-crossbuild-245-aarch64/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
        Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
        1086510128:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/factory-crossbuild-245-aarch64/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
        Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
        1086510128:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/factory-crossbuild-245-aarch64/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
        pkg: https://pkg.freebsd.org/FreeBSD:11:aarch64/latest/All/snappy-1.1.6.txz: Authentication error
        

        Redmine issue created: https://redmine.pfsense.org/issues/10729

        • viktor_gV
          viktor_g Netgate
          last edited by

          As a workaround you can simply fetch pkg:

          [2.4.5-RELEASE][root@pf1100.home.int]/root: fetch https://pkg.freebsd.org/FreeBSD:11:aarch64/latest/All/snappy-1.1.6.txz
          snappy-1.1.6.txz                                        58 kB  245 kBps    00s
          [2.4.5-RELEASE][root@pf1100.home.int]/root: pkg install snappy-1.1.6.txz
          
          • M
            mikeyjb @viktor_g
            last edited by

            Awesome, thanks @viktor_g :)

            I'm pretty new to BSD so was hoping there might be a workaround. Appreciate you taking the time to set it out 👍

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.