Unable to check for update netgate sg-2220 release 21.05
-
On a Netgate SG-2220 Release 21.05 I am unable to update packages or check for system updates.
I did follow the update debug steps, they don't work for this issue.
I did shutdown, completely removed power + boot up. See the cert validation failure here and the Authentication error
pkg update -f
Updating pfSense-core repository catalogue...
Certificate verification failed for /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
34376073216:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/build/plus-crossbuild-2105-amd64/sources/FreeBSD-src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
34376073216:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/build/plus-crossbuild-2105-amd64/sources/FreeBSD-src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
34376073216:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/build/plus-crossbuild-2105-amd64/sources/FreeBSD-src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
34376073216:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/build/plus-crossbuild-2105-amd64/sources/FreeBSD-src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
34376073216:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/build/plus-crossbuild-2105-amd64/sources/FreeBSD-src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
34376073216:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/build/plus-crossbuild-2105-amd64/sources/FreeBSD-src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg: https://files00.netgate.com/pkg/pfSense_plus-v21_05_amd64-core/meta.txz: Authentication error
repository pfSense-core has no meta file, using default settings
-
Okay the system time/date was totally wrong. :|
I was able to spot it with
openssl s_client -connect files01.netgate.com:443
which gave me
verify error:num=9:certificate is not yet valid
Indeed the system date/time was set in 2017.
Looks like it's caused by DNS resolution not working, hence ntpd failing to sync time since update :(
-
@mrbabiebob said in Unable to check for update netgate sg-2220 release 21.05:
Okay the system time/date was totally wrong. :|
I was able to spot it with
openssl s_client -connect files01.netgate.com:443
which gave me
verify error:num=9:certificate is not yet valid
Indeed the system date/time was set in 2017.
Looks like it's caused by DNS resolution not working, hence ntpd failing to sync time since update :(
Even I have noticed that there are no updates
Thanks & Regards
redik
-
@ridek724 Did you find Upgrade not Offered / Library Errors?
-
The SG-2220 does not have an RTC clock battery, so if it's been off for some time it may revert to the initial time/date.
If you do not have at least one NTP server defined by IP and you have DNSSEC enabled in Unbound and no other DNS servers set, then you have a chicken/egg situation. The firewall cannot resolve any time servers because DNS doesn't work when the clock is wrong! Setting either a fixed NTP server or an alternative DNS server will prevent that.
Steve
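Added example, not part of any post in this thread: a Python sketch of the two checks discussed above, classifying an openssl verify error against the certificate's validity window and flagging the NTP/DNSSEC bootstrap dependency. The function names, return strings, sample dates and server names are constructed for illustration; the second input is the text printed by `openssl x509 -noout -dates`.

```python
import ipaddress
import re
import ssl
from datetime import datetime, timezone

# Constructed sample inputs (the verify error line is the one quoted in the thread).
SAMPLE_S_CLIENT = "depth=0 CN = example\nverify error:num=9:certificate is not yet valid\n"
SAMPLE_DATES = "notBefore=Jun  1 00:00:00 2021 GMT\nnotAfter=Jun  1 23:59:59 2022 GMT\n"

def verify_error_nums(s_client_output):
    """Error numbers from 'verify error:num=N:...' lines of openssl s_client."""
    return [int(n) for n in re.findall(r"verify error:num=(\d+):", s_client_output)]

def _cert_time(text):
    # ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' form openssl prints.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text.strip()), timezone.utc)

def diagnose(s_client_output, dates_output, now):
    """Say whether the local clock explains a validity-period verify error.
    now must be a timezone-aware datetime (the firewall's current idea of time)."""
    fields = dict(re.findall(r"(notBefore|notAfter)=(.+)", dates_output))
    not_before = _cert_time(fields["notBefore"])
    not_after = _cert_time(fields["notAfter"])
    nums = verify_error_nums(s_client_output)
    if 9 in nums and now < not_before:    # 9 = certificate is not yet valid
        return "clock-before-notBefore"   # local clock is behind: fix system time first
    if 10 in nums and now > not_after:    # 10 = certificate has expired
        return "expired-or-clock-ahead"   # cannot tell which from these inputs alone
    return "not-clock-related"

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def ntp_bootstrap_risk(ntp_servers, dnssec_enabled, other_dns_servers):
    """True for the chicken/egg case: DNSSEC validation on, no fallback DNS servers,
    and every NTP server given by hostname, so time sync needs DNS and DNS needs time."""
    has_ip_ntp = any(_is_ip(s) for s in ntp_servers)
    return dnssec_enabled and not has_ip_ntp and not other_dns_servers

if __name__ == "__main__":
    wrong_clock = datetime(2017, 1, 1, tzinfo=timezone.utc)   # constructed reading
    print(diagnose(SAMPLE_S_CLIENT, SAMPLE_DATES, wrong_clock))
    print(ntp_bootstrap_risk(["ntp.example.net"], True, []))
```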