• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

repo01.netgate.com TLS cert seems invalid

Official NetgateĀ® Hardware
9
43
9.7k
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • S
    seanmcb
    last edited by Aug 8, 2021, 7:40 PM

    Trying to update to v21_05_1 got me this:

    1082880000:error:1409441A:SSL routines:ssl3_read_bytes:tlsv1 alert decode error:/usr/local/poudriere/jails/pfSense_plus-v21_05_aarch64/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 50
    1082880000:error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib:/usr/local/poudriere/jails/pfSense_plus-v21_05_aarch64/usr/src/crypto/openssl/ssl/statem/statem_lib.c:283:
    pkg-static: https://repo01.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-pfSense_plus-v21_05_1/All/voucher-0.1_2.txz: Authentication error
    Failed
    

    Checking repo01.netgate.com with ssllabs.com says that the TLS cert is invalid.

    Anyone else seeing this?

    B 1 Reply Last reply Aug 9, 2021, 11:29 AM Reply Quote 0
    • B
      BaseBallHat @seanmcb
      last edited by Aug 9, 2021, 11:29 AM

      @seanmcb Yup, I'm getting this too. I'm running 21.05 on an SG-1100.

      login-to-view

      1 Reply Last reply Reply Quote 0
      • S
        stephenw10 Netgate Administrator
        last edited by Aug 9, 2021, 1:28 PM

        On an SG-1100 that is probably a client side crypto hardware issue. If you have not done so try a full power cycle (disconnect the power for 30s) to reset it. A reboot is insufficient.

        I'm not seeing any issues hitting that repo from here now. Are you still unable to connect?

        Steve

        S B 2 Replies Last reply Aug 9, 2021, 1:48 PM Reply Quote 1
        • S
          seanmcb @stephenw10
          last edited by Aug 9, 2021, 1:48 PM

          @stephenw10 don't see how it can be client side, as I said, ssllabs.com also reports an invalid cert, see:

          https://www.ssllabs.com/ssltest/analyze.html?d=repo01.netgate.com&s=162.208.119.40&hideResults=on&ignoreMismatch=on

          J 1 Reply Last reply Aug 9, 2021, 2:01 PM Reply Quote 0
          • B
            BaseBallHat @stephenw10
            last edited by Aug 9, 2021, 1:54 PM

            @stephenw10

            A full power cycle worked for me. Thanks!

            1 Reply Last reply Reply Quote 0
            • J
              johnpoz LAYER 8 Global Moderator @seanmcb
              last edited by johnpoz Aug 9, 2021, 2:04 PM Aug 9, 2021, 2:01 PM

              @seanmcb said in repo01.netgate.com TLS cert seems invalid:

              don't see how it can be client side, as I said, ssllabs.com also reports an invalid cert

              Not all things are used in the fashion that ssllabs tests for - the cert could be perfectly valid for how its used by pfsense. Such tests are not always valid ways to test functionality.

              Maybe @stephenw10 could link to info or hint at how this specific server is used with pfsense and updates. To explain why ssllabs fails - even though working fine. I am not sure on the details, just know that not all things always work as ssllabs tests for..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              S 1 Reply Last reply Aug 9, 2021, 2:28 PM Reply Quote 0
              • S
                stephenw10 Netgate Administrator
                last edited by Aug 9, 2021, 2:07 PM

                Right, because it's never supposed to be accessed like that.

                What do you see at the command line? For example:

                [21.05.1-RELEASE][admin@1100-2.stevew.lan]/root: pkg -d update
                DBG(1)[50476]> pkg initialized
                Updating pfSense-core repository catalogue...
                DBG(1)[50476]> PkgRepo: verifying update for pfSense-core
                DBG(1)[50476]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense-core.sqlite'
                DBG(1)[50476]> Request to fetch pkg+https://repo.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-core/meta.conf
                DBG(1)[50476]> opening libfetch fetcher
                DBG(1)[50476]> Fetch > libfetch: connecting
                DBG(1)[50476]> Fetch: fetching from: https://repo00.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-core/meta.conf with opts "i"
                DBG(1)[50476]> Fetch: fetcher chosen: https
                DBG(1)[50476]> Request to fetch pkg+https://repo.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-core/packagesite.txz
                DBG(1)[50476]> opening libfetch fetcher
                DBG(1)[50476]> Fetch > libfetch: connecting
                DBG(1)[50476]> Fetch: fetching from: https://repo00.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-core/packagesite.txz with opts "i"
                pfSense-core repository is up to date.
                Updating pfSense repository catalogue...
                DBG(1)[50476]> PkgRepo: verifying update for pfSense
                DBG(1)[50476]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense.sqlite'
                DBG(1)[50476]> Request to fetch pkg+https://repo.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-pfSense_plus-v21_05_1/meta.conf
                DBG(1)[50476]> opening libfetch fetcher
                DBG(1)[50476]> Fetch > libfetch: connecting
                DBG(1)[50476]> Fetch: fetching from: https://repo00.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-pfSense_plus-v21_05_1/meta.conf with opts "i"
                DBG(1)[50476]> Fetch: fetcher chosen: https
                DBG(1)[50476]> Request to fetch pkg+https://repo.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-pfSense_plus-v21_05_1/packagesite.txz
                DBG(1)[50476]> opening libfetch fetcher
                DBG(1)[50476]> Fetch > libfetch: connecting
                DBG(1)[50476]> Fetch: fetching from: https://repo00.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-pfSense_plus-v21_05_1/packagesite.txz with opts "i"
                pfSense repository is up to date.
                All repositories are up to date.
                

                Steve

                1 Reply Last reply Reply Quote 0
                • S
                  seanmcb @johnpoz
                  last edited by Aug 9, 2021, 2:28 PM

                  @johnpoz said in repo01.netgate.com TLS cert seems invalid:

                  Not all things are used in the fashion that ssllabs tests for

                  Maybe so, but Firefox also shows "invalid cert" if you visit https://repo01.netgate.com/

                  J 1 Reply Last reply Aug 9, 2021, 2:33 PM Reply Quote 0
                  • J
                    johnpoz LAYER 8 Global Moderator @seanmcb
                    last edited by johnpoz Aug 9, 2021, 2:38 PM Aug 9, 2021, 2:33 PM

                    And again that has zero to do with how pfsense uses it.. ssllab tests for how your browser would use a ssl cert. So yeah if ssllabs fails - its pretty much a given your browser would balk at it as well ;)

                    Relate it to how users say pkg.pfsense.org isn't working because they try and use A/AAAA record when its actually a SRV record, etc. Which is really _https._tcp.pkg.pfsense.org for example..

                    If you do not test functionally - on how the functionality was designed.. Then yeah you can see red herrings all over the place.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                    S 1 Reply Last reply Aug 9, 2021, 3:02 PM Reply Quote 1
                    • S
                      seanmcb @johnpoz
                      last edited by Aug 9, 2021, 3:02 PM

                      @johnpoz the certificate given by repo01.netgate.com has "Common name" of pfsense.org and "Alternative names" of *.pfsense.com *.pfsense.org pfsense.com pfsense.org. What is the advantage for the cert to omit repo01.netgate.com from its list of names?

                      J 1 Reply Last reply Aug 9, 2021, 3:29 PM Reply Quote 0
                      • S
                        stephenw10 Netgate Administrator
                        last edited by Aug 9, 2021, 3:14 PM

                        It's because that repo is authenticated. It expects the client to send a cert and your browser does not. Neither does ssllabs. That said that's not the error I see if I try to visit it directly. I see the far more useful:

                        400 Bad Request
                        No required SSL certificate was sent
                        

                        Steve

                        S 1 Reply Last reply Aug 9, 2021, 3:36 PM Reply Quote 0
                        • J
                          johnpoz LAYER 8 Global Moderator @seanmcb
                          last edited by Aug 9, 2021, 3:29 PM

                          @seanmcb said in repo01.netgate.com TLS cert seems invalid:

                          cert to omit repo01.netgate.com from its list of names?

                          Sure looks like its there to me..

                          login-to-view

                          While I don't see a SAN entry - the CN is there that matches.. Again - trying to check a ssl cert without fully understanding how the cert is used in the specific applications design use of said ssl can and does lead to red herring rabbit holes ;)

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                          1 Reply Last reply Reply Quote 1
                          • S
                            seanmcb @stephenw10
                            last edited by Aug 9, 2021, 3:36 PM

                            @stephenw10 said in repo01.netgate.com TLS cert seems invalid:

                            It's because that repo is authenticated. It expects the client to send a cert and your browser does not. Neither does ssllabs

                            Ah, thanks for the actual explanation. Much appreciated.

                            I'll have access to the device again in about 10 hours and can try from the shell the steps you asked about.

                            1 Reply Last reply Reply Quote 0
                            • S
                              stephenw10 Netgate Administrator
                              last edited by Aug 9, 2021, 4:10 PM

                              Let us know if you're still seeing that.

                              S 1 Reply Last reply Aug 10, 2021, 2:18 AM Reply Quote 0
                              • S
                                seanmcb @stephenw10
                                last edited by Aug 10, 2021, 2:18 AM

                                @stephenw10 my output is quite like yours:

                                [21.05-RELEASE][admin@pfSense.localdomain]/root: pkg -d update
                                DBG(1)[42611]> pkg initialized
                                Updating pfSense-core repository catalogue...
                                DBG(1)[42611]> PkgRepo: verifying update for pfSense-core
                                DBG(1)[42611]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense-core.sqlite'
                                DBG(1)[42611]> Request to fetch pkg+https://repo.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-core/meta.conf
                                DBG(1)[42611]> opening libfetch fetcher
                                DBG(1)[42611]> Fetch > libfetch: connecting
                                DBG(1)[42611]> Fetch: fetching from: https://repo01.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-core/meta.conf with opts "i"
                                DBG(1)[42611]> Fetch: fetcher chosen: https
                                DBG(1)[42611]> Request to fetch pkg+https://repo.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-core/packagesite.txz
                                DBG(1)[42611]> opening libfetch fetcher
                                DBG(1)[42611]> Fetch > libfetch: connecting
                                DBG(1)[42611]> Fetch: fetching from: https://repo01.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-core/packagesite.txz with opts "i"
                                pfSense-core repository is up to date.
                                Updating pfSense repository catalogue...
                                DBG(1)[42611]> PkgRepo: verifying update for pfSense
                                DBG(1)[42611]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense.sqlite'
                                DBG(1)[42611]> Request to fetch pkg+https://repo.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-pfSense_plus-v21_05_1/meta.conf
                                DBG(1)[42611]> opening libfetch fetcher
                                DBG(1)[42611]> Fetch > libfetch: connecting
                                DBG(1)[42611]> Fetch: fetching from: https://repo01.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-pfSense_plus-v21_05_1/meta.conf with opts "i"
                                DBG(1)[42611]> Fetch: fetcher chosen: https
                                Fetching meta.conf: 100%    163 B   0.2kB/s    00:01    
                                DBG(1)[42611]> Request to fetch pkg+https://repo.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-pfSense_plus-v21_05_1/packagesite.txz
                                DBG(1)[42611]> opening libfetch fetcher
                                DBG(1)[42611]> Fetch > libfetch: connecting
                                DBG(1)[42611]> Fetch: fetching from: https://repo01.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-pfSense_plus-v21_05_1/packagesite.txz with opts "i"
                                DBG(1)[42611]> Fetch: fetcher chosen: https
                                Fetching packagesite.txz: 100%  129 KiB 131.8kB/s    00:01    
                                DBG(1)[42611]> PkgRepo: extracting packagesite.yaml of repo pfSense
                                DBG(1)[43042]> PkgRepo: extracting signature of repo in a sandbox
                                DBG(1)[42611]> Pkgrepo, reading new packagesite.yaml for '/var/db/pkg/repo-pfSense.sqlite'
                                Processing entries: 100%
                                pfSense repository update completed. 464 packages processed.
                                All repositories are up to date.
                                

                                Biggest difference is repo00.netgate.com vs repo01.netgate.com and mine has additional output Fetch: fetcher chosen: https.

                                1 Reply Last reply Reply Quote 0
                                • S
                                  stephenw10 Netgate Administrator
                                  last edited by Aug 10, 2021, 12:20 PM

                                  repo00 and repo01 should be identical there, that shouldn't matter.

                                  S 1 Reply Last reply Aug 10, 2021, 2:48 PM Reply Quote 0
                                  • S
                                    seanmcb @stephenw10
                                    last edited by Aug 10, 2021, 2:48 PM

                                    @stephenw10 so do you think the part about Fetch: fetcher chosen: https is the difference that explains the failure I see?

                                    I could always try a magic reboot, but I'm not in a huge rush to update. If there's something more we can troubleshoot to find this bug, I'm game.

                                    1 Reply Last reply Reply Quote 0
                                    • S
                                      stephenw10 Netgate Administrator
                                      last edited by Aug 10, 2021, 3:40 PM

                                      @seanmcb said in repo01.netgate.com TLS cert seems invalid:

                                      Processing entries: 100%
                                      pfSense repository update completed. 464 packages processed.
                                      All repositories are up to date.

                                      It looks to be updating from the repo successfully. What failure are you seeing?

                                      My output also shows it choosing https, I don't think that's an issue.

                                      Steve

                                      S 1 Reply Last reply Aug 10, 2021, 5:20 PM Reply Quote 0
                                      • S
                                        seanmcb @stephenw10
                                        last edited by Aug 10, 2021, 5:20 PM

                                        @stephenw10 the failure I'm seeing is as per my first message in this thread. The update fails with the error message text I pasted.

                                        1 Reply Last reply Reply Quote 0
                                        • S
                                          stephenw10 Netgate Administrator
                                          last edited by Aug 10, 2021, 5:33 PM

                                          Hmm, OK try running at the command line: pfSense-upgrade -d

                                          S 1 Reply Last reply Aug 11, 2021, 12:35 AM Reply Quote 0
                                          8 out of 43
                                          • First post
                                            8/43
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.