Netgate Discussion Forum
    Update check & package install behind MITM proxy?

General pfSense Questions
cszikszoy

I have a situation where I'm forced to use a corporate proxy to access the Internet. Our proxy rewrites SSL and basically acts as a MITM. Because of this, requests to https URLs (like the pfSense packages URL, for example) will fail unless the SSL certs for the corporate proxy are trusted. I've added both of our company's certs to pfSense's Cert Manager (see attachment) and they were accepted, however the update check & package installation pages still fail.

I've verified that I have access to the Internet (through our proxy) by using curl:

```
[2.3.2-RELEASE][admin@lab-firewall.hts.lab]/root: curl -x <myproxy>:8123 http://google.com
<title>301 Moved</title>
<h1>301 Moved</h1>
The document has moved <a href="http://www.google.com/">here</a>.
```

**Requesting https through the proxy shows this:**

```
[2.3.2-RELEASE][admin@lab-firewall.hts.lab]/root: curl -x <myproxy>:8123 https://google.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
```

**Telling curl to ignore certificates shows this (which works):**

```
[2.3.2-RELEASE][admin@lab-firewall.hts.lab]/root: curl -x <myproxy>:8123 https://google.com -k
<title>301 Moved</title>
<h1>301 Moved</h1>
The document has moved <a href="https://www.google.com/">here</a>.
```

I've set up an intermediary proxy between pfSense and our company proxy to see what's going on. I can see the pfSense firewall asking for "pkg.pfsense.org:443" in the squid logs (shown below).

```
1478163783.083    533 x.x.x.x TCP_MISS/000 2976 CONNECT pkg.pfsense.org:443 - FIRST_UP_PARENT/proxy.<company>.com -
1478163784.417    321 x.x.x.x TCP_MISS/000 1571 CONNECT pkg.pfsense.org:443 - FIRST_UP_PARENT/proxy.<company>.com -
1478163784.738    318 x.x.x.x TCP_MISS/000 1571 CONNECT pkg.pfsense.org:443 - FIRST_UP_PARENT/proxy.<company>.com -
1478163786.059    314 x.x.x.x TCP_MISS/000 1571 CONNECT pkg.pfsense.org:443 - FIRST_UP_PARENT/proxy.<company>.com -
1478163786.392    331 x.x.x.x TCP_MISS/000 2939 CONNECT pkg.pfsense.org:443 - FIRST_UP_PARENT/proxy.<company>.com -
1478163787.645    249 x.x.x.x TCP_MISS/000 2939 CONNECT pkg.pfsense.org:443 - FIRST_UP_PARENT/proxy.<company>.com -
1478163787.962    315 x.x.x.x TCP_MISS/000 1571 CONNECT pkg.pfsense.org:443 - FIRST_UP_PARENT/proxy.<company>.com -
1478163789.300    319 x.x.x.x TCP_MISS/000 2939 CONNECT pkg.pfsense.org:443 - FIRST_UP_PARENT/proxy.<company>.com -
```

But the upgrade check & check for packages always fails.

Thank you in advance and I appreciate any ideas or suggestions!

![pfsensecerts.PNG](/public/_imported_attachments_/1/pfsensecerts.PNG)
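As an added example that is not part of the post above and not pfSense's or curl's own code: the `curl: (60)` failure in the post is OpenSSL's "unable to get local issuer certificate", raised when the chain an intercepting proxy presents (a forged leaf for the requested host plus the corporate issuing CA) cannot be linked to a root in the CA bundle the client consults. The script below reproduces that offline with a constructed toy PKI (every CA name and key is made up for the demonstration), then shows the same chain verifying once the corporate root is appended to the bundle. It assumes only the `openssl` command-line tool; `WORK` is a scratch directory of its own choosing.

```shell
#!/bin/sh
# Added example, not from the forum post. Reproduces, offline and with a constructed
# toy PKI, the "unable to get local issuer certificate" failure a TLS-intercepting
# proxy causes when the client's CA bundle lacks the proxy's root, and shows that
# adding that root to the bundle handed to openssl/curl is what makes it verify.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the constructed keys and certs

# Issue a self-signed CA certificate. $1 = CN, $2 = output basename.
mk_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Issue a certificate for CN $1 (basename $2), signed by CA $3, with extensions from file $4.
mk_signed() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$4" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Build the constructed PKI: a stand-in public root, a corporate root with an
# issuing (intermediate) CA beneath it, and the leaf the proxy forges for the site.
build_pki() {
  # Stand-in for the public CA bundle a stock system ships: a root that issued nothing we use.
  mk_root "Constructed Public Root" public
  # The corporate interception CA hierarchy (constructed names).
  mk_root "Constructed Corp Root" corproot
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  mk_signed "Constructed Corp Issuing CA" corpint corproot "$WORK/ca.ext"
  # The certificate the proxy presents for pkg.pfsense.org after the CONNECT is intercepted.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:pkg.pfsense.org\n' > "$WORK/leaf.ext"
  mk_signed "pkg.pfsense.org" leaf corpint "$WORK/leaf.ext"
  # What the handshake carries: leaf plus intermediate. The root must come from the client.
  cat "$WORK/leaf.pem" "$WORK/corpint.pem" > "$WORK/served-chain.pem"
}

# Verify the served chain against a CA bundle only (no system CApath), including the
# hostname check curl would apply. Returns 0 if the chain verifies, 1 otherwise.
verify_with_bundle() {
  bundle="$1"
  if openssl verify -no-CApath -CAfile "$bundle" -untrusted "$WORK/served-chain.pem" \
       -verify_hostname pkg.pfsense.org "$WORK/leaf.pem"; then
    return 0
  fi
  return 1
}

main() {
  build_pki
  echo "--- stock bundle only (corporate root not trusted) ---"
  if verify_with_bundle "$WORK/public.pem"; then
    echo "unexpected: verified without the corporate root"
  else
    echo "verification failed: this is the chain state behind curl's (60) error"
  fi
  echo "--- stock bundle plus the corporate root ---"
  cat "$WORK/public.pem" "$WORK/corproot.pem" > "$WORK/bundle-with-corp.pem"
  verify_with_bundle "$WORK/bundle-with-corp.pem"
}

main
```

The live equivalent on the firewall is the check curl's own message points at: `curl -x <myproxy>:8123 --cacert corp-root.pem https://pkg.pfsense.org/` with the exported corporate root (and issuing CA, if the proxy does not send it) in the file. If that succeeds while the same command without `--cacert` fails, the exported certificates are sound and the bundle curl consulted in the post is simply not one that contains them, which narrows the question to which trust store the update check and package installer actually read.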
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.