Netgate Discussion Forum

pfSense update over SSL fails.

Category: Problems Installing or Upgrading pfSense Software (5 posts, 2 posters, 1.8k views)

Nonconformist:

      Hi all,

Been scratching my head trying to figure this issue out on my own, without having to reinstall the latest version of pfSense, but very close to giving up. Would appreciate if anyone can point me in the right direction of what to do, apart from a backup and reinstall. Here's a summary of what's happening:

      Originally had issues upgrading to pfSense 2.4.0 from 2.3.1 (GUI would always say up to date, connecting through SSH update would say packages were up to date after pkg update and pkg upgrade). The same behaviour happened when upgrading plugins too.

Got around that by modifying `/usr/local/etc/pkg/repos/pfSense.conf`.

However, that file gets overwritten back with https periodically, which means every time I have to update pfSense or a plugin, the only way I can do so is changing https to http.

Browsing the forums further to troubleshoot the issue, I executed the 'fetch' command to packages.pfsense.org with these results: (not at home right now, copy pasting command results from earlier today)

```
fetch -v https://packages.pfsense.org
resolving server address: packages.pfsense.org:443
SSL options: 83004bff
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/cert.pem
No server SSL certificate
fetch: https://packages.pfsense.org: Authentication error
```
      Looks like cert.pem doesn't have the right certs or has not been updated (probably because I updated using HTTP and not HTTPS?). I can get to the URL perfectly from any host on the rest of the LAN.
      
      Is there a way I can repair cert.pem to use the correct certs or anything else I can do to fix the authentication error?
      
      Thanks in advance!
Gertjan:

        Not being an 'ssl' expert, I have this feeling that your certificate from "/usr/local/etc/ssl/cert.pem" isn't important.

Btw, executing your command `fetch -v https://packages.pfsense.org` downloads 23 bytes just fine, maybe not what you are looking for:

```
[2.4.2-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: fetch -v https://packages.pfsense.org
resolving server address: packages.pfsense.org:443
SSL options: 83004bff
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/cert.pem
Verify hostname
TLSv1.2 connection established using ECDHE-RSA-AES256-GCM-SHA384
Certificate subject: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.pfsense.org
Certificate issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
requesting https://packages.pfsense.org/
remote size / mtime: 23 / 1394690197
packages.pfsense.org                          100% of   23  B  136 kBps 00m00s
```

That (your) "No server SSL certificate" message means the openssl part didn't get a certificate from the web server running at https://packages.pfsense.org (again, someone has to acknowledge this).
My test shows that a certificate comes from

```
Certificate subject: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.pfsense.org
Certificate issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
```

which seems fine to me, and is fine for pfSense, which logically (because it is built in) has it in the trusted cert list.

Or, if you want to download what is being seen on https://packages.pfsense.org/ (the web page, port 443):

```
packages.pfsense.org
```

then it is ok … ;)

Still, I advise you to hire a USB key, download the firmware (2.4.2 if amd64 proc, if not 2.3.5) the old fashioned way, extract (see procedure) the firmware to the key and install from there.
Take a copy of your config before, just to be safe.
That works, straightens out any issues, and plain works.
NO updating for whatever reason is not a good plan. It brings troubles ...

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

Nonconformist:

          Thanks for your reply Gertjan, I should probably have been more clear in my original post. See the part where you do this?

> [2.4.2-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: fetch -v https://packages.pfsense.org
> resolving server address: packages.pfsense.org:443
> SSL options: 83004bff
> Peer verification enabled
> Using CA cert file: /usr/local/etc/ssl/cert.pem
> Verify hostname
> TLSv1.2 connection established using ECDHE-RSA-AES256-GCM-SHA384
> Certificate subject: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.pfsense.org
> Certificate issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
> requesting https://packages.pfsense.org/
> remote size / mtime: 23 / 1394690197
> packages.pfsense.org                          100% of   23  B  136 kBps 00m00s

For me, the TLS connection is never established after the 'authentication error' and it returns to the bash prompt. So, with HTTPS, the update will never happen. Even when I try doing `pkg update`, it is unresponsive for a while and intermittently will return `No Server SSL certificate`.

Regardless, I think I'm close to giving up and directly installing 2.4.2 like you suggested. My only worry is the same issue shouldn't crop up again. Once again, thanks for your help!
Gertjan:

It looks actually that you can go 'out' on port "443", thus enabling a http ssl connection (whatever ssl connection).
Or worse, your pfSense is that old that you won the prize: your openssl (built into pfsense) is rejected because known buggy … (just guessing).

Can you do this: `fetch -v https://www.google.com`

```
[2.4.2-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root:
fetch -v https://www.google.com
resolving server address: www.google.com:443
SSL options: 83004bff
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/cert.pem
Verify hostname
TLSv1.2 connection established using ECDHE-ECDSA-AES128-GCM-SHA256
Certificate subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
Certificate issuer: /C=US/O=Google Inc/CN=Google Internet Authority G2
requesting https://www.google.com/
302 redirect to https://www.google.fr/?gfe_rd=cr&dcr=0&ei=u2sYWqrfLauGtgfpsJiABg
resolving server address: www.google.fr:443
SSL options: 83004bff
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/cert.pem
Verify hostname
TLSv1.2 connection established using ECDHE-ECDSA-AES128-GCM-SHA256
Certificate subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
Certificate issuer: /C=US/O=Google Inc/CN=Google Internet Authority G2
requesting https://www.google.fr/?gfe_rd=cr&dcr=0&ei=u2sYWqrfLauGtgfpsJiABg
fetch: https://www.google.com: size of remote file is not known
www.google.com                                          11 kB 2397 kBps 00m00s
```

Nonconformist:

Yep you're right - that was indeed one of the problems.

```
fetch -v https://www.google.com
resolving server address: www.google.com:443
SSL options: 83004bff
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/cert.pem
No server SSL certificate
fetch: https://www.google.com: Authentication error
```

              I thought I had fixed it by SCPing over cert.pem from the source tar.gz and updating the symlinks everywhere, but that wasn't working reliably. Two consecutive fetch commands right after one another would have different results, one would connect over TLS successfully and the second would fail. I think I've messed up horribly somewhere when tweaking the box.

              Finally gave up and restored factory settings, and everything seems to be good again - was also able to upgrade to 2.4.2 without issues.

              Thanks Gertjan for all your help.

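The thread never pins down what was wrong with the box's CA bundle, only that `fetch` reported "Authentication error" against every HTTPS host and that a hand-copied `cert.pem` behaved inconsistently. The script below is an added example, not code from the thread or from the pfSense project: it checks offline whether a CA bundle such as `/usr/local/etc/ssl/cert.pem` actually contains trust anchors and can verify a certificate chain. The test CA, the leaf name `packages.example.test`, the `CA_BUNDLE` variable and the temporary paths are all constructed for the example; the only assumption is that the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): sanity-check a CA bundle
# such as /usr/local/etc/ssl/cert.pem offline. A throwaway CA and leaf cert are
# generated locally, so no network is needed; only the openssl CLI is assumed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# count_certs FILE: number of PEM certificate blocks in a bundle.
# A bundle that fetch/pkg point at but that yields 0 here cannot verify anything,
# which surfaces as "Authentication error" rather than a clear "no CA" message.
count_certs() {
    if [ -r "$1" ]; then
        grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# make_test_pki: constructed self-signed root plus a leaf it signs
# (CN=packages.example.test is a placeholder, not a real host).
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Test Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=packages.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_against BUNDLE LEAF: exit 0 only if LEAF chains to a root in BUNDLE.
# This is the same trust decision fetch makes against cert.pem before it
# sends a request.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# bundle_report FILE: one-line summary a practitioner can run on the live box.
bundle_report() {
    printf '%s: %s certificate(s)\n' "$1" "$(count_certs "$1")"
}

# Self-check: a good bundle verifies the leaf; an empty one (like a truncated
# or mis-copied cert.pem) does not.
make_test_pki
: > "$WORK/empty.pem"
bundle_report "$WORK/ca.pem"
bundle_report "$WORK/empty.pem"
verify_against "$WORK/ca.pem" "$WORK/leaf.pem" && echo "good bundle: leaf verifies"
verify_against "$WORK/empty.pem" "$WORK/leaf.pem" || echo "empty bundle: verification fails"

# On a pfSense box, point it at the real bundle (path taken from the thread);
# CA_BUNDLE is a constructed override variable, not a pfSense setting.
bundle_report "${CA_BUNDLE:-/usr/local/etc/ssl/cert.pem}"
```

Running it on the affected system with `CA_BUNDLE` left at the default gives a quick answer to the question asked in the first post: a count of 0 means the file is empty or not a PEM bundle at all, while a non-zero count that still fails to verify a known-good certificate (for example one saved from `openssl s_client` on a healthy host) points at the file's contents rather than at the network. Either way the cure the thread arrived at, a clean install from known media, replaces the bundle with the one shipped for that release.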
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.