PfSense update over SSL fails.



  • Hi all,

    Been scratching my head trying to figure this issue out on my own, without having to reinstall the latest version of pfSense, but very close to giving up. Would appreciate if anyone can point me in the right direction of what to do, apart from a backup and reinstall. Here's a summary of what's happening:

    Originally had issues upgrading to pfSense 2.4.0 from 2.3.1 (GUI would always say up to date, connecting through SSH update would say packages were up to date after pkg update and pkg upgrade). The same behaviour happened when upgrading plugins too.

    Got around that by modifying `/usr/local/etc/pkg/repos/pfSense.conf`.

    However, that file gets overwritten back with https periodically, which means every time I have to update pfSense or a plugin, the only way I can do so is changing https to http.
    
    Browsing the forums further to troubleshoot the issue, I executed the 'fetch' command to packages.pfsense.org with these results (not at home right now, copy-pasting command results from earlier today):

    ```
    fetch -v https://packages.pfsense.org
    resolving server address: packages.pfsense.org:443
    SSL options: 83004bff
    Peer verification enabled
    Using CA cert file: /usr/local/etc/ssl/cert.pem
    No server SSL certificate
    fetch: https://packages.pfsense.org: Authentication error
    ```

    
    Looks like cert.pem doesn't have the right certs or has not been updated (probably because I updated using HTTP and not HTTPS?). I can get to the URL perfectly from any host on the rest of the LAN.
    
    Is there a way I can repair cert.pem to use the correct certs or anything else I can do to fix the authentication error?
    
    Thanks in advance!


  • Not being an 'ssl' expert, I have this feeling that your certificate from "/usr/local/etc/ssl/cert.pem" isn't important.

    Btw, executing your command `fetch -v https://packages.pfsense.org` downloads just fine 23 bytes, maybe not what you are looking for:

    ```
    [2.4.2-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: fetch -v https://packages.pfsense.org
    resolving server address: packages.pfsense.org:443
    SSL options: 83004bff
    Peer verification enabled
    Using CA cert file: /usr/local/etc/ssl/cert.pem
    Verify hostname
    TLSv1.2 connection established using ECDHE-RSA-AES256-GCM-SHA384
    Certificate subject: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.pfsense.org
    Certificate issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
    requesting https://packages.pfsense.org/
    remote size / mtime: 23 / 1394690197
    packages.pfsense.org                          100% of   23  B  136 kBps 00m00s
    ```
    

    That (your) "No server SSL certificate" message means the openssl part didn't get a certificate from the web server running at https://packages.pfsense.org (again, someone has to acknowledge this).
    My test shows that a certificate comes from

    ```
    Certificate subject: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.pfsense.org
    Certificate issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
    ```

    which seems fine to me, and is fine for pfSense, which logically (because built-in) has it in the trusted cert list.

    Or, if you want to download what is being seen on https://packages.pfsense.org/ (the web page, port 443 )

    packages.pfsense.org

    then it is ok …  ;)

    Still, I advise you to hire a USB key, download the firmware (2.4.2 if amd64 proc - if not 2.3.5) the old-fashioned way, extract (see procedure) the firmware to the key and install from there.
    Take a copy of your config before - just to be safe.
    That works, straightens out any issues - and plain works.
    NO updating for whatever reason is not a good plan. It brings troubles ...



  • Thanks for your reply Gertjan, I should probably have been more clear in my original post. See the part where you do this?

    > ```
    > [2.4.2-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: fetch -v https://packages.pfsense.org
    > resolving server address: packages.pfsense.org:443
    > SSL options: 83004bff
    > Peer verification enabled
    > Using CA cert file: /usr/local/etc/ssl/cert.pem
    > Verify hostname
    > TLSv1.2 connection established using ECDHE-RSA-AES256-GCM-SHA384
    > Certificate subject: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.pfsense.org
    > Certificate issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
    > requesting https://packages.pfsense.org/
    > remote size / mtime: 23 / 1394690197
    > packages.pfsense.org                          100% of   23  B  136 kBps 00m00s
    > ```
    

    For me, the TLS connection is never established after the 'authentication error' and it returns to the bash prompt. So, with HTTPS, the update will never happen. Even when I try doing `pkg update`, it is unresponsive for a while and intermittently will return

    ```
    No Server SSL certificate
    ```

    
    Regardless, I think I'm close to giving up and directly installing 2.4.2 like you suggested. My only worry is the same issue shouldn't crop up again. Once again, thanks for your help!


  • It looks actually that you can't go 'out' on port "443", thus no http ssl connection - (whatever ssl connection).
    Or worse, your pfSense is that old that you won the prize: your openssl (built into pfSense) is rejected because known buggy … (just guessing).

    Can you do this:

    ```
    fetch -v https://www.google.com
    ```

    ```
    [2.4.2-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: fetch -v https://www.google.com
    resolving server address: www.google.com:443
    SSL options: 83004bff
    Peer verification enabled
    Using CA cert file: /usr/local/etc/ssl/cert.pem
    Verify hostname
    TLSv1.2 connection established using ECDHE-ECDSA-AES128-GCM-SHA256
    Certificate subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
    Certificate issuer: /C=US/O=Google Inc/CN=Google Internet Authority G2
    requesting https://www.google.com/
    302 redirect to https://www.google.fr/?gfe_rd=cr&dcr=0&ei=u2sYWqrfLauGtgfpsJiABg
    resolving server address: www.google.fr:443
    SSL options: 83004bff
    Peer verification enabled
    Using CA cert file: /usr/local/etc/ssl/cert.pem
    Verify hostname
    TLSv1.2 connection established using ECDHE-ECDSA-AES128-GCM-SHA256
    Certificate subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
    Certificate issuer: /C=US/O=Google Inc/CN=Google Internet Authority G2
    requesting https://www.google.fr/?gfe_rd=cr&dcr=0&ei=u2sYWqrfLauGtgfpsJiABg
    fetch: https://www.google.com: size of remote file is not known
    www.google.com                                          11 kB 2397 kBps 00m00s
    ```
    


  • Yep you're right - that was indeed one of the problems.

    ```
    fetch -v https://www.google.com
    resolving server address: www.google.com:443
    SSL options: 83004bff
    Peer verification enabled
    Using CA cert file: /usr/local/etc/ssl/cert.pem
    No server SSL certificate
    fetch: https://www.google.com: Authentication error
    ```
    

    I thought I had fixed it by SCPing over cert.pem from the source tar.gz and updating the symlinks everywhere, but that wasn't working reliably. Two consecutive fetch commands right after one another would have different results, one would connect over TLS successfully and the second would fail. I think I've messed up horribly somewhere when tweaking the box.

    Finally gave up and restored factory settings, and everything seems to be good again - was also able to upgrade to 2.4.2 without issues.

    Thanks Gertjan for all your help.
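The first post asks whether `cert.pem` can be repaired, and the last one describes copying `cert.pem` around and re-pointing symlinks until two consecutive `fetch` runs disagreed. Before swapping bundle files, it is worth checking that the file `fetch` actually reads (after resolving symlinks) exists and that every PEM block in it decodes to a complete DER structure. The script below is an added example, not code from the thread or from the pfSense project. It does not validate signatures or expiry; it only reports a missing, empty or structurally broken bundle. The sample bundle at the bottom is constructed for the demo: one placeholder DER SEQUENCE (not a real certificate), one block whose base64 was cut off, and one block that is base64 but not DER.

```python
#!/usr/bin/env python3
"""Structural sanity check for a PEM CA bundle such as /usr/local/etc/ssl/cert.pem.

Added example, not from the thread. Resolves symlinks, counts certificate
blocks, and flags blocks that are truncated or are not DER at all.
"""
import base64
import binascii
import os
import re
from typing import List, NamedTuple

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


class BundleReport(NamedTuple):
    resolved_path: str      # symlinks resolved; "" when checking text only
    exists: bool
    certificates: int       # PEM blocks found
    broken: List[int]       # zero-based indices of blocks that do not decode


def der_length_matches(der: bytes) -> bool:
    """True when `der` is exactly one DER SEQUENCE (every X.509 cert is one)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first == len(der)
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    length = int.from_bytes(der[2:2 + n], "big")
    return 2 + n + length == len(der)


def inspect_bundle_text(text: str, path: str = "") -> BundleReport:
    """Check every PEM certificate block in `text`."""
    blocks = PEM_BLOCK.findall(text)
    broken = []
    for i, body in enumerate(blocks):
        compact = "".join(body.split())   # drop line breaks inside the block
        try:
            der = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            broken.append(i)              # truncated or non-base64 body
            continue
        if not der_length_matches(der):
            broken.append(i)              # decodes, but is not a DER SEQUENCE
    return BundleReport(path, True, len(blocks), broken)


def inspect_bundle(path: str) -> BundleReport:
    """Follow symlinks (cert.pem is often one) and check the real file."""
    resolved = os.path.realpath(path)
    if not os.path.isfile(resolved):
        return BundleReport(resolved, False, 0, [])
    with open(resolved, "r", encoding="ascii", errors="replace") as fh:
        return inspect_bundle_text(fh.read(), resolved)


def verdict(report: BundleReport) -> str:
    if not report.exists:
        return "missing"
    if report.certificates == 0:
        return "empty"
    if report.broken:
        return "broken"
    return "ok"


def pem(body_b64: str) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + body_b64 +
            "\n-----END CERTIFICATE-----\n")


# Constructed sample data (not real certificates): a placeholder DER
# SEQUENCE, a block cut off mid-base64, and a base64 block that is not DER.
GOOD_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
GOOD_PEM = pem(base64.b64encode(GOOD_DER).decode())
SAMPLE_BUNDLE = (
    GOOD_PEM +
    pem("MAMCAQ") +
    pem(base64.b64encode(b"not a certificate").decode())
)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/etc/ssl/cert.pem"
    rep = inspect_bundle(target)
    print(f"{rep.resolved_path}: {verdict(rep)} "
          f"({rep.certificates} blocks, broken indices {rep.broken})")
```

Run it with the bundle path as the only argument; a verdict of "missing" after symlink resolution, or a non-empty list of broken indices, explains a `fetch` that cannot verify anything, while an "ok" verdict means the next thing to check is whether the bundle actually contains the issuing CA shown in the working `fetch -v` output above.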

