PfSense update over SSL fails.
-
Hi all,
Been scratching my head trying to figure this issue out on my own, without having to reinstall the latest version of pfSense, but very close to giving up. Would appreciate if anyone can point me in the right direction of what to do, apart from a backup and reinstall. Here's a summary of what's happening:
Originally had issues upgrading to pfSense 2.4.0 from 2.3.1 (GUI would always say up to date, connecting through SSH update would say packages were up to date after pkg update and pkg upgrade). The same behaviour happened when upgrading plugins too.
Got around that by modifying
```
/usr/local/etc/pkg/repos/pfSense.conf
```
However, that file gets overwritten back with https periodically, which means every time I have to update pfSense or a plugin, the only way I can do so is changing https to http. Browsing the forums further to troubleshoot the issue, I executed the 'fetch' command to packages.pfsense.org with these results: (not at home right now, copy pasting command results from earlier today)
```
fetch -v https://packages.pfsense.org
resolving server address: packages.pfsense.org:443
SSL options: 83004bff
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/cert.pem
No server SSL certificate
fetch: https://packages.pfsense.org: Authentication error
```
Looks like cert.pem doesn't have the right certs or has not been updated (probably because I updated using HTTP and not HTTPS?). I can get to the URL perfectly from any host on the rest of the LAN. Is there a way I can repair cert.pem to use the correct certs or anything else I can do to fix the authentication error? Thanks in advance!
-
Not being an 'ssl' expert, I have this feeling that your certificate from "/usr/local/etc/ssl/cert.pem" isn't important.
Btw, executing your command fetch -v https://packages.pfsense.org downloads just fine, 23 bytes, maybe not what you are looking for:
```
[2.4.2-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: fetch -v https://packages.pfsense.org
resolving server address: packages.pfsense.org:443
SSL options: 83004bff
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/cert.pem
Verify hostname
TLSv1.2 connection established using ECDHE-RSA-AES256-GCM-SHA384
Certificate subject: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.pfsense.org
Certificate issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
requesting https://packages.pfsense.org/
remote size / mtime: 23 / 1394690197
packages.pfsense.org 100% of 23 B 136 kBps 00m00s
```
That (your) "No server SSL certificate" message means the openssl part didn't get a certificate from the web server running at https://packages.pfsense.org (again, someone has to acknowledge this).
My test shows that a certificate comes from
```
Certificate subject: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.pfsense.org
Certificate issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
```
which seems fine to me, and is fine for pfSense, which logically (because built-in) has it in the trusted cert list. Or, if you want to download what is being seen on https://packages.pfsense.org/ (the web page, port 443)
```
packages.pfsense.org
```
then it is ok … ;)
Still, I advise you to hire a USB key, download the firmware (2.4.2 if amd64 proc - if not 2.3.5) the old fashioned way, extract (see procedure) the firmware to the key and install from there.
Take a copy of your config before - just to be safe.
That works, straightens out any issues - and plain works.
NOT updating, for whatever reason, is not a good plan. It brings troubles ...
-
Thanks for your reply Gertjan, I should probably have been clearer in my original post. See the part where you do this?
[quote]
[2.4.2-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: fetch -v https://packages.pfsense.org
resolving server address: packages.pfsense.org:443
SSL options: 83004bff
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/cert.pem
Verify hostname
TLSv1.2 connection established using ECDHE-RSA-AES256-GCM-SHA384
Certificate subject: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.pfsense.org
Certificate issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
requesting https://packages.pfsense.org/
remote size / mtime: 23 / 1394690197
packages.pfsense.org 100% of 23 B 136 kBps 00m00s
[/quote]
For me, the TLS connection is never established after the 'authentication error' and it returns to the bash prompt. So, with HTTPS, the update will never happen. Even when I try doing
```
pkg update
```
it is unresponsive for a while and intermittently will return
```
No Server SSL certificate
```
Regardless, I think I'm close to giving up and directly installing 2.4.2 like you suggested. My only worry is the same issue shouldn't crop up again. Once again, thanks for your help!
-
It actually looks like you can go 'out' on port 443, thus enabling an http ssl connection (whatever ssl connection).
Or worse, your pfSense is that old that you won the prize: your openssl (built into pfSense) is rejected because known buggy … (just guessing). Can you do this:
```
fetch -v https://www.google.com
```
```
[2.4.2-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: fetch -v https://www.google.com
resolving server address: www.google.com:443
SSL options: 83004bff
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/cert.pem
Verify hostname
TLSv1.2 connection established using ECDHE-ECDSA-AES128-GCM-SHA256
Certificate subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
Certificate issuer: /C=US/O=Google Inc/CN=Google Internet Authority G2
requesting https://www.google.com/
302 redirect to https://www.google.fr/?gfe_rd=cr&dcr=0&ei=u2sYWqrfLauGtgfpsJiABg
resolving server address: www.google.fr:443
SSL options: 83004bff
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/cert.pem
Verify hostname
TLSv1.2 connection established using ECDHE-ECDSA-AES128-GCM-SHA256
Certificate subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
Certificate issuer: /C=US/O=Google Inc/CN=Google Internet Authority G2
requesting https://www.google.fr/?gfe_rd=cr&dcr=0&ei=u2sYWqrfLauGtgfpsJiABg
fetch: https://www.google.com: size of remote file is not known
www.google.com 11 kB 2397 kBps 00m00s
```
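The two things this thread turns on, the OP's question of whether cert.pem can be "repaired" and Gertjan's reading that "No server SSL certificate" means no certificate ever arrived (so the bundle was never consulted), can be separated with a small diagnostic script. This is an added example, not code from the thread or from the pfSense project. It assumes the CA bundle path fetch prints in the thread (/usr/local/etc/ssl/cert.pem, overridable via the hypothetical CA_FILE variable), that openssl(1) is installed on the box for the live check, and that fetch -v uses the phrases quoted above; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense project).
# Assumptions: fetch's CA bundle is /usr/local/etc/ssl/cert.pem (as the
# verbose output in the thread shows), openssl(1) is installed for the live
# check, and fetch -v prints the phrases quoted in the thread.
CA_FILE="${CA_FILE:-/usr/local/etc/ssl/cert.pem}"

# How many PEM certificates a CA bundle holds. A real root bundle holds well
# over a hundred; 0 means the file is missing, unreadable, or not PEM at all.
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Sort verbose fetch(1) output (read from stdin) into the cases seen here:
#   no-handshake  "No server SSL certificate": the client never received a
#                 certificate, so cert.pem was never used to judge anything
#                 (Gertjan's reading of the OP's output)
#   ok            a TLS session was established and a certificate was shown
#   verify-fail   "Authentication error" without the no-certificate line,
#                 i.e. a certificate arrived but was not accepted; this is
#                 the one case where the bundle matters (assumed wording)
#   unknown       none of the markers present
classify_fetch_output() {
    out=$(cat)
    case "$out" in
        *"No server SSL certificate"*) echo no-handshake ;;
        *"connection established"*)   echo ok ;;
        *"Authentication error"*)     echo verify-fail ;;
        *)                            echo unknown ;;
    esac
}

# Live check (needs network): let openssl talk TLS to the host directly,
# validating against the same bundle fetch uses, and show only the verdict.
# "Verify return code: 0 (ok)" means the bundle trusts the server's chain;
# a failure to CONNECT at all points at the path out on port 443 instead.
check_tls_host() {
    host="$1"
    echo | openssl s_client -connect "$host:443" -servername "$host" \
        -CAfile "$CA_FILE" 2>&1 |
        grep -E 'CONNECTED|connect:|subject=|issuer=|Verify return code' || true
}

# Constructed sample: the shape of the OP's failing output.
FAIL_SAMPLE='resolving server address: packages.pfsense.org:443
SSL options: 83004bff
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/cert.pem
No server SSL certificate
fetch: https://packages.pfsense.org: Authentication error'

# Constructed sample: the shape of Gertjan's working output.
OK_SAMPLE='Verify hostname
TLSv1.2 connection established using ECDHE-RSA-AES256-GCM-SHA384
Certificate subject: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.pfsense.org'

echo "CA bundle $CA_FILE: $(count_pem_certs "$CA_FILE") certificate(s)"
if [ -L "$CA_FILE" ]; then
    echo "  (symlink -> $(readlink "$CA_FILE"))"
fi
echo "OP's output classifies as:      $(printf '%s\n' "$FAIL_SAMPLE" | classify_fetch_output)"
echo "Gertjan's output classifies as: $(printf '%s\n' "$OK_SAMPLE" | classify_fetch_output)"
# On the firewall itself, follow up with:  check_tls_host packages.pfsense.org
```

Run it on the firewall shell, then source it and call check_tls_host against the package server and against a known-good host such as www.google.com, as Gertjan suggests. A no-handshake verdict on both, which is what the OP later reports, means replacing cert.pem cannot help by itself: the bundle only decides whether to accept a certificate that was actually received, and a bundle that is missing or nearly empty shows up as a low count in the first line of output.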
-
Yep you're right - that was indeed one of the problems.
```
fetch -v https://www.google.com
resolving server address: www.google.com:443
SSL options: 83004bff
Peer verification enabled
Using CA cert file: /usr/local/etc/ssl/cert.pem
No server SSL certificate
fetch: https://www.google.com: Authentication error
```
I thought I had fixed it by SCPing over cert.pem from the source tar.gz and updating the symlinks everywhere, but that wasn't working reliably. Two consecutive fetch commands right after one another would have different results, one would connect over TLS successfully and the second would fail. I think I've messed up horribly somewhere when tweaking the box.
Finally gave up and restored factory settings, and everything seems to be good again - was also able to upgrade to 2.4.2 without issues.
Thanks Gertjan for all your help.