Netgate Discussion Forum

[Solved] need to add an upstream certificate for my FW.

General pfSense Questions
  • A
    Anony_Moose
    last edited by Jan 11, 2018, 1:48 PM Jan 10, 2018, 6:21 PM

    So, here's a new one.

    I'm running pfSense in my test lab to mess with virtual routing and SDNs. My internet connection is provided by my school so I'm dealing with their MITM certificate for our Fortigate FW.

    I added the certificate to the system via CAs in the certs menu of the webconfigurator, but when trying to check for updates the system says it's up to date (which I know it's not), and when trying to update from console I get this:

    >>> Updating repositories metadata...
    Updating pfSense-core repository catalogue...
    pkg-static: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory
    Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/emailAddress=support@fortinet.com
    12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
    Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/emailAddress=support@fortinet.com
    12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
    pkg-static: https://pkg.pfsense.org/pfSense_v2_4_2_amd64-core/meta.txz: Authentication error
    repository pfSense-core has no meta file, using default settings
    Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/emailAddress=support@fortinet.com
    12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
    Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/emailAddress=support@fortinet.com
    12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
    pkg-static: https://pkg.pfsense.org/pfSense_v2_4_2_amd64-core/packagesite.txz: Authentication error
    Unable to update repository pfSense-core
    Updating pfSense repository catalogue...
    pkg-static: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory
    Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/emailAddress=support@fortinet.com
    12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
    Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/emailAddress=support@fortinet.com
    12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
    pkg-static: https://pkg.pfsense.org/pfSense_v2_4_2_amd64-pfSense_v2_4_2/meta.txz: Authentication error
    repository pfSense has no meta file, using default settings
    Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/emailAddress=support@fortinet.com
    12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
    Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/emailAddress=support@fortinet.com
    12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
    pkg-static: https://pkg.pfsense.org/pfSense_v2_4_2_amd64-pfSense_v2_4_2/packagesite.txz: Authentication error
    Unable to update repository pfSense
    

    I understand this isn't a normal requirement, but I'm not sure where to go from here. I've even tried amending the certificate to

    /usr/local/share/certs/ca-root-nss.crt

    
    TLDR: I need to install a root CA but I can't for the life of me get pfSense to accept the certificate as valid.

    I'm not exactly sure what I'm doing here.

    • G
      Grimson Banned
      last edited by Jan 10, 2018, 6:30 PM

      There are two places where certificates are stored on pfSense:

      
      /usr/local/etc/ssl/cert.pem
      /usr/local/share/certs/ca-root-nss.crt
      
      

      so try to add your cert to the list in /usr/local/etc/ssl/cert.pem too.

      • A
        Anony_Moose
        last edited by Jan 10, 2018, 6:46 PM

        @Grimson:

        There are two places where certificates are stored on pfSense:

        
        /usr/local/etc/ssl/cert.pem
        /usr/local/share/certs/ca-root-nss.crt
        
        

        so try to add your cert to the list in /usr/local/etc/ssl/cert.pem too.

        So I did this, and now both files are empty…..

        I'm not exactly sure what I'm doing here.

        • G
          Grimson Banned
          last edited by Jan 10, 2018, 6:52 PM

          @ipat8:

          So I did this, and now both files are empty…..

          pfSense doesn't empty them, it might overwrite them during an update but nothing more than that. So take the backup you made (you did back up these files before editing them, didn't you?) and try again.

          • A
            Anony_Moose
            last edited by Jan 11, 2018, 1:01 PM

            @Grimson:

            @ipat8:

            So I did this, and now both files are empty…..

            pfSense doesn't empty them, it might overwrite them during an update but nothing more than that. So take the backup you made (you did back up these files before editing them, didn't you?) and try again.

            It's a VM, I'll just reinstall, but moreover, they are empty, and the templates are empty as well. I edited them through the webUI, so I'll try with vi and see if that makes a difference.

            I'm not exactly sure what I'm doing here.

            • A
              Anony_Moose
              last edited by Jan 11, 2018, 1:47 PM

              So, solution update. Editing the files via the webconfigurator was my problem. It seems as though the editor was saving blank files instead of my changes, and as such nothing was working. I edited the files with VI and the cert was accepted into the system. I do still have an issue with a different upstream cert, but I can fix that based on my fix with this one.

              Thanks for everyone's help, I'll try to add a guide on my site for this because I couldn't find anywhere online that referenced both files.

              I'm not exactly sure what I'm doing here.
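
The fix the thread arrived at, appending the upstream CA to both bundle files, as an added example (not code from the posters or from pfSense). It keeps a backup, refuses empty input and installs the new file by rename, so a failed edit cannot leave an empty bundle; the function names and the `ROOT` prefix argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): append a CA to a PEM trust bundle safely.

# pem_body FILE: base64 of the certificate block(s) in FILE, on one line.
pem_body() {
    sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$1" |
        grep -v -- '-----' | tr -d ' \r\n'
}

# add_ca_to_bundle CERT BUNDLE: 0 = appended or already present, >0 = refused.
add_ca_to_bundle() {
    cert=$1; bundle=$2
    # Never start from an empty or missing file on either side.
    [ -s "$cert" ]   || { echo "empty or missing: $cert" >&2; return 2; }
    [ -s "$bundle" ] || { echo "empty or missing: $bundle" >&2; return 3; }
    # Structural check only (assumption: the certificate is not parsed).
    body=$(pem_body "$cert")
    [ -n "$body" ] || { echo "no PEM certificate in $cert" >&2; return 4; }

    # Idempotent: skip when the same base64 body is already in the bundle.
    if tr -d ' \r\n' < "$bundle" | grep -qF -- "$body"; then
        echo "already present in $bundle"; return 0
    fi

    # Keep the first pristine copy; later runs do not overwrite it.
    [ -e "$bundle.orig" ] || cp -p "$bundle" "$bundle.orig" || return 5

    # Build the new bundle beside the old one (cp -p keeps owner and mode).
    tmp="$bundle.new.$$"
    cp -p "$bundle" "$tmp" || return 6
    { echo; cat "$cert"; } >> "$tmp" || { rm -f "$tmp"; return 6; }

    # Install only if the result grew, then swap it in with a single rename.
    if [ $(wc -c < "$tmp") -le $(wc -c < "$bundle") ]; then
        rm -f "$tmp"; echo "refusing to shrink $bundle" >&2; return 7
    fi
    mv "$tmp" "$bundle"
}

# Apply to the two files named in the thread. ROOT is a hypothetical prefix
# (default empty) for trying the change on a scratch copy first.
add_ca_to_pfsense_bundles() {
    ca=$1; root=${2:-}
    for f in /usr/local/etc/ssl/cert.pem /usr/local/share/certs/ca-root-nss.crt; do
        add_ca_to_bundle "$ca" "$root$f" || return $?
    done
}
# Run only when given a certificate path: sh add-ca.sh /path/to/upstream-ca.pem
if [ "$#" -ge 1 ]; then add_ca_to_pfsense_bundles "$@"; fi
```

As noted in the thread, an update may overwrite these files, so the change may need to be re-applied afterwards. If a bundle path is a symlink, the rename replaces it with a regular file holding the same content plus the new CA.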
