AddTrust External CA Root certificate has expired! Cannot update packages..
-
It seems the CA root certificate that the pfSense pkg server uses has expired.
"System / Package Manager / Available Packages" shows "Unable to retrieve package information."
In root shell:
[2.4.5-RELEASE][root@xxxxxxx.dy.fi]/root: pkg update
Updating pfSense-core repository catalogue...
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg: https://pkg.pfsense.org/pfSense_v2_4_5_amd64-core/meta.txz: Authentication error
repository pfSense-core has no meta file, using default settings
....
Using openssl from SSH console we can see that the CA certificate has expired:
[2.4.5-RELEASE][root@xxxxxxxx.dy.fi]/root: openssl s_client -connect files00.netgate.com:443
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.pfsense.org
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.pfsense.org
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5216 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 72C46655130B4FEBF6E7410902B06414095A4F0046E2A55F84F3ADE9AB34DC1A
    Session-ID-ctx:
    Master-Key: 4A204497F3E2C53906466A0376BB9A08EF8A4AD64B8867CDF3A6682FD240E52C24D89FEEDE1044D97E8979A337BDFF27
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1590839382
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)
---
closed
First I thought my system date was incorrect, but via Google I can see that the AddTrust CA certificate will/has indeed expired today!
https://thesslonline.com/blog/sectigo-addtrust-external-ca-root-expiring-may-30-2020
How can I force the pkg update now and also install additional packages?
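An added example, not part of the original post: a POSIX shell function that reads `openssl s_client` output and reports which certificate failed verification and whether it sits inside the chain the server sent or beyond it, which means it came from the client's own CA bundle. The function names and output format are assumptions; the sample input is constructed by abbreviating the output quoted above.

```shell
#!/bin/sh
# Added example: locate the certificate that failed verification in
# `openssl s_client` output. Sample below is constructed (abbreviated from the thread).
sample_output() {
cat <<'EOF'
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.pfsense.org
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
EOF
}

# Heuristic: a failing depth above the highest index in "Certificate chain"
# was not sent by the server, so it was taken from the local trust store.
diagnose_verify_errors() {
    awk '
    /^depth=[0-9]+ / {
        d = substr($1, 7)                       # number after "depth="
        subj = $0; sub(/^depth=[0-9]+ /, "", subj)
        next
    }
    /^verify error:num=[0-9]+:/ {
        n++; depth[n] = d; subject[n] = subj
        split($0, f, ":"); reason[n] = f[3]     # text after num=NN:
        next
    }
    /^notAfter=/ && n { expiry[n] = substr($0, 10); next }
    /^ *[0-9]+ s:/ { if ($1 + 0 > sent) sent = $1 + 0; seen = 1 }
    END {
        for (i = 1; i <= n; i++) {
            src = (seen && depth[i] + 0 > sent) ? "client-trust-store" : "server-chain"
            printf "depth=%s source=%s reason=%s notAfter=%s subject=%s\n",
                depth[i], src, reason[i], expiry[i], subject[i]
        }
    }'
}

sample_output | diagnose_verify_errors
```

On the sample, the expired certificate is reported at depth 3 while the server sent only indexes 0 to 2, so the failing AddTrust root is the copy in the client's CA bundle rather than anything the server presented.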
-
Thank you! I just did a clean re-install on my device due to some virtualisation issues and got half way through when package manager appeared to fall over. At least I know I'm not going mad now, though I have wasted the last 4 hours!
Is there a way of manually getting the appropriate packages, wget style?
-
@mjuhanne Just got bitten by this same issue. Eagerly waiting for a fix. Restoring old appliance for now.
-
-
As mentioned here: https://forum.netgate.com/topic/154033/unable-to-download-available-package-list-cert-expired
I downloaded the needed packages by faking the date to make AddTrust valid again.
But that's not at all a solution. Barely a workaround.
-
@fishbone222 said in AddTrust External CA Root certificate has expired! Cannot update packages..:
https://forum.netgate.com/topic/154033/unable-to-download-available-package-list-cert-expired
That's useful thanks, worked for me! Seems problem is fixed now.