Netgate Discussion Forum

    AddTrust External CA Root certificate has expired! Cannot update packages..

    General pfSense Questions
    mjuhanne (last edited by mjuhanne):

      It seems the CA root certificate that the pfSense pkg server uses has expired.

      "System / Package Manager / Available Packages" shows "Unable to retrieve package information."

      In root shell:

      [2.4.5-RELEASE][root@xxxxxxx.dy.fi]/root: pkg update 
      Updating pfSense-core repository catalogue...
      Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
      34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
      Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
      34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
      Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
      34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
      pkg: https://pkg.pfsense.org/pfSense_v2_4_5_amd64-core/meta.txz: Authentication error
      repository pfSense-core has no meta file, using default settings
      ....
      

      Using openssl from the SSH console we can see that the CA certificate has expired:

      [2.4.5-RELEASE][root@xxxxxxxx.dy.fi]/root: openssl s_client -connect files00.netgate.com:443 
      CONNECTED(00000003)
      depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
      verify error:num=10:certificate has expired
      notAfter=May 30 10:48:38 2020 GMT
      ---
      Certificate chain
       0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.pfsense.org
         i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
       1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
         i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
       2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
         i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
      ---
      Server certificate
      -----BEGIN CERTIFICATE-----
      MIIG0jCCBbqgAwIBAgIRAJbkq+buFk0H+xHys22qIpEwDQYJKoZIhvcNAQELBQAw
      gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
      BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD
      VQQDEy1DT01PRE8gUlNBIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIg
      Q0EwHhcNMTgwODEwMDAwMDAwWhcNMjAwODIxMjM1OTU5WjBaMSEwHwYDVQQLExhE
      b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxHTAbBgNVBAsTFFBvc2l0aXZlU1NMIFdp
      bGRjYXJkMRYwFAYDVQQDDA0qLnBmc2Vuc2Uub3JnMIIBIjANBgkqhkiG9w0BAQEF
      AAOCAQ8AMIIBCgKCAQEA1doFAwhvJG90WH/BzP7svg1n/6wwxaBj1gkh8pl2F2wV
      8Bw/yvxXzzq4TnqskEMxipZYB05VMGsESkRS15EgM7i7Uh9Q/LloUTqAu/TJy0Sj
      GD2Ssj6mkAoDsi7wKBF/Co7RTbGTxJS+FkpchS2+me322A1qjV0b/yQjyjq05uCJ
      5K8KTvX0XLeB1PsiEseUCtkEoHSAo31pLcgHuY5psNtrTeOLrW7iZORafHJiSk08
      TGrxG+wvcNy4igfgU/3R/vKz6uWDC1/GD2I46+hIETM1wZ7sXZ0R3dbMHh0uvWNI
      jSDequy7/RAYJ4CM8a33o2W7WmL7v1uutIZM9wYTDwIDAQABo4IDWjCCA1YwHwYD
      VR0jBBgwFoAUkK9qOpRaC9iQ6hJWc99DtDoo2ucwHQYDVR0OBBYEFL1I93WZLbK8
      U78Z6gpP6eGtejMTMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1Ud
      JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEB
      AgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BT
      MAgGBmeBDAECATBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vY3JsLmNvbW9kb2Nh
      LmNvbS9DT01PRE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3Js
      MIGFBggrBgEFBQcBAQR5MHcwTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jcnQuY29tb2Rv
      Y2EuY29tL0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5j
      cnQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTAlBgNVHREE
      HjAcgg0qLnBmc2Vuc2Uub3JnggtwZnNlbnNlLm9yZzCCAX8GCisGAQQB1nkCBAIE
      ggFvBIIBawFpAHUA7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/csAAAFl
      JM7IPAAABAMARjBEAiADCkP9mMwYmIMPM2x2iyojDEQuA3g0aorXElAvDHlP3QIg
      e1my+pzzW0sVz9z8j8s79Xvc0IMSBELvOQ7EHkx5lH0AdwBep3P531bA57U2SH3Q
      SeAyepGaDIShEhKEGHWWgXFFWAAAAWUkzsiBAAAEAwBIMEYCIQCv30QiixrkpjC2
      gVyNviNYcJRlxzJ11HmulbwMpZFrWgIhAIw60cbQbcZAlrRr34M4nQ1p4ohw1uZU
      694m2hj2EDAiAHcAVYHUwhaQNgFK6gubVzxT8MDkOHhwJQgXL6OqHQcT0wwAAAFl
      JM7IYgAABAMASDBGAiEA3skhrWpIeeBsdwOAx0A8ihd//JIMXHQgczyLTFFAlMcC
      IQDTXcGXn84EIdpurzfdyQhk82HddRNv77OPPrV/kdQ5dTANBgkqhkiG9w0BAQsF
      AAOCAQEAZEO9OZut0oEeJyJEd72voyKU8D+/p4cjv4W/BwEQAxKE0TGTXlRH5M2e
      XMls+SpqUZELe8E5fR/g3D4B+hA0XXyCInEhGkcQDRp/PCqtmc+DVtJid7ARRqbS
      77hqG81TPo87bRKCa8kQo8BimGJQEWJgorSpWDsWmDsx/j8JVWsZ8erTwkYROuYd
      LNTNPIv6LrvCm28GTeCtlE7nH1QL5Q9V//91NTe/PwVnmxc6RkwEJRCDSQaypjvj
      vXBVQuBJUaNofLnnsL9pqP3kaGrKOzvYIF/AfpL340xgMO7tSLCmoABJZvZAcvTR
      hmRrL+s11yDlW4i2VFX7wbevShfFxQ==
      -----END CERTIFICATE-----
      subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.pfsense.org
      issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
      ---
      No client certificate CA names sent
      Peer signing digest: SHA512
      Server Temp Key: ECDH, P-256, 256 bits
      ---
      SSL handshake has read 5216 bytes and written 433 bytes
      ---
      New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
      Server public key is 2048 bit
      Secure Renegotiation IS supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      SSL-Session:
          Protocol  : TLSv1.2
          Cipher    : ECDHE-RSA-AES256-GCM-SHA384
          Session-ID: 72C46655130B4FEBF6E7410902B06414095A4F0046E2A55F84F3ADE9AB34DC1A
          Session-ID-ctx: 
          Master-Key: 4A204497F3E2C53906466A0376BB9A08EF8A4AD64B8867CDF3A6682FD240E52C24D89FEEDE1044D97E8979A337BDFF27
          Key-Arg   : None
          PSK identity: None
          PSK identity hint: None
          SRP username: None
          Start Time: 1590839382
          Timeout   : 300 (sec)
          Verify return code: 10 (certificate has expired)
      ---
      closed
      
      

      First I thought my system date was incorrect, but via Google I can see that the AddTrust CA certificate will/has indeed expired today!
      https://thesslonline.com/blog/sectigo-addtrust-external-ca-root-expiring-may-30-2020

      How can I force the pkg update now and also install additional packages?

      darckense:
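      The openssl s_client output above reports the failure at depth=3, which is the AddTrust root held in the pfSense box's own trust store; the three certificates the server actually sent (depths 0 to 2) are not the ones that lapsed. The script below is an added example and not code from this thread or from Netgate: a stdlib-only DER walker that reads every certificate in a PEM blob (the format `openssl s_client -showcerts` prints) and reports subject CN, issuer CN and validity window, so you can see which link in a chain has expired without depending on the verify error text. Its sample input is the *.pfsense.org leaf certificate quoted in the post above (re-wrapped two PEM lines per line), and its reference clock is the session's Start Time 1590839382; all function and variable names are mine.

```python
import base64
import re
from datetime import datetime, timezone

# Leaf certificate from the s_client output in the post above (two PEM lines per line).
PFSENSE_LEAF_PEM = """-----BEGIN CERTIFICATE-----
MIIG0jCCBbqgAwIBAgIRAJbkq+buFk0H+xHys22qIpEwDQYJKoZIhvcNAQELBQAw gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD VQQDEy1DT01PRE8gUlNBIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIg
Q0EwHhcNMTgwODEwMDAwMDAwWhcNMjAwODIxMjM1OTU5WjBaMSEwHwYDVQQLExhE b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxHTAbBgNVBAsTFFBvc2l0aXZlU1NMIFdp
bGRjYXJkMRYwFAYDVQQDDA0qLnBmc2Vuc2Uub3JnMIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEA1doFAwhvJG90WH/BzP7svg1n/6wwxaBj1gkh8pl2F2wV
8Bw/yvxXzzq4TnqskEMxipZYB05VMGsESkRS15EgM7i7Uh9Q/LloUTqAu/TJy0Sj GD2Ssj6mkAoDsi7wKBF/Co7RTbGTxJS+FkpchS2+me322A1qjV0b/yQjyjq05uCJ
5K8KTvX0XLeB1PsiEseUCtkEoHSAo31pLcgHuY5psNtrTeOLrW7iZORafHJiSk08 TGrxG+wvcNy4igfgU/3R/vKz6uWDC1/GD2I46+hIETM1wZ7sXZ0R3dbMHh0uvWNI
jSDequy7/RAYJ4CM8a33o2W7WmL7v1uutIZM9wYTDwIDAQABo4IDWjCCA1YwHwYD VR0jBBgwFoAUkK9qOpRaC9iQ6hJWc99DtDoo2ucwHQYDVR0OBBYEFL1I93WZLbK8
U78Z6gpP6eGtejMTMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1Ud JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEB
AgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BT MAgGBmeBDAECATBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vY3JsLmNvbW9kb2Nh
LmNvbS9DT01PRE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3Js MIGFBggrBgEFBQcBAQR5MHcwTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jcnQuY29tb2Rv
Y2EuY29tL0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5j cnQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTAlBgNVHREE
HjAcgg0qLnBmc2Vuc2Uub3JnggtwZnNlbnNlLm9yZzCCAX8GCisGAQQB1nkCBAIE ggFvBIIBawFpAHUA7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/csAAAFl
JM7IPAAABAMARjBEAiADCkP9mMwYmIMPM2x2iyojDEQuA3g0aorXElAvDHlP3QIg e1my+pzzW0sVz9z8j8s79Xvc0IMSBELvOQ7EHkx5lH0AdwBep3P531bA57U2SH3Q
SeAyepGaDIShEhKEGHWWgXFFWAAAAWUkzsiBAAAEAwBIMEYCIQCv30QiixrkpjC2 gVyNviNYcJRlxzJ11HmulbwMpZFrWgIhAIw60cbQbcZAlrRr34M4nQ1p4ohw1uZU
694m2hj2EDAiAHcAVYHUwhaQNgFK6gubVzxT8MDkOHhwJQgXL6OqHQcT0wwAAAFl JM7IYgAABAMASDBGAiEA3skhrWpIeeBsdwOAx0A8ihd//JIMXHQgczyLTFFAlMcC
IQDTXcGXn84EIdpurzfdyQhk82HddRNv77OPPrV/kdQ5dTANBgkqhkiG9w0BAQsF AAOCAQEAZEO9OZut0oEeJyJEd72voyKU8D+/p4cjv4W/BwEQAxKE0TGTXlRH5M2e
XMls+SpqUZELe8E5fR/g3D4B+hA0XXyCInEhGkcQDRp/PCqtmc+DVtJid7ARRqbS 77hqG81TPo87bRKCa8kQo8BimGJQEWJgorSpWDsWmDsx/j8JVWsZ8erTwkYROuYd
LNTNPIv6LrvCm28GTeCtlE7nH1QL5Q9V//91NTe/PwVnmxc6RkwEJRCDSQaypjvj vXBVQuBJUaNofLnnsL9pqP3kaGrKOzvYIF/AfpL340xgMO7tSLCmoABJZvZAcvTR
hmRrL+s11yDlW4i2VFX7wbevShfFxQ==
-----END CERTIFICATE-----
"""

# Reference clock: "Start Time: 1590839382" from the s_client session (30 May 2020 UTC).
THREAD_DAY = datetime.fromtimestamp(1590839382, tz=timezone.utc)

def pem_to_der(pem):
    """Return the DER bytes of every certificate in a PEM blob (e.g. -showcerts output)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def _tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _time(tag, val):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) -> aware datetime."""
    s = val.decode("ascii")
    if tag == 0x17:                          # RFC 5280 4.1.2.5.1: YY >= 50 means 19YY, else 20YY
        yy = int(s[:2])
        s = ("19" if yy >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def _common_name(name):
    """First commonName (OID 2.5.4.3) in an X.501 Name, or None if there is none."""
    pos = 0
    while pos < len(name):
        _, rdn, pos = _tlv(name, pos)        # RelativeDistinguishedName (SET)
        _, atv, _ = _tlv(rdn, 0)             # AttributeTypeAndValue (SEQUENCE)
        _, oid, after_oid = _tlv(atv, 0)
        _, val, _ = _tlv(atv, after_oid)
        if oid == b"\x55\x04\x03":
            return val.decode("utf-8", "replace")
    return None

def cert_info(der):
    """Subject CN, issuer CN and validity window of one DER-encoded certificate."""
    _, cert, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                # tbsCertificate SEQUENCE
    tag, _, pos = _tlv(tbs, 0)               # version [0] EXPLICIT is optional (absent in v1)
    if tag != 0xA0:
        pos = 0
    _, _, pos = _tlv(tbs, pos)               # serialNumber
    _, _, pos = _tlv(tbs, pos)               # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)
    _, validity, pos = _tlv(tbs, pos)
    _, subject, _ = _tlv(tbs, pos)
    t1, nb, p = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, p)
    return {"subject": _common_name(subject), "issuer": _common_name(issuer),
            "not_before": _time(t1, nb), "not_after": _time(t2, na)}

def chain_report(pem, now):
    """One dict per certificate in the PEM blob, with an 'expired' verdict as of `now`."""
    out = []
    for der in pem_to_der(pem):
        info = cert_info(der)
        info["expired"] = now > info["not_after"]
        out.append(info)
    return out

if __name__ == "__main__":
    for c in chain_report(PFSENSE_LEAF_PEM, THREAD_DAY):
        print(f"{c['subject']!r} issued by {c['issuer']!r}, valid until {c['not_after']:%Y-%m-%d}, expired={c['expired']}")
```

      Run against the leaf above it reports a certificate still valid until 2020-08-21, which is exactly why the "certificate has expired" message is misleading at first sight: the lapsed certificate is the root in the local trust bundle, which the server never sends. Pipe the root bundle your pkg client trusts through `chain_report` to find it. The script only checks the notAfter dates; it is a diagnostic aid, not a replacement for `openssl verify`, which also checks signatures and chain building.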

        Thank you! I just did a clean re-install on my device due to some virtualisation issues and got half way through when package manager appeared to fall over. At least I know I'm not going mad now, though I have wasted the last 4 hours!

        Is there a way of manually getting the appropriate packages, wget style?

          cchaduka (replying to mjuhanne):

          @mjuhanne Just got bitten by this same issue. Eagerly waiting for a fix. Restoring old appliance for now.

              fishbone222:

              As mentioned here: https://forum.netgate.com/topic/154033/unable-to-download-available-package-list-cert-expired

              I downloaded the needed packages by faking the date to make AddTrust valid again.
              But that's not at all a solution. Barely a workaround.

                darckense (replying to fishbone222, last edited by darckense):

                @fishbone222 said in AddTrust External CA Root certificate has expired! Cannot update packages..:

                https://forum.netgate.com/topic/154033/unable-to-download-available-package-list-cert-expired

                That's useful thanks, worked for me! Seems problem is fixed now.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.