Unable to Download Available Package List - Cert Expired?
-
Tried from GUI, no dice. Trying from command line:
[2.4.5-RELEASE][root@XXXXX.XXX]/root: pkg update
Updating pfSense-core repository catalogue...
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Error updating repositories!
Looking in /usr/local/share/certs/vi ca-root-nss.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Validity
            Not Before: May 30 10:48:38 2000 GMT
            Not After : May 30 10:48:38 2020 GMT
        Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
Expired earlier today.
Any ideas?
-
Same problem here.
AddTrust External CA Root is well known to expire today.
https://www.tbs-certificates.co.uk/FAQ/en/357.html
I downloaded the needed package by faking the date:
disable ntp
date 2005291212
pkg update
install package
enable ntp
Even "pkg upgrade" and "pkg install ca_root_nss" didn't fix the problem.
"openssl s_client -connect files01.netgate.com:443" also results in a certificate expired warning.
Is there a new pkg server for pfSense?
There is also another thread about that topic with a better name:
https://forum.netgate.com/topic/154032/addtrust-external-ca-root-certificate-has-expired-cannot-update-packages
-
I join this:
-
Thanks for reporting. Our IT team is aware of the issue and they are working to correct it now. We’ll post an update when it is resolved.
-
@dennis_s Awesome!
The issue seems to be that files00.netgate.com and files01.netgate.com are providing an invalid certificate chain.
However, SSL Labs and my Ubuntu Desktop do not seem to care about the provided chain and still find the correct validation path on their own (Path #1).
The server is, however, reporting Path #2 and the pfSense box sticks to that - which fails.
-
Ahh, I've been struggling with this since morning (GMT +5:30), thinking that I'm a newbie to pfSense, and then I found this thread. @dennis_s hope you guys resolve it soon.
-
It works again! :)
No need to restart or update anything, they just removed the last erroneous certificate from the provided chain.
-
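The chain behaviour described in the posts above (an expired certificate at the end of the served chain, fixed by removing it), as an added example that is not part of any post in this thread. It is a simplified model that links certificates by issuer name only, not real X.509 validation; apart from the AddTrust and USERTrust names and the AddTrust expiry shown in the thread, every name and date is constructed.

```python
from datetime import datetime, timezone

# Constructed model. Only the AddTrust expiry comes from the dump in this
# thread; hostnames, the intermediate name and other dates are assumptions.
ADDTRUST_EXPIRY = datetime(2020, 5, 30, 10, 48, 38, tzinfo=timezone.utc)
LATER = datetime(2030, 1, 1, tzinfo=timezone.utc)
USERTRUST = "USERTrust RSA Certification Authority"
ADDTRUST = "AddTrust External CA Root"

def cert(subject, issuer, not_after):
    return {"subject": subject, "issuer": issuer, "not_after": not_after}

# Chain as sent by the server: leaf, intermediate, then a cross-signed
# USERTrust certificate issued by the expired AddTrust root.
SERVED_CHAIN = [
    cert("files.example.test", "Example Intermediate CA", LATER),
    cert("Example Intermediate CA", USERTRUST, LATER),
    cert(USERTRUST, ADDTRUST, ADDTRUST_EXPIRY),
]
# Local trust store holds both self-signed roots, keyed by subject.
TRUST_STORE = {
    USERTRUST: cert(USERTRUST, USERTRUST, LATER),
    ADDTRUST: cert(ADDTRUST, ADDTRUST, ADDTRUST_EXPIRY),
}

def build_path(chain, store, trusted_first):
    """Walk issuer links from the leaf until a trust-store root is reached."""
    sent = {c["subject"]: c for c in chain[1:]}
    path = [chain[0]]
    while True:
        issuer = path[-1]["issuer"]
        if issuer in store and (trusted_first or issuer not in sent):
            return path + [store[issuer]]
        if issuer not in sent:
            raise ValueError("no issuer for " + path[-1]["subject"])
        path.append(sent.pop(issuer))  # follow the certificate the server sent

def verify(chain, store, now, trusted_first):
    """Return (ok, subjects on the path, subjects that are expired at `now`)."""
    path = build_path(chain, store, trusted_first)
    expired = [c["subject"] for c in path if c["not_after"] < now]
    return not expired, [c["subject"] for c in path], expired

if __name__ == "__main__":
    now = datetime(2020, 5, 30, 12, 0, tzinfo=timezone.utc)
    print("sent chain first :", verify(SERVED_CHAIN, TRUST_STORE, now, False))
    print("trust store first:", verify(SERVED_CHAIN, TRUST_STORE, now, True))
    print("last cert removed:", verify(SERVED_CHAIN[:-1], TRUST_STORE, now, False))
```

A client that prefers the sent chain ends up on the expired path, a client that checks its trust store first stops at the still-valid root, and dropping the last certificate from the served chain makes both strategies agree.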
-
Boom thanks all
-
YEA IT's working now :)
-
Configuration backups still failing; cat /tmp/acb_backupdebug.txt:
https://acb.netgate.com/listaction=showbackups
SSL certificate problem: certificate has expired
If I use KeyStore Explorer with url "acb.netgate.com", I still see that the cert "USERTrust RSA Certification Authority" is expired
-
While the packages list is resolved, I also have a big problem with the expired certificate.
DDNS not updating and webservers that are updated I cannot access because of certificate expiration.
https://forum.netgate.com/topic/154043/ddns-not-updating-cert-expired
-
@kristian How do I do this?
-
@joeker Your issue is not related to this.
Open a ticket with TAC. https://go.netgate.com/