Netgate Discussion Forum
    Unable to Download Available Package List - Cert Expired?

    Problems Installing or Upgrading pfSense Software
    14 Posts 10 Posters 4.4k Views
    • C
      chall32
      last edited by

      Tried from GUI, no dice. Trying from command line:

      [2.4.5-RELEASE][root@XXXXX.XXX]/root: pkg update
      Updating pfSense-core repository catalogue...
      Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
      34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
      
      Error updating repositories!
      

      Looking in /usr/local/share/certs/vi ca-root-nss.crt

      Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number: 1 (0x1)
          Signature Algorithm: sha1WithRSAEncryption
              Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
              Validity
                  Not Before: May 30 10:48:38 2000 GMT
                  Not After : May 30 10:48:38 2020 GMT
              Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
              Subject Public Key Info:
                  Public Key Algorithm: rsaEncryption
                      Public-Key: (2048 bit)
      

      Expired earlier today.

      Any ideas?

      • F
        fishbone222
        last edited by fishbone222

        Same problem here.
        AddTrust External CA Root is well known to expire today.
        https://www.tbs-certificates.co.uk/FAQ/en/357.html

        I downloaded the needed Package by faking the date:
        disable ntp
        date 2005291212
        pkg update
        install package
        enable ntp

        Even "pkg upgrade" and "pkg install ca_root_nss" didn't fix the problem.

        "openssl s_client -connect files01.netgate.com:443" also results in a certificate expired warning.

        Is there a new pkg server for pfSense?

        There is also another thread about that topic with a better name:
        https://forum.netgate.com/topic/154032/addtrust-external-ca-root-certificate-has-expired-cannot-update-packages

        • DaddyGoD
          DaddyGo
          last edited by

          I join this:

          ba026ad0-bc85-42f4-afad-da9e5fd5f907-image.png

          Cats bury it so they can't see it!
          (You know what I mean if you have a cat)

          • dennis_sD
            dennis_s @chall32
            last edited by

            Thanks for reporting. Our IT team is aware of the issue and they are working to correct it now. We'll post an update when it is resolved.

            • K
              kristian
              last edited by

              @dennis_s Awesome!

              The issue seems to be that files00.netgate.com and files01.netgate.com are providing an invalid certificate chain.

              However, SSL Labs and my Ubuntu Desktop do not seem to care about the provided chain and still find the correct validation path on their own (Path #1).

              The server is however reporting Path #2 and the pfSense box sticks to that - which fails.

              • H
                Hiteshk
                last edited by Hiteshk

                Ahh, I've been struggling with this since morning (GMT +5:30), thinking that I'm a newbie to pfSense, and then I found this thread. @dennis_s hope you guys resolve it soon.

                certificateError.png

                • K
                  kristian
                  last edited by

                  It works again! :)

                  No need to restart or update anything, they just removed the last erroneous certificate from the provided chain.

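Added example, not part of any post in this thread and not Netgate's or pfSense's code: a simplified Python model (names and expiry dates only, no signature checks) of the two client behaviours kristian describes above, and of the fix of dropping the last certificate from the chain the server sends. The leaf and intermediate entries, their dates, NOW and the prefer_store switch are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)

ADDTRUST = "AddTrust External CA Root"
USERTRUST = "USERTrust RSA Certification Authority"
EXPIRY = utc(2020, 5, 30, 10, 48, 38)        # "Not After" quoted in the first post

# Constructed sample data: leaf/intermediate names and all other dates are placeholders.
LEAF = Cert("files01.netgate.com", "Example Intermediate CA", utc(2021, 1, 1))
INTERMEDIATE = Cert("Example Intermediate CA", USERTRUST, utc(2030, 1, 1))
CROSS = Cert(USERTRUST, ADDTRUST, EXPIRY)    # cross-certificate, assumed to expire with its issuer
STORE = {USERTRUST: Cert(USERTRUST, USERTRUST, utc(2038, 1, 1)),
         ADDTRUST: Cert(ADDTRUST, ADDTRUST, EXPIRY)}
NOW = utc(2020, 5, 30, 12, 0, 0)

def validate(chain, store, now, prefer_store):
    """Walk from chain[0] (the leaf) towards a trust anchor; return (ok, path, reason)."""
    sent = {c.subject: c for c in chain[1:]}
    cert, path = chain[0], []
    for _ in range(len(chain) + len(store) + 1):   # bound the walk against loops
        path.append(f"{cert.subject} <- {cert.issuer}")
        if cert.not_after <= now:
            return False, path, "certificate has expired"
        if store.get(cert.subject) == cert:
            return True, path, "reached trust anchor"
        anchor, from_server = store.get(cert.issuer), sent.get(cert.issuer)
        if prefer_store and anchor:                # path-building client: local store wins
            cert = anchor
        elif from_server and from_server != cert:  # client that sticks to the sent chain
            cert = from_server
        elif anchor:
            cert = anchor
        else:
            return False, path, "issuer not found"
    return False, path, "path too long"

if __name__ == "__main__":
    for label, chain, pref in [("sent chain, followed as sent", [LEAF, INTERMEDIATE, CROSS], False),
                               ("sent chain, store preferred ", [LEAF, INTERMEDIATE, CROSS], True),
                               ("chain without last cert     ", [LEAF, INTERMEDIATE], False)]:
        print(label, validate(chain, STORE, NOW, pref))
```

In this model the first case ends on the expired cross-certificate, while the other two end at the unexpired self-signed root already in the store, which is why no client-side change was needed once the extra certificate was dropped.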
                  • DaddyGoD
                    DaddyGo
                    last edited by DaddyGo

                    We have already received an answer!
                    It is a pity to increase this further!
                    THX @dennis_s

                    edit: @kristian Kristian this is not just ...
                    It's been a time since the guys are working on it, we're just in different time zones! ☺

                    Cats bury it so they can't see it!
                    (You know what I mean if you have a cat)

                    • C
                      chall32
                      last edited by

                      Boom thanks all 👍😎👍

                      • H
                        Hiteshk
                        last edited by

                        YEA IT's working now :)

                        • pvtbrutusP
                          pvtbrutus
                          last edited by pvtbrutus

                          Configuration backups still failing; cat /tmp/acb_backupdebug.txt:

                          https://acb.netgate.com/listaction=showbackups

                          SSL certificate problem: certificate has expired

                          If I use KeyStore Explorer with url "acb.netgate.com", I still see that the cert "USERTrust RSA Certification Authority" is expired

                          • C
                            carobell
                            last edited by

                            While the packages list is resolved, I also have a big problem with the expired certificate.
                            DDNS not updating and webservers that are updated I cannot access because of certificate expiration.

                            https://forum.netgate.com/topic/154043/ddns-not-updating-cert-expired

                            • J
                              joeker @kristian
                              last edited by

                              @kristian How do I do this?

                              • R
                                rcoleman-netgate Netgate @joeker
                                last edited by

                                @joeker Your issue is not related to this.

                                Open a ticket with TAC. https://go.netgate.com/

                                Ryan
                                Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
                                Requesting firmware for your Netgate device? https://go.netgate.com
                                Switching: Mikrotik, Netgear, Extreme
                                Wireless: Aruba, Ubiquiti

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.