Unable to Download Available Package List - Cert Expired?
Tried from GUI, no dice. Trying from command line:
[2.4.5-RELEASE][root@XXXXX.XXX]/root: pkg update Updating pfSense-core repository catalogue... Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root 34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269: Error updating repositories!
Looking in /usr/local/share/certs/vi ca-root-nss.crt
Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root Validity Not Before: May 30 10:48:38 2000 GMT Not After : May 30 10:48:38 2020 GMT Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit)
Expired earlier today.
Same problem here.
AddTrust External CA Root is well known to expire today.
I downloaded the needed Package by faking the date:
even "pkg upgrade" and "pkg install ca_root_nss" didn't fix the problem.
"openssl s_client -connect files01.netgate.com:443" results also in an certificate expired warning.
Is there a new pgk server for pfsense?
There is also another thread about that topic with a better name:
DaddyGo last edited by
I join this:
Thanks for reporting. Our IT team is aware of the issue and they are working to correct now. We’ll post an update when it is resolved.
The issue seems to be that files00.netgate.com and files01.netgate.com are providing invalid certificate chain.
However, SSL Labs and my Ubuntu Dekstop does not seem to care about provided chain and still find the correct validation path on it's own (Path #1).
The server is however reporting Path #2 and pfSense box sticks to that - which fails.
Ahh, I'm struggling with this since Morning (GMT +5:30). Thinking that I'm a newbie to pfsense and then I found this thread @dennis_s hope you guys resolve it soon.
It work's again! :)
No need to restart or update anything, they just remove the last erroneous cerificate from the provided chain.
DaddyGo last edited by DaddyGo
Boom thanks all
YEA IT's working now :)
pvtbrutus last edited by pvtbrutus
Configuration backups still failing; cat /tmp/acb_backupdebug.txt:
SSL certificate problem: certificate has expired
If i use KeyStore Explorer with url "acb.netgate.com", i still see that the cert "USERTrust RSA Certification Authority" is expired
While the packages list is resolved, I also have a big problem with the expired certificate.
DDNS not updating and webservers that are updated I cannot access because of certificate expiration.