Easylist update fails. Expired Cert

jsylvia007

@drewsaur said in Easylist update fails. Expired Cert:

Well, now that I have made the modifications, Arpwatch now sends me these alerts:

X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>

Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
34374270280:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
fetch: https://files.pfsense.org/lists/fullbogons-ipv4.txt: Authentication error
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root


{many more of these}

I'm also having this issue too. Looks like there's one more server that needs to be updated on pfSense's side?

dennis_s

@jsylvia007 This is something our IT team is aware of and they are working to resolve.

costanzo

@costanzo Quick update: Got a response from @AdblockPlus via twitter. They let their filter team know.

Alanesi

@jimmythedog Great, it works for me too. but you have to be careful while doing that I recommend to take a backup of this file before starting this process.

Steps here if someone wants to follow:

After you access the file /usr/local/share/certs/ca-root-nss.crt focus on this "Not After : Jan 1 00:00:00 2020 GMT" check the month and year if expired delete from "Certificate:" until "-----END CERTIFICATE-----". In my case, I found two then save and run update.

jimmythedog

@Alanesi I totally agree about backing up the file first

Rico

Seems like they have fixed their Cert.
I don't see any errors using the pfBlockerNG default settings for EasyList.

-Rico

jsylvia007

@Rico said in Easylist update fails. Expired Cert:

Seems like they have fixed their Cert.
I don't see any errors using the pfBlockerNG default settings for EasyList.

-Rico

Concur. Same here.

Rico

Fixed between 06/12/20 19:15:00 and 06/12/20 20:15:00 (UTC+1)

[ EasyList ]			 Downloading update . cURL Error: 60
SSL certificate problem: certificate has expired Retry in 5 seconds...
. cURL Error: 60
SSL certificate problem: certificate has expired Retry in 5 seconds...
. cURL Error: 60
SSL certificate problem: certificate has expired Retry in 5 seconds...
.. unknown http status code | 0

 [ DNSBL_EasyList - EasyList ] Download FAIL [ 06/12/20 19:15:28 ]

[ EasyList ]			 Downloading update .. 200 OK.
  ----------------------------------------------------------------------
  Orig.    Unique     # Dups     # White    # TOP1M    Final                
  ----------------------------------------------------------------------
  2491     2452       5          0          0          2447                 
  ----------------------------------------------------------------------

[ EasyPrivacy ]			 Downloading update [ 06/12/20 20:15:17 ] .. 200 OK.

-Rico

Vatreni

@jimmythedog said in Easylist update fails. Expired Cert:

Hi All,
First time user, so please be gentle with me!

I think this article describes the problem quite well - especially the Cross-signing section

So, to fix it, I deleted the old CA from the /usr/local/share/certs/ca-root-nss.crt file (lines 423-512 in my version), as described in the What to do? section in that link above

HTH

Old thread but still relevant and found in google. I have an older pfsense install that I can't update for now. The CA file referred to above in mine has dozens of certs now out of date.

I have removed some that had "not after" prior to today, and it let the update of easylist work, so many thanks.

There are plenty to still remove, and while I'm sure the official solution is "update pfsense ffs", is there a place to just download an up-to-date valid ca-root-nss.crt
that will work?

And thanks for your update - v helpful

Gertjan

@Vatreni

Just thinking out loud : what about getting an ISO from 'whatever' open source project ? FreeBSD or Debian etc.
Copy what you find under /etc/ssl/.

edit : forgot about the most obvious one : get the latest pfSense !!!!!
( as you need it even when you don't install it !!)

and get the latest ca-root certs out of it.

Btw: having troubles with expired certs if the top of the ice-berg(problem).