"pkg add" Authentication error connecting to pkg.freebsd.org + Let's Encrypt cert



  • Hi,

    Just taken delivery of a new SG-1100, which is great.

    I'm attempting to install some additional packages on to the unit, but when I'm trying to use the pkg add command, I'm getting an "Authentication error" returned due to what looks like a certificate verification issue:

    [2.4.5-RELEASE][admin@pfsense]/root: pkg add -f https://pkg.freebsd.org/FreeBSD:11:aarch64/latest/All/snappy-1.1.6.txz
    Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    1086510128:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/factory-crossbuild-245-aarch64/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
    Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    1086510128:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/factory-crossbuild-245-aarch64/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
    Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    1086510128:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/factory-crossbuild-245-aarch64/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
    pkg: https://pkg.freebsd.org/FreeBSD:11:aarch64/latest/All/snappy-1.1.6.txz: Authentication error
    
    

    Using OpenSSL to test the connection to pkg.freebsd.org I get the following:

    [2.4.5-RELEASE][admin@pfsense]/root: openssl s_client -connect pkg.freebsd.org:443
    
    CONNECTED(00000003)
    ---
    Certificate chain
     0 s:/CN=pkg.freebsd.org
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
     1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    ---
    Server certificate
    subject=/CN=pkg.freebsd.org
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 3567 bytes and written 433 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 108BB848A983EC7FA39ED5B281D149CA4F183F7EC253160908EE2D52AF68A737
        Session-ID-ctx: 
        Master-Key: 85630B40640FABB868851B92BD92D6124CDC010DB4C086D1222A2F83EFCCB7A067A41ABA05CA4C9568A689D5125FD13B
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1593898229
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    

    The verify code at the end is looking good, and it should be fine for applications to verify the Let's Encrypt cert and connect to the site.

    My ca_root_nss package is v3.51 (latest), I've tried force reinstalling and checked that all cert directories are symlinked correctly.

    Is there something I'm missing here? Does pkg use some other source for verifying certificates or could this be a bug?

    pfSense v2.4.5-p1



  • @mikeyjb said in "pkg add" Authentication error connecting to pkg.freebsd.org + Let's Encrypt cert:

    pkg add -f https://pkg.freebsd.org/FreeBSD:11:aarch64/latest/All/snappy-1.1.6.txz

    No such error on 2.4.5-p1 (SG-3100):

    [2.4.5-RELEASE][root@sg3100.home.int]/root: pkg add -f https://pkg.freebsd.org/FreeBSD:11:aarch64/latest/All/snappy-1.1.6.txz
    Fetching snappy-1.1.6.txz: 100%   58 KiB  59.8kB/s    00:01    
    Installing snappy-1.1.6...
    pkg: wrong architecture: FreeBSD:11:aarch64 instead of FreeBSD:11:armv6
    Extracting snappy-1.1.6: 100%
    

    But the same error on SG-1100 2.4.5-p1:

    [2.4.5-RELEASE][root@pf1100.home.int]/root: pkg add -f https://pkg.freebsd.org/FreeBSD:11:aarch64/latest/All/snappy-1.1.6.txz
    Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    1086510128:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/factory-crossbuild-245-aarch64/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
    Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    1086510128:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/factory-crossbuild-245-aarch64/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
    Certificate verification failed for /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    1086510128:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/factory-crossbuild-245-aarch64/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
    pkg: https://pkg.freebsd.org/FreeBSD:11:aarch64/latest/All/snappy-1.1.6.txz: Authentication error
    

    Redmine issue created: https://redmine.pfsense.org/issues/10729



  • As a workaround you can simply fetch pkg:

    [2.4.5-RELEASE][root@pf1100.home.int]/root: fetch https://pkg.freebsd.org/FreeBSD:11:aarch64/latest/All/snappy-1.1.6.txz
    snappy-1.1.6.txz                                        58 kB  245 kBps    00s
    [2.4.5-RELEASE][root@pf1100.home.int]/root: pkg install snappy-1.1.6.txz
    


  • Awesome, thanks @viktor_g :)

    I'm pretty new to BSD so was hoping there might be a workaround. Appreciate you taking the time to set it out 👍

