• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

files.pfsense.org : Lets Encrypt certificate has expired

Scheduled Pinned Locked Moved General pfSense Questions
12 Posts 4 Posters 1.2k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • M
    monotypeTattoo
    last edited by monotypeTattoo Jan 28, 2021, 11:58 AM Jan 28, 2021, 11:57 AM

    Good Morning,

    This morning our Snort Open AppId rules update failed getting updates from https://files.pfsense.org/openappid/.

    	Snort AppID Open Text Rules md5 download failed.
    	Server returned error code 0.
    	Server error message was: SSL certificate problem: certificate has expired
    	Snort AppID Open Text Rules will not be updated
    

    This is the current certificate served by files.pfsense.org. I note that it SANed for pfsense.org which is serving up a non-expired certificate, albeit with differrent public key.

    Capture.PNG

    I believe we have had this problem before; Is there any monitoring on certificate validity for files.pfsense.org?

    Thank you.

    G 1 Reply Last reply Jan 28, 2021, 2:02 PM Reply Quote 0
    • G
      Gertjan @monotypeTattoo
      last edited by Gertjan Jan 28, 2021, 2:06 PM Jan 28, 2021, 2:02 PM

      edit : Oops.

      Re read the question - and found out I was reading something else.

      I pulled the same cert :

      b5a1c51b-2cc4-44d0-82a4-953027d062a5-image.png

      are we not looking at the same site, for example : https://www.pfsense.org ?

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      J 1 Reply Last reply Jan 28, 2021, 2:11 PM Reply Quote 0
      • J
        johnpoz LAYER 8 Global Moderator @Gertjan
        last edited by Jan 28, 2021, 2:11 PM

        @gertjan said in files.pfsense.org : Lets Encrypt certificate has expired:

        are we not looking at the same site, for example : https://www.pfsense.org ?

        Check site https://files.pfsense.org/

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        G 1 Reply Last reply Jan 28, 2021, 3:11 PM Reply Quote 1
        • G
          Gertjan @johnpoz
          last edited by Jan 28, 2021, 3:11 PM

          Is also *.pfsense.org is ok for me.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          J 1 Reply Last reply Jan 28, 2021, 3:12 PM Reply Quote 0
          • J
            johnpoz LAYER 8 Global Moderator @Gertjan
            last edited by johnpoz Jan 28, 2021, 3:14 PM Jan 28, 2021, 3:12 PM

            I don't know the details of how they have this setup.. But I would guess some servers got the new cert on on 1/5 and others have not.. Which is why only specific urls showing the old cert.

            I sent a PM to Steve - sure they will get it fixed up soon enough..

            One of the flaws in having to update every 90 days, and automation - sometimes it doesn't always work as planned/desgined.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            G 1 Reply Last reply Jan 28, 2021, 3:35 PM Reply Quote 0
            • G
              Gertjan @johnpoz
              last edited by Jan 28, 2021, 3:35 PM

              @johnpoz said in files.pfsense.org : Lets Encrypt certificate has expired:

              flawed ..... update every 90 days automation

              90 ....
              More often will create the same problems .... more often ;)
              Less often and people forget how to debug, draw conclusions and repair fast. Also : Letsenscypt also has to deal with the ones that want to 'burn' (revocate) their certs ... at least now they can keep a 90 days max list instead of a classic two years list, reducing browser cert validity checking. Knowing how many certs they have outstanding these days and you'll get the picture.
              And "automation " shouldn't be related to "forgetting about it".

              I've got several 'original' acme script running (several devices) , and two with pfSense using the pfSense package.
              And the unbeatable combination : no DNS registrar on the other side that changes the 'something' some times. The DNS name server of my domains is me using RFC2136.
              It's rock solid. I don't make calendar entries any more (on phone) to check things every 60 days. I just get a mail with "acme => done = > my domain".

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              J 1 Reply Last reply Jan 28, 2021, 4:10 PM Reply Quote 0
              • J
                johnpoz LAYER 8 Global Moderator @Gertjan
                last edited by Jan 28, 2021, 4:10 PM

                @gertjan said in files.pfsense.org : Lets Encrypt certificate has expired:

                I just get a mail with "acme => done = > my domain".

                Well clearly they do not have that setup, or they are not looking at the error emails :)

                This has happened before - same sort of issue..

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                1 Reply Last reply Reply Quote 0
                • S
                  stephenw10 Netgate Administrator
                  last edited by Jan 28, 2021, 4:32 PM

                  Looks good now. Anyone still seeing this?

                  J 1 Reply Last reply Jan 28, 2021, 4:37 PM Reply Quote 0
                  • J
                    johnpoz LAYER 8 Global Moderator @stephenw10
                    last edited by Jan 28, 2021, 4:37 PM

                    @stephenw10

                    Looks good here.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                    G 1 Reply Last reply Jan 28, 2021, 11:05 PM Reply Quote 1
                    • G
                      Gertjan @johnpoz
                      last edited by Jan 28, 2021, 11:05 PM

                      It didn't get better for me (was already good).

                      @johnpoz said in files.pfsense.org : Lets Encrypt certificate has expired:

                      do not have that setup

                      The pfSense acme package has the "action" list, where you can set up .... actions.
                      Like send a mail when it's done. But, it strikes me now, it does so when thing went well.
                      I should have something to show up start to go wrong.
                      ( some one behinds me propose me : "use two tv sets and dial into CNN and Fox news", this is french humor as best as it gets).
                      I should be cooking a script that runs one a week that 'reads' a cert, extracts its end date/time, minus the actual date/time and if less then 2 weeks or so : sends a mail.

                      /root: openssl x509 -enddate -noout -in /tmp/acme/my-domain/my-domain/my-domain.cer
                      notAfter=Apr 13 21:55:05 2021 GMT
                      

                      plus some other shell whatever script and done.

                      Anyway, @stephenw10 , @ monotypeTattoo I'll drop a copy here when I get it done.

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                      J 1 Reply Last reply Jan 28, 2021, 11:28 PM Reply Quote 0
                      • J
                        johnpoz LAYER 8 Global Moderator @Gertjan
                        last edited by Jan 28, 2021, 11:28 PM

                        Keep in mind that cert might of updated just fine, but the service using the cert maybe just didn't update.. Your using some httpd to serve up file, even if you update the cert on the machine - you have prob have to tell whatever httpd your using to reload the new cert..

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                        1 Reply Last reply Reply Quote 0
                        • G
                          Gertjan
                          last edited by Jan 29, 2021, 7:17 AM

                          echo | openssl s_client -servername domain.tld -connect domain.tld:443 | openssl x509 -noout -enddate | grep 'notAfter' > date.txt
                          

                          The file date.txt should contain a date and time in the future :

                          notAfter=Apr  3 01:17:16 2021 GMT
                          

                          No "help me" PM's please. Use the forum, the community will thank you.
                          Edit : and where are the logs ??

                          1 Reply Last reply Reply Quote 0
                          12 out of 12
                          • First post
                            12/12
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                            This community forum collects and processes your personal information.
                            consent.not_received