Netgate Discussion Forum

repo01.netgate.com TLS cert seems invalid

Official Netgate® Hardware
43 Posts 9 Posters 11.1k Views
  • S
    stephenw10 Netgate Administrator
    last edited by Aug 9, 2021, 4:10 PM

    Let us know if you're still seeing that.

    S 1 Reply Last reply Aug 10, 2021, 2:18 AM Reply Quote 0
    • S
      seanmcb @stephenw10
      last edited by Aug 10, 2021, 2:18 AM

      @stephenw10 my output is quite like yours:

      [21.05-RELEASE][admin@pfSense.localdomain]/root: pkg -d update
      DBG(1)[42611]> pkg initialized
      Updating pfSense-core repository catalogue...
      DBG(1)[42611]> PkgRepo: verifying update for pfSense-core
      DBG(1)[42611]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense-core.sqlite'
      DBG(1)[42611]> Request to fetch pkg+https://repo.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-core/meta.conf
      DBG(1)[42611]> opening libfetch fetcher
      DBG(1)[42611]> Fetch > libfetch: connecting
      DBG(1)[42611]> Fetch: fetching from: https://repo01.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-core/meta.conf with opts "i"
      DBG(1)[42611]> Fetch: fetcher chosen: https
      DBG(1)[42611]> Request to fetch pkg+https://repo.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-core/packagesite.txz
      DBG(1)[42611]> opening libfetch fetcher
      DBG(1)[42611]> Fetch > libfetch: connecting
      DBG(1)[42611]> Fetch: fetching from: https://repo01.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-core/packagesite.txz with opts "i"
      pfSense-core repository is up to date.
      Updating pfSense repository catalogue...
      DBG(1)[42611]> PkgRepo: verifying update for pfSense
      DBG(1)[42611]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense.sqlite'
      DBG(1)[42611]> Request to fetch pkg+https://repo.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-pfSense_plus-v21_05_1/meta.conf
      DBG(1)[42611]> opening libfetch fetcher
      DBG(1)[42611]> Fetch > libfetch: connecting
      DBG(1)[42611]> Fetch: fetching from: https://repo01.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-pfSense_plus-v21_05_1/meta.conf with opts "i"
      DBG(1)[42611]> Fetch: fetcher chosen: https
      Fetching meta.conf: 100%    163 B   0.2kB/s    00:01    
      DBG(1)[42611]> Request to fetch pkg+https://repo.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-pfSense_plus-v21_05_1/packagesite.txz
      DBG(1)[42611]> opening libfetch fetcher
      DBG(1)[42611]> Fetch > libfetch: connecting
      DBG(1)[42611]> Fetch: fetching from: https://repo01.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-pfSense_plus-v21_05_1/packagesite.txz with opts "i"
      DBG(1)[42611]> Fetch: fetcher chosen: https
      Fetching packagesite.txz: 100%  129 KiB 131.8kB/s    00:01    
      DBG(1)[42611]> PkgRepo: extracting packagesite.yaml of repo pfSense
      DBG(1)[43042]> PkgRepo: extracting signature of repo in a sandbox
      DBG(1)[42611]> Pkgrepo, reading new packagesite.yaml for '/var/db/pkg/repo-pfSense.sqlite'
      Processing entries: 100%
      pfSense repository update completed. 464 packages processed.
      All repositories are up to date.
      

      Biggest difference is repo00.netgate.com vs repo01.netgate.com and mine has additional output Fetch: fetcher chosen: https.

      1 Reply Last reply Reply Quote 0
      • S
        stephenw10 Netgate Administrator
        last edited by Aug 10, 2021, 12:20 PM

        repo00 and repo01 should be identical there, that shouldn't matter.

        S 1 Reply Last reply Aug 10, 2021, 2:48 PM Reply Quote 0
        • S
          seanmcb @stephenw10
          last edited by Aug 10, 2021, 2:48 PM

          @stephenw10 so do you think the part about Fetch: fetcher chosen: https is the difference that explains the failure I see?

          I could always try a magic reboot, but I'm not in a huge rush to update. If there's something more we can troubleshoot to find this bug, I'm game.

          1 Reply Last reply Reply Quote 0
          • S
            stephenw10 Netgate Administrator
            last edited by Aug 10, 2021, 3:40 PM

            @seanmcb said in repo01.netgate.com TLS cert seems invalid:

            Processing entries: 100%
            pfSense repository update completed. 464 packages processed.
            All repositories are up to date.

            It looks to be updating from the repo successfully. What failure are you seeing?

            My output also shows it choosing https, I don't think that's an issue.

            Steve

            S 1 Reply Last reply Aug 10, 2021, 5:20 PM Reply Quote 0
            • S
              seanmcb @stephenw10
              last edited by Aug 10, 2021, 5:20 PM

              @stephenw10 the failure I'm seeing is as per my first message in this thread. The update fails with the error message text I pasted.

              1 Reply Last reply Reply Quote 0
              • S
                stephenw10 Netgate Administrator
                last edited by Aug 10, 2021, 5:33 PM

                Hmm, OK try running at the command line: pfSense-upgrade -d

                S 1 Reply Last reply Aug 11, 2021, 12:35 AM Reply Quote 0
                • S
                  seanmcb @stephenw10
                  last edited by Aug 11, 2021, 12:35 AM

                  @stephenw10 said in repo01.netgate.com TLS cert seems invalid:

                  pfSense-upgrade -d

                  [21.05-RELEASE][admin@pfSense.localdomain]/root: pfSense-upgrade -d
                  >>> Updating repositories metadata... 
                  Updating pfSense-core repository catalogue...
                  Fetching meta.conf: . done
                  1082880000:error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib:/usr/local/poudriere/jails/pfSense_plus-v21_05_aarch64/usr/src/crypto/openssl/ssl/statem/statem_lib.c:283:
                  Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/CN=repo01.netgate.com
                  1082880000:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:/usr/local/poudriere/jails/pfSense_plus-v21_05_aarch64/usr/src/crypto/openssl/crypto/asn1/a_verify.c:170:
                  1082880000:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_plus-v21_05_aarch64/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
                  Child process pid=62247 terminated abnormally: Segmentation fault
                  
                  M 1 Reply Last reply Aug 11, 2021, 10:44 AM Reply Quote 0
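Added example, not part of any post in this thread and not Netgate code: a small sh/awk helper that splits the OpenSSL error-queue lines from the `pfSense-upgrade -d` output above into library, function, reason and source location, then reports whether `certificate verify failed` arrived together with library-level reasons such as `EVP lib` and a crashed child process. The function names `triage_tls_errors` and `sample_log` are hypothetical; the sample lines are copied from the post above.

```shell
#!/bin/sh
# Added example (not from the thread): summarise OpenSSL error-queue lines.
# Line layout: <thread id>:error:<hex code>:<library>:<function>:<reason>:<file>:<line>:

triage_tls_errors() {
    awk -F: '
    $2 == "error" && NF >= 8 {
        n = split($7, path, "/")              # keep only the source file name
        printf "%s|%s|%s|%s:%s\n", $4, $5, $6, path[n], $8
        if ($6 == "certificate verify failed") verify = 1
        if ($6 ~ / lib$/) lib++               # nested library reason, e.g. "EVP lib"
        next
    }
    /Certificate verification failed for / {
        subject = $0                          # subject DN of the rejected certificate
        sub(/^.*Certificate verification failed for /, "", subject)
    }
    /Segmentation fault/ { crash = 1 }        # the fetching child process died
    END {
        v = verify ? "yes" : "no"
        c = crash ? "yes" : "no"
        printf "summary verify_failed=%s lib_errors=%d crash=%s\n", v, lib, c
        if (subject != "") printf "subject %s\n", subject
    }'
}

# Sample input: the failing lines quoted in the post above.
sample_log() {
    cat <<'EOF'
Fetching meta.conf: . done
1082880000:error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib:/usr/local/poudriere/jails/pfSense_plus-v21_05_aarch64/usr/src/crypto/openssl/ssl/statem/statem_lib.c:283:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/CN=repo01.netgate.com
1082880000:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:/usr/local/poudriere/jails/pfSense_plus-v21_05_aarch64/usr/src/crypto/openssl/crypto/asn1/a_verify.c:170:
1082880000:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_plus-v21_05_aarch64/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Child process pid=62247 terminated abnormally: Segmentation fault
EOF
}

sample_log | triage_tls_errors
```

On a live system the same function can be fed with `pfSense-upgrade -d 2>&1 | triage_tls_errors`, so the summary line can be compared before and after a power cycle.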
                  • M
                    mer @seanmcb
                    last edited by mer Aug 11, 2021, 10:45 AM Aug 11, 2021, 10:44 AM

                    @seanmcb What hardware are you doing this on? My reason for asking is I had a very similar issue on a SG2100 (symptom of segfault was the same). Power cycling (not rebooting) cleared the issue. Literally, shut down the system, removed power for at least 30 secs, then reapplied power. Issue went away. Suspect that openssl is using crypto hardware that can get wedged and the only cure is power cycle.

                    I have no opinion on the validity of the certificate.

                    S 1 Reply Last reply Aug 11, 2021, 1:51 PM Reply Quote 0
                    • S
                      seanmcb @mer
                      last edited by Aug 11, 2021, 1:51 PM

                      @mer My hardware is a Netgate SG-1100.

                      I could try a power cycle, but I'm not in a big rush to update, and this bug is reproducible for the moment, so it's a chance to debug it, and maybe solve it.

                      M 1 Reply Last reply Aug 11, 2021, 1:58 PM Reply Quote 1
                      • M
                        mer @seanmcb
                        last edited by Aug 11, 2021, 1:58 PM

                        @seanmcb That's good, but my point is that if the root cause is the hardware itself getting wedged, there's not much debugging that can actually be done. Hopefully the Netgate folks may have some commands that would say "yep hardware is wedged, can't get more info".

                        1 Reply Last reply Reply Quote 0
                        • S
                          stephenw10 Netgate Administrator
                          last edited by Aug 11, 2021, 3:16 PM

                          Hmm, so it hits that when you try to upgrade but 'pkg-static update' completes successfully?

                          That's odd. I would expect both to fail.

                          With that error on an SG-1100 though it's almost certainly the crypto hardware issue. If you power cycle it and it then succeeds that would confirm it.

                          Steve

                          S 1 Reply Last reply Aug 11, 2021, 3:29 PM Reply Quote 0
                          • S
                            seanmcb @stephenw10
                            last edited by Aug 11, 2021, 3:29 PM

                            @stephenw10 said in repo01.netgate.com TLS cert seems invalid:

                            Hmm, so it hits that when you try to upgrade but 'pkg-static update' completes successfully?

                            pkg-static update has not been mentioned in this thread. I did not try it. So far I tried to update in the GUI and with pfSense-upgrade -d. Both have failed.

                            With that error on an SG-1100 though it's almost certainly the crypto hardware issue. If you power cycle it and it then succeeds that would confirm it.

                            I'll reboot it when home tonight.

                            1 Reply Last reply Reply Quote 0
                            • S
                              stephenw10 Netgate Administrator
                              last edited by Aug 11, 2021, 3:46 PM

                              Mmm, my bad. But pkg -d update succeeded. You might try pkg-static -d update too just for reference before you reboot.

                              Steve

                              S 1 Reply Last reply Aug 12, 2021, 2:05 AM Reply Quote 0
                              • S
                                seanmcb @stephenw10
                                last edited by Aug 12, 2021, 2:05 AM

                                After a magic reboot, updating from the GUI failed again, but pkg-static -d update worked.

                                1 Reply Last reply Reply Quote 0
                                • S
                                  stephenw10 Netgate Administrator
                                  last edited by Aug 12, 2021, 11:43 AM

                                  Hmm, OK. What about pfSense-upgrade -d at the command line?

                                  S 1 Reply Last reply Aug 12, 2021, 1:47 PM Reply Quote 0
                                  • S
                                    seanmcb @stephenw10
                                    last edited by Aug 12, 2021, 1:47 PM

                                    @stephenw10 That would have been my 3rd try, but after reboot I tried: GUI, then pkg-static -d update and the latter worked. Is there a point in still running the other command?

                                    1 Reply Last reply Reply Quote 0
                                    • S
                                      stephenw10 Netgate Administrator
                                      last edited by Aug 12, 2021, 2:14 PM

                                      The update commands just update the package database. The upgrade command will actually try to upgrade to 21.05.1.

                                      Steve

                                      S 1 Reply Last reply Aug 12, 2021, 2:20 PM Reply Quote 0
                                      • S
                                        seanmcb @stephenw10
                                        last edited by Aug 12, 2021, 2:20 PM

                                        @stephenw10 mmmm, you sure? Because after:

                                        • magic reboot
                                        • pkg-static -d update
                                        • requisite reboot

                                        The GUI shows me at 21.05.1 and says 'no updates available'.

                                        1 Reply Last reply Reply Quote 0
                                        • S
                                          stephenw10 Netgate Administrator
                                          last edited by Aug 12, 2021, 2:23 PM

                                          Hmm, OK well then I'd suggest it did in fact succeed at some point previously via the GUI.

                                          There is no harm in running the upgrade command from the CLI. It will just show you there are no updates available if it has upgraded already.

                                          Steve

                                          G 1 Reply Last reply Aug 19, 2021, 1:10 AM Reply Quote 0
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.