ssl certificate verification failed

jsiverskog

hey,
getting this when trying to perform an update:

Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/CN=repo00.netgate.com
1082880000:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_plus-v21_05_aarch64/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg-static: https://repo00.netgate.com/pkg/pfSense_plus-v21_05_1_aarch64-pfSense_plus-v21_05_1/All/php74-dom-7.4.20.txz: Authentication error```

now my installation broke half-way through.

what's the issue with that certificate? the local time of my pfsense is correct.

jsiverskog

same with repo01.netgate.com

Rico

SG-1100? Did you power cycle?
Check https://forum.netgate.com/topic/165654/pfsense-21-05-1-upgrade-failed

-Rico

jsiverskog

@rico said in ssl certificate verification failed:

https://forum.netgate.com/topic/165654/pfsense-21-05-1-upgrade-failed

hi,
yes, SG-1100.

a cold restart helped, but it's scary to do that in the middle of an upgrade.

thanks.

Gertjan

@jsiverskog said in ssl certificate verification failed:

a cold restart helped, but it's scary to do that in the middle of an upgrade.

You're right.
But not much of a choice.
Try this first : Open another web brower window, login, and use Diagnostics -> Halt system.

Btw : for the future :
One of the steps needed for a successful upgrade is :
Execute a reboot (or a halt - remove power - add power - boot).

This is actually valid for any device.

stephenw10

What were you upgrading from?

Is it possible that device has not been power cycled since it was running 2.4.X?

That crypro driver issue should be fixed in 21.05.

Steve

jsiverskog

@stephenw10 i believe i was upgrading from 21.05.

it is very likely that the device had not been power cycled for a long time - that's not something you usually have to do with network equipment.

let's hope it works out better in the future.

Gertjan

@jsiverskog said in ssl certificate verification failed:

that's not something you usually have to do with network equipment.

If the device is an ASIC with all 'code' burned into ROM, with a very small 'RAM' scratch pad, like a switch; or somewhat more sophisticated as a ISP router, bit still running out of 'ROM' type of memory, and close to none user-configurable user settings, and no 'Giga bytes of usage stored data', then yes, true. It will be a flash the 'BIOS' and go procedure.

pfSense doesn't look like a 'user desktop PC'. But don't be mistaken, it uses the same FreeBSD kernel, the same file system, big drive storage and has often 4GB - or more - of RAM memory.

As such, it can behave like our desktop 'PC' like devices.
Just think of what happened with Microsoft the last 2, 3 years during the roll-out out Windows 10 : it was not a great experience for all of us. Apple isn't any different here.
It all boils down to : when applying a major system update, some preparation is needed upfront.

Rebooting the device before an major upgrade isn't probably part of the official upgrade handling path, but it surely help you to put all - or at least : more - changes on your side for a successfully upgrade, as it could show issue that existed before the upgrade.

This method worked well for me for the last 10 years (pfSense upgrading).

stephenw10

Yes, rebooting is a good idea before an upgrade to be sure it will return from that.
You should not need to power cycle it normally though. This was a bug in the driver that could put the hardware into a condition it could not recover from. That should have been fixed in 21.05 though.

The only time I would expect to need a power cycle is after updating uboot/coreboot.

Steve