pfSense 2.4.5 cannot curl letsencrypt website since DST Root CA X3 Expiration
-
Due to the DST Root CA X3 Expiration, I'm not able to curl any sites secured with letsencrypt from pfSense cron task on a pfSense 2.4.5 instance.
I don't use letsencrypt/ACME at all on this instance.
I added the --insecure arg temporarily but I would prefer to fix the issue instead of the symptom.
Let's try with the letsencrypt.org website:
[2.4.5-RELEASE][admin@my.domain]/usr/local/share/certs: curl -vvI https://letsencrypt.org
*   Trying 206.189.58.26:443...
* TCP_NODELAY set
* Connected to letsencrypt.org (206.189.58.26) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, certificate expired (557):
* SSL certificate problem: certificate has expired
* Closing connection 0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
-
You posted here : Home > pfSense > Packages > ACME.
Have a look at the very first message. You'll find a solution.
Hint : It has "DST Root CA X3 Expiration" as a subject line.

As you are aware, certificates have a start and end date.
"End user" certificates have to be renewed regularly, like the ones you obtain with the acme package, which are renewed very often.
'Base' or root certificates, used to 'sign' your certificate, are valid for longer periods; they are often part of the list that the OS, your system, or pfSense, trusts.
You've decided not to upgrade, and are still using "2.4.5", so its 'list' of trusted certs didn't get updated. Back then, in the past, the old "DST Root CA X3" was still good.
That changed today.
Btw : the same thing can happen with any device that uses an OS and uses certs. "Not upgrading" brings the 'security' system to a halt.
-
Because you have chosen to not update your base OS, you don't have an up-to-date list of root certificates on the firewall for the firewall itself to use when validating certificates.
You have a few choices:
- Update to a current supported version of pfSense.
- Hand edit /usr/local/share/certs/ca-root-nss.crt, replace the expired intermediate with the correct certificate
- Copy /usr/local/share/certs/ca-root-nss.crt from an up-to-date system to the outdated firewall.
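The hand-edit listed above, as an added example rather than anything posted in this thread or shipped by pfSense, curl or NSS: a standard-library Python script (call it audit_bundle.py, an assumed name) that walks a PEM bundle such as /usr/local/share/certs/ca-root-nss.crt, reports each certificate's subject CN and notAfter date, and writes a copy with the expired blocks removed while leaving the bundle's comment headers in place. It reads only the validity and subject fields of each DER certificate and verifies no signatures. The two certificates it demonstrates on are constructed placeholders with dummy keys; their names "Old Root" and "New Root" and the sample date 2021-10-01 are assumptions, not real roots.

```python
#!/usr/bin/env python3
"""Audit a PEM CA bundle (e.g. /usr/local/share/certs/ca-root-nss.crt) for
expired certificates and optionally write a copy with them removed.
Standard library only, so it runs on an old firewall without extra packages.
Added example for this thread; not pfSense, curl or NSS code."""
import base64
import datetime
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
OID_COMMON_NAME = b"\x55\x04\x03"   # id-at-commonName 2.5.4.3, DER-encoded


def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed DER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _time(tag, val):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) -> aware UTC datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(val.decode("ascii"), fmt).replace(
        tzinfo=datetime.timezone.utc)


def _common_name(name):
    """CN from an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            oid, value = _children(atv)
            if oid[1] == OID_COMMON_NAME:
                return value[1].decode("utf-8", "replace")
    return "<no CN>"


def cert_info(der):
    """(subject CN, notBefore, notAfter) of a DER certificate.
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, ... }"""
    _, cert, _ = _tlv(der, 0)
    fields = _children(_children(cert)[0][1])   # tbsCertificate is the first element
    if fields[0][0] == 0xA0:                    # explicit version tag present
        fields = fields[1:]
    not_before, not_after = (_time(*t) for t in _children(fields[3][1]))
    return _common_name(fields[4][1]), not_before, not_after


def audit_bundle(pem_text, now):
    """List (cn, notAfter, expired?) for every certificate in the bundle."""
    report = []
    for m in PEM_BLOCK.finditer(pem_text):
        cn, _, not_after = cert_info(base64.b64decode(m.group(1)))
        report.append((cn, not_after, not_after < now))
    return report


def strip_expired(pem_text, now):
    """Bundle text with expired PEM blocks removed; comments and unexpired blocks stay put."""
    def keep_or_drop(m):
        _, _, not_after = cert_info(base64.b64decode(m.group(1)))
        return "" if not_after < now else m.group(0)
    return PEM_BLOCK.sub(keep_or_drop, pem_text)


def _der(tag, content):
    """Minimal DER encoder used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def constructed_cert_pem(cn, not_before, not_after):
    """Constructed stand-in certificate: real DER layout, placeholder key and
    signature. Only for exercising the parser; never a trust anchor."""
    def utc(d):
        return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_COMMON_NAME)
                                         + _der(0x13, cn.encode()))))
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + name + _der(0x30, utc(not_before) + utc(not_after)) + name
               + _der(0x30, alg + _der(0x03, b"\x00")))
    b64 = base64.b64encode(_der(0x30, tbs + alg + _der(0x03, b"\x00"))).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


# Constructed sample bundle: one root expired on 2021-09-30, one still valid.
SAMPLE_NOW = datetime.datetime(2021, 10, 1, tzinfo=datetime.timezone.utc)
SAMPLE_BUNDLE = (
    '# Constructed sample "Old Root" (expires 2021-09-30)\n'
    + constructed_cert_pem("Old Root", datetime.datetime(2000, 9, 30), datetime.datetime(2021, 9, 30))
    + '# Constructed sample "New Root" (expires 2035-06-04)\n'
    + constructed_cert_pem("New Root", datetime.datetime(2015, 6, 4), datetime.datetime(2035, 6, 4))
)

if __name__ == "__main__":
    if len(sys.argv) > 1:      # audit_bundle.py ca-root-nss.crt [pruned.crt]
        text, now = open(sys.argv[1]).read(), datetime.datetime.now(datetime.timezone.utc)
    else:                      # no argument: run on the constructed sample
        text, now = SAMPLE_BUNDLE, SAMPLE_NOW
    for cn, not_after, expired in audit_bundle(text, now):
        print(f"{'EXPIRED' if expired else 'ok'}\t{not_after:%Y-%m-%d}\t{cn}")
    if len(sys.argv) > 2:
        with open(sys.argv[2], "w") as out:
            out.write(strip_expired(text, now))
```

With no arguments it prints the constructed sample; with `audit_bundle.py /usr/local/share/certs/ca-root-nss.crt pruned.crt` it audits the real bundle and writes a pruned copy, which can be tried first with `curl --cacert pruned.crt` before the file on the firewall is replaced. Removing the expired root is what matters on OpenSSL releases before 1.1.0: they build the chain the server presents up to DST Root CA X3 and reject it as expired even when ISRG Root X1 is also trusted. The pruned bundle still needs a current ISRG Root X1 present, and this script only removes certificates, it adds none.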
-
@jimp , thank you for the copy tip.
Please note that I chose to revert to 2.4.5 for stability because of the 2.5.1 dual WAN issue or unbound crash issues (unbound on 2.5.2 is still crashing).
I thought that the 2.4.5 released in 2020 would support the ISRG Root X1 certificate since it was released in 2015, but I also had the issue with Ubuntu 16.04.6 (upgrading to 16.04.7 fixed it).