Solved: Can't update bogons on a 2.4.5-p1 (cert expired)
-
Tell fetch what certificate file to use:
/usr/bin/fetch -a -w 600 -T 30 -q --ca-cert=/usr/local/share/certs/ca-root-nss.crt -o /tmp/bogons https://files.pfsense.org/lists/fullbogons-ipv4.txt
All certs in this file will be trusted.
-
@gertjan
That won't work with the "Auto update of bogons".
They don't specify any cert file. You will have to edit the cert file or (imho better) symlink to the file the other programs use.
/Bingo
-
@bingo600 said in Solved: Can't update bogons on a 2.4.5-p1 (cert expired):
That won't work with the "Auto update of bogons"
They don't specify any cert file.
Correct - this won't help the update script(s).
Far better is correcting the needed files.
I posted the extra part "--ca-cert=/usr/local/share/certs/ca-root-nss.crt" so files could get loaded.
The /usr/local/share/certs/ca-root-nss.crt should be corrected manually, as more root certificates will expire in the future.
Btw: even when MS updates for Windows XP stopped many years ago, there were still updates: the files with system trusted certs.
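Before editing a bundle like ca-root-nss.crt by hand it helps to know which roots in it have actually lapsed. The script below is an added example for this thread, not code from pfSense, FreeBSD or any poster: it reads every PEM certificate in a bundle, walks just enough DER to pull out the Validity period and subject CN, and reports the expired ones. It uses only the Python standard library (so it runs on a box without the cryptography package) and verifies nothing beyond dates. The two certificates it ships with are constructed, unsigned test data so it runs offline; the bundle path and the fixed check time are assumptions for the demo.

```python
"""Audit a PEM CA bundle for expired roots, standard library only.

Added example: a minimal DER walker reads each certificate's Validity and
subject CN. It does not verify signatures or chains.
"""
import base64
import re
import sys
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = b"\x55\x04\x03"  # DER-encoded OID 2.5.4.3 (commonName)
UTC = timezone.utc


def _tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Decode every TLV inside a constructed value."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out


def parse_time(tag, val):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) -> aware datetime."""
    text = val.decode("ascii")
    if tag == 0x17:  # RFC 5280: two-digit years 50-99 mean 19xx, 00-49 mean 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def _common_name(name_der):
    """Name = SEQUENCE OF RDN; RDN = SET OF AttributeTypeAndValue {OID, value}."""
    for _, rdn in _children(name_der):
        for _, atv in _children(rdn):
            (_, oid), (_, value) = _children(atv)
            if oid == CN_OID:
                return value.decode("utf-8", "replace")
    return "<no CN>"


def cert_validity(der):
    """Return (common_name, not_before, not_after) for one DER certificate."""
    _, cert, _ = _tlv(der)
    fields = _children(_children(cert)[0][1])  # tbsCertificate
    if fields[0][0] == 0xA0:  # explicit [0] version is optional
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    (nb_tag, nb), (na_tag, na) = _children(fields[3][1])
    return _common_name(fields[4][1]), parse_time(nb_tag, nb), parse_time(na_tag, na)


def audit_bundle(bundle_text, now):
    """[(common_name, not_after, expired?)] for each PEM certificate in the bundle."""
    rows = []
    for m in PEM_RE.finditer(bundle_text):
        cn, _, not_after = cert_validity(base64.b64decode("".join(m.group(1).split())))
        rows.append((cn, not_after, not_after < now))
    return rows


def expired_names(bundle_text, now):
    """Just the common names of the certificates that have lapsed."""
    return [cn for cn, _, expired in audit_bundle(bundle_text, now) if expired]


# --- constructed sample input so the script runs offline ---------------------
def _der(tag, payload):
    """Minimal DER encoder, used only to build the sample certificates."""
    if len(payload) < 0x80:
        return bytes([tag, len(payload)]) + payload
    lb = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def make_sample_cert(cn, not_before, not_after):
    """Structurally valid but unsigned certificate (constructed test data only)."""
    def utc(t):
        return _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, CN_OID) + _der(0x0C, cn.encode()))))
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name
               + _der(0x30, utc(not_before) + utc(not_after)) + name
               + _der(0x30, alg + _der(0x03, b"\x00")))
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00\x00"))  # dummy signature bits
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


CHECK_TIME = datetime(2021, 10, 1, tzinfo=UTC)  # constructed "now" for a repeatable run
SAMPLE_BUNDLE = (
    make_sample_cert("Constructed Expired Root", datetime(2000, 1, 1, tzinfo=UTC), datetime(2020, 1, 1, tzinfo=UTC))
    + make_sample_cert("Constructed Current Root", datetime(2010, 1, 1, tzinfo=UTC), datetime(2035, 1, 1, tzinfo=UTC))
)

if __name__ == "__main__":
    # With a bundle path (e.g. /usr/local/share/certs/ca-root-nss.crt) audit it against the
    # real clock; without one, run against the constructed sample at the fixed check time.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    now = datetime.now(UTC) if len(sys.argv) > 1 else CHECK_TIME
    for cn, not_after, expired in audit_bundle(text, now):
        print(f"{'EXPIRED' if expired else 'ok     '} {not_after:%Y-%m-%d} {cn}")
```

Run it as `python3 audit_bundle.py /usr/local/share/certs/ca-root-nss.crt` to list each root with its notAfter date; anything flagged EXPIRED is a candidate for removal or replacement from a current trust store. The walker relies on the fixed field order of TBSCertificate (serial, signature, issuer, validity, subject), which is why it can skip all the parsing a real X.509 library does.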
-
@gertjan said in Solved: Can't update bogons on a 2.4.5-p1 (cert expired):
Btw: even when MS updates for Windows XP stopped many years ago, there were still updates: the files with system trusted certs.
Yes, but you would only need that if you would stay in 2.4.5 - which isn't the normal/desired outcome, as - especially with a security product - we should update to the next stable version. So expiration of other CAs would only hit if you'd stay with 2.4.5 which isn't recommended / supported anyways and in 2.5.2 (latest current stable) the CA file should already be correct.
-
I concur with @jegr here - the actual solution to the problem is getting the pfsense current.
While updating the CAs trusted is a temp solution to a specific problem, it is only a stopgap measure at best.
To be honest my bogon being a bit dated is the least of my worries on my older pfsense installs, that yes need to be updated when I can actually get into the office, etc.
-
@jegr
I'm not planning on staying on 2.4.5-p1 forever.
But given the "first track record" of the 2.5.x systems, I decided to wait a bit.
Ie. the early unbound issues would have been a "killer".
I do have one test site running 2.5.2 wo. any issues, it "just upgraded" ....
AKA keeps the L2L connection up wo. any dropouts.
But it doesn't see any load or usage, it's just a "passive system" at my desk.
But on the "Job" I have 1 Central pfSense and 6 remote (openvpn) L2L coupled sites.
My sites are spread around the world, and it would be a "Major issue" if they went down.
I have a "Cold spare" on my two most urgent sites, but they "never" found the time to upgrade the pfSense OS with me, on the "secondary". That is purely "manager politics", that I try to get around, but haven't succeeded yet.
So the failover systems aren't up to it.
My central unit has 1:1 (alias) NAT to several public "outside" IP's, and I'm a bit worried about that. I read that there were some NAT issues with 2.5.x, but maybe 2.5.2 has solved it, I don't know yet.
Any hints here?
I have a "Central Cold spare" I could wipe & install 2.5.2 on, and then give it the 2.4.5-p1 config. But I will "Not get a prize" if it doesn't work, even if it's just for 4..6 hours.
/Bingo
-
@bingo600 said in Solved: Can't update bogons on a 2.4.5-p1 (cert expired):
But i will "Not get a prize" if it doesn't work, even if it's just for 4..6 hours.
haha - I hear ya.. But you might be finding a new job ;)
While your solution is good - I personally would have just disabled bogon if I was having issues with it. While sure it's the "right" thing to do blocking it, in the big picture it is not high on the list of security things to make sure you're blocking..
-
@johnpoz
Bogons was for my own 2 pfSenses
And a ... I'm not giving up kinda moment.
I haven't even bothered implementing that "trick" on the Job ones ....
I have 2 x 240GB Samsung EVO-870 SSD disks, just waiting for me to install in the "home/summerhouse" pfSenses, along w. ZFS & 2.5.2.
I chose 240G because I plan to use ZFS snapshots for real, on 2.5.2.
I just have to find the right time, we're streaming TV here ....
And if you thought I was nervous of the "Job Boss" ...
That's nothing compared to the "Real BOSS"
And when done "home", the one in the summerhouse is next.
-
@bingo600 said in Solved: Can't update bogons on a 2.4.5-p1 (cert expired):
And a ... I'm not giving up kinda moment.
I haven't even bothered implementing that "trick" on the Job ones ....
I appreciate it! I have some 2.4.5 systems in the wild myself that customers aren't able to update right now and those had rising numbers of dead/zombie processes (dying bogon procs) that we were able to fix that way - so thumbs up from me for the fact finding mission
-
@jegr said in Solved: Can't update bogons on a 2.4.5-p1 (cert expired):
rising numbers of dead/zombie processes (dying bogon procs)
Hmmm - interesting.. Curious, bogon I believe is only supposed to update every 30 days.. How many did they have? I wonder if it fails it starts hammering, looking to work more often than once every 30 days.
I just looked at 1 of my older installs
52 processes: 1 running, 50 sleeping, 1 zombie
-
@johnpoz
They seem to "never die/timeout"
So you'll accumulate for each month, and if you try to update manually that'll also start an additional one.
Can't remember if each try starts 3 processes.
The php master + the fetch + "I think another"
/Bingo
-
@jegr said in Solved: Can't update bogons on a 2.4.5-p1 (cert expired):
@bingo600 said in Solved: Can't update bogons on a 2.4.5-p1 (cert expired):
And a ... I'm not giving up kinda moment.
I haven't even bothered implementing that "trick" on the Job ones ....
I appreciate it! I have some 2.4.5 systems in the wild myself that customers aren't able to update right now and those had rising numbers of dead/zombie processes (dying bogon procs) that we were able to fix that way - so thumbs up from me for the fact finding mission
Glad to be able to give a little back
And ...
Now I know what to do tomorrow on the job for 7 firewalls
Done ....
And home fwall
Fresh install w. ZFS, and config restored, only one minor "quirk"
iftop didn't install , but the pkgmgr. was informing about that
/Bingo