upgrade failed: tls_process_server_certificate:certificate verify failed
-
Getting this error when attempting to upgrade from 21.05.1 to 22.01 on an SG1100, using the web interface:
[96/187] Fetching pam_ldap-186_1.pkg: ..... done
[97/187] Fetching p7zip-16.02_3.pkg: .......... done
[98/187] Fetching openvpn-client-export-2.5.2.pkg: .......... done
[99/187] Fetching openvpn-auth-script-1.0.0.3.pkg: . done
[100/187] Fetching openvpn-2.5.4_1.pkg: .......... done
[101/187] Fetching opensc-0.22.0.pkg: .......... done
[102/187] Fetching oniguruma-6.9.7.1.pkg: .......... done
[103/187] Fetching ntp-4.2.8p15_3.pkg: .......... done
1082953728:error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib:/var/jenkins/workspace/pfSense-build-release-tarballs/BUILD_NODE/pkg-aarch64/OS_MAJOR_VERSION/freebsd12/PLATFORM/aws/crypto/openssl/ssl/statem/statem_lib.c:283:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/CN=repo00.netgate.com
1082953728:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-build-release-tarballs/BUILD_NODE/pkg-aarch64/OS_MAJOR_VERSION/freebsd12/PLATFORM/aws/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Child process pid=49132 terminated abnormally: Segmentation fault
Failed
-
I believe in the past, when users have hit this error, the recommendation was a power-off reset of the box. The crypto chip inside the SG-1100 can get confused, and the only way to reset it is a power-off and power-on sequence. A simple reboot does not do it.
So gracefully shut down the box, and after ensuring it is fully halted, remove the power for several seconds and then reapply. It should boot up and then you will be able to upgrade without issue.
-
@bmeeks said in upgrade failed: tls_process_server_certificate:certificate verify failed:
So gracefully shut down the box, and after ensuring it is fully halted, remove the power for several seconds and then reapply
Thanks! Will try to do so this evening.
-
@mig39 on my SG-1100 the issue was there is no hardware RTC. Had it shelved for a while and when it came up it couldn't sync the time from the NTP server via hostname because DNS over TLS was broken due to the time being way off. Chicken/egg thing.
Check your system clock; if it is off you can set the time manually or hardcode an IP address, not a hostname, for NTP. If you aren't using DNS over TLS this won't affect you and won't help. But do check your system clock and NTP status anyway to be sure.
-
@mfld said in upgrade failed: tls_process_server_certificate:certificate verify failed:
@mig39 on my SG-1100 the issue was there is no hardware RTC. Had it shelved for a while and when it came up it couldn't sync the time from the NTP server via hostname because DNS over TLS was broken due to the time being way off. Chicken/egg thing.
FYI- That is handled better on 22.01/2.6.0:
https://docs.netgate.com/pfsense/en/latest/services/ntpd/bootstrap.html#ntp-bootstrap
-
FYI- That is handled better on 22.01/2.6.0:
https://docs.netgate.com/pfsense/en/latest/services/ntpd/bootstrap.html#ntp-bootstrap
That's awesome! And as always, great docu.
-
For anyone finding this thread in the future...
Following the advice and halting the system, physically disconnecting power for 30 seconds and then plugging in again did the trick.
I've successfully upgraded.
Thanks!
-
@mig39 Just to link the doc page on it:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/upgrades.html#segmentation-fault-in-pkg
...which is similar but mentions "SSL routines:ssl3_send_client_verify:internal error" (which is what I recall seeing, last spring) instead of "SSL routines:tls_construct_cert_verify."