SSL certificate subject doesn't match host...
-
I've tried doing updates today and this is the error I'm running into. Is anyone else having this issue?
(Also for giggles, I tried a hard power cycle but I'm still getting this error message when trying to upgrade from console option 13):
pkg-static: https://repo01.atx.netgate.com/pkg/pfSense_plus-v22_01_aarch64-core/meta.txz: Authentication error repository pfSense-core has no meta file, using default settings SSL certificate subject doesn't match host repo01.atx.netgate.com -
@zitstif just ran 13 on my 22.01 install not seeing any such problems
Enter an option: 13 >>> Updating repositories metadata... Updating pfSense-core repository catalogue... Fetching meta.conf: . done Fetching packagesite.pkg: . done Processing entries: .. done pfSense-core repository update completed. 14 packages processed. Updating pfSense repository catalogue... Fetching meta.conf: . done Fetching packagesite.pkg: .......... done Processing entries: .......... done pfSense repository update completed. 539 packages processed. All repositories are up to date. Your packages are up to dateI tried a hard power cycle
I sure hope you didn't just pull the power, that is never a good idea.
-
pkg-static: https://repo01.atx.netgate.com/pkg/pfSense_plus-v22_01_aarch64-pfSense_plus_v22_01/packagesite.txz: Authentication error Unable to update repository pfSense Error updating repositories! ERROR: Unable to compare version of pfSense-repoAs far as I know, I haven't done anything custom to my pfsense setup, with maybe an exception of having pfblocker-dev setup (which has been running fine for a while now.)
Here's fetch:
fetch -v https://www.google.com/ resolving server address: www.google.com:443 SSL options: 82004854 Peer verification enabled Using CA cert file: /usr/local/etc/ssl/cert.pem Verify hostname TLSv1.3 connection established using TLS_AES_256_GCM_SHA384 Certificate subject: /CN=www.google.com Certificate issuer: /C=US/O=Google Trust Services LLC/CN=GTS CA 1C3 requesting https://www.google.com/ fetch: https://www.google.com/: size of remote file is not known local size / mtime: 14653 / 1655254212 fetch.out 14 kB 2466 kBps 00sDoes anyone have any ideas on how to continue to troubleshoot this on my Netgate 1100 appliance? Thanks!
-
This might be related. I saw an error on my Version widget on the Dashboard that it was unable to check for updates so I ran pkg update from the command line and there seem to be some certificate errors. This was working fine earlier today and seems to have happened just in the last few hours (I've been troubleshooting some firewall rules so I've been in and out a lot today). This is an SG1100. I checked a different site and it's doing the same thing so it's Netgate, not me.
[22.01-RELEASE][admin@router.localdomain]/root: pkg update Updating pfSense-core repository catalogue... SSL certificate subject doesn't match host repo00.atx.netgate.com SSL certificate subject doesn't match host repo00.atx.netgate.com SSL certificate subject doesn't match host repo00.atx.netgate.com SSL certificate subject doesn't match host repo00.atx.netgate.com SSL certificate subject doesn't match host repo00.atx.netgate.com SSL certificate subject doesn't match host repo00.atx.netgate.com pkg: https://repo00.atx.netgate.com/pkg/pfSense_plus-v22_01_aarch64-core/meta.tx z: Authentication error repository pfSense-core has no meta file, using default settings SSL certificate subject doesn't match host repo00.atx.netgate.com SSL certificate subject doesn't match host repo00.atx.netgate.com SSL certificate subject doesn't match host repo00.atx.netgate.com pkg: https://repo00.atx.netgate.com/pkg/pfSense_plus-v22_01_aarch64-core/package site.pkg: Authentication error SSL certificate subject doesn't match host repo00.atx.netgate.com SSL certificate subject doesn't match host repo00.atx.netgate.com SSL certificate subject doesn't match host repo00.atx.netgate.com pkg: https://repo00.atx.netgate.com/pkg/pfSense_plus-v22_01_aarch64-core/package site.txz: Authentication error Unable to update repository pfSense-core Updating pfSense repository catalogue... SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com pkg: https://repo01.atx.netgate.com/pkg/pfSense_plus-v22_01_aarch64-pfSense_plus _v22_01/meta.txz: Authentication error repository pfSense has no meta file, using default settings SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com pkg: https://repo01.atx.netgate.com/pkg/pfSense_plus-v22_01_aarch64-pfSense_plus _v22_01/packagesite.pkg: Authentication error SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com pkg: https://repo01.atx.netgate.com/pkg/pfSense_plus-v22_01_aarch64-pfSense_plus _v22_01/packagesite.txz: Authentication error Unable to update repository pfSense Error updating repositories! -
@zitstif said in SSL certificate subject doesn't match host...:
any ideas
Yep : one !
Shut down your 1100 box cleanly, using Diagnostics > Halt System.
Power it down (remove the power).
Cool down 30 seconds.
Power it up.
Re test. -
@ex1580 Yep I'm pretty much getting the same error message any time I try to work with pkg:
Updating pfSense-core repository catalogue... SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com pkg: https://repo01.atx.netgate.com/pkg/pfSense_plus-v22_01_aarch64-core/meta.txz: Authentication error repository pfSense-core has no meta file, using default settings SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com pkg: https://repo01.atx.netgate.com/pkg/pfSense_plus-v22_01_aarch64-core/packagesite.pkg: Authentication error SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com SSL certificate subject doesn't match host repo01.atx.netgate.com pkg: https://repo01.atx.netgate.com/pkg/pfSense_plus-v22_01_aarch64-core/packagesite.txz: Authentication error Unable to update repository pfSense-core Updating pfSense repository catalogue... -
@gertjan Thanks for the input. I tried this and still no dice.
-
@johnpoz No.. I didn't just pull the power. lol I used the poweroff command then pulled the power. :-)
-
@zitstif yes. I have the same exact issue. Must be something at Netgate.
-
I'm not certain if this is related but if you look at the cert for 'repo01.atx.netgate.com' using your browser, the cert expires Monday, November 17, 2521 at 10:07:17 AM Eastern Standard Time.
Aren't legit SSL certs only supposed to be 13 months max in age?
-
This is what firefox says if you go to the site. I can see the packages just fine in the web browser
-
First picture was from http:// If you put https:// in front of it you get a 400 error
-
@mheidelberger here is the thing, those sorts of tests are not always valid for for stuff like this.
Pretty sure you have to auth with cert from pfsense to be able to access that stuff.
Must be something at Netgate.
If that was the case why is it working fine for me? Now that @Gertjan mentioned complete power down... I do recall some threads where sim sort of issue, and the correction was to do a complete power down reboot. Let me see if can dig up those old thread I think @stephenw10 had supplied info related to the issue in those old thread(s)
-
@johnpoz I halted my system and unplugged my power cable for 5 minutes. Plugged back in power cable and booted up. Problem remains.
-
@johnpoz I think you're thinking of
https://docs.netgate.com/pfsense/en/latest/troubleshooting/upgrades.html#segmentation-fault-in-pkg which is a different error. And IIRC was fixed after upgrading to either 21.05 or 22.01 (don't recall which).@zitstif What are you upgrading? (to 22.01?)
22.05 RC has been out, it might be possible they are prepping for release... in which case if you're upgrading packages be sure to get them for the correct pfSense version.
Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
Upvote 👍 helpful posts! -
Of the Netgate hardware I can check at the moment I only have a couple of SG1100s running pfSense Plus (22.01-RELEASE) and it is happening on both of them (on different sides of the USA no less). One of those is pretty basic, no packages to speak of. I did also check a test VM I use running pfSense CE (2.6.0-RELEASE) and that one is working fine. This might be one of those really specific issues and I am fairly certain that a reboot is not going to fix it.
-
@steveits yeah prob right, but why I said sim sort of issue ;) hehehe
I don't have a sg1100 to test with.. But your theory of prep for 22.05 release could be on to something.
-
@zitstif I'm getting the same issue as well with a new SG-1100. Just picked it up today.
-
-
S SteveITS referenced this topic on
-
@steveits I'm already on 22.01:
[22.01-RELEASE][admin@firewallname]/root: uname -a
FreeBSD firewallname 12.3-STABLE FreeBSD 12.3-STABLE plus-RELENG_22_01-n202637-97cc5c23e13 pfSense arm64I just check for updates on a regular basis.
I ran into this issue just today and was wondering if there was something wrong with my setup.
