upgrade woes - openssl SSL alert

Reply to upgrade woes - openssl SSL alert on Thu, 03 Nov 2022 13:09:08 GMT

j3hst3r — Thu, 03 Nov 2022 13:09:08 GMT

For those who are still watching...the HOW of the issue is unclear but regardless, i'm just resetting the box to move on with life...

thanks @stephenw10 for the help

thread closed

Reply to upgrade woes - openssl SSL alert on Wed, 02 Nov 2022 22:30:02 GMT

stephenw10 — Wed, 02 Nov 2022 22:30:02 GMT

Hmm, no that's actually newer than the 22.05 repo version:

Command history storage is enabled. Clear history with: history -c; history -S.
[22.05-RELEASE][admin@2100-3.stevew.lan]/root: pkg -v
1.17.5
[22.05-RELEASE][admin@2100-3.stevew.lan]/root: pkg-static -v
1.17.5

Checking....

Reply to upgrade woes - openssl SSL alert on Wed, 02 Nov 2022 22:25:58 GMT

j3hst3r — Wed, 02 Nov 2022 22:25:58 GMT

@stephenw10
pkg -v is 1.18.3 -- is this accurate?

Reply to upgrade woes - openssl SSL alert on Wed, 02 Nov 2022 22:24:47 GMT

stephenw10 — Wed, 02 Nov 2022 22:24:47 GMT

Well I can try to fix your reputation....

Reply to upgrade woes - openssl SSL alert on Wed, 02 Nov 2022 22:23:54 GMT

stephenw10 — Wed, 02 Nov 2022 22:23:54 GMT

So fails with both pkg and pkg-static?

Last time I saw this is was due to an older version of pkg-static being incorrectly installed by a package.

Reply to upgrade woes - openssl SSL alert on Wed, 02 Nov 2022 22:22:52 GMT

j3hst3r — Wed, 02 Nov 2022 22:22:52 GMT

@stephenw10

pkg -d update:

DBG(1)[5558]> PkgRepo: extracting packagesite.yaml of repo pfSense
DBG(1)[18095]> PkgRepo: extracting signature of repo in a sandbox
pkg: No trusted public keys found
Unable to update repository pfSense
Error updating repositories!

pkg-static -d update throws the same as pfSense-upgrade -d

and this 120 seconds post time restriction due to reputation is lame :)

Reply to upgrade woes - openssl SSL alert on Wed, 02 Nov 2022 22:20:46 GMT

j3hst3r — Wed, 02 Nov 2022 22:20:46 GMT

@stephenw10

I've done each one. The initial post was pfSense-upgrade -d but all pkg commands or pfSense-upgrade fails with the same :(

And yes, you're right, I just passed -k and handshake went through

Reply to upgrade woes - openssl SSL alert on Wed, 02 Nov 2022 22:19:50 GMT

stephenw10 — Wed, 02 Nov 2022 22:19:50 GMT

Yes, that's expected to fail unless you pass the client cert with the request.

Reply to upgrade woes - openssl SSL alert on Wed, 02 Nov 2022 22:18:45 GMT

j3hst3r — Wed, 02 Nov 2022 22:18:45 GMT

For more information, there seems to be a local cert issue? Not sure why, I never changed anything in terms of the certificates in the cert store:

curl -vvv https://repo01.atx.netgate.com

Trying 208.123.73.209:443...
Connected to repo01.atx.netgate.com (208.123.73.209) port 443 (#0)
ALPN: offers h2
ALPN: offers http/1.1
CAfile: /usr/local/share/certs/ca-root-nss.crt
CApath: none
TLSv1.3 (OUT), TLS handshake, Client hello (1):
TLSv1.3 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS handshake, Certificate (11):
TLSv1.2 (OUT), TLS alert, unknown CA (560):
SSL certificate problem: unable to get local issuer certificate
Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Reply to upgrade woes - openssl SSL alert on Wed, 02 Nov 2022 22:18:05 GMT

stephenw10 — Wed, 02 Nov 2022 22:18:05 GMT

Hmm, that was a known issue during 22.05 development but should be fixed in the release images. Has that been running release for some time?

Try running at the command line:

pkg-static -d update

Should show that same error but with more debug output.
Then try:

pkg -d update

That may succeed.

Steve