Netgate Discussion Forum

upgrade woes - openssl SSL alert

Problems Installing or Upgrading pfSense Software
  • J Offline
    j3hst3r
    last edited by Nov 2, 2022, 9:39 PM

    Hey there,

    I've gone through old posts and other websites to try and find the answer but nothing seems to work. I am unable to access 'available packages' or even attempt to update via CLI.

    Unable to update repository pfSense-core
    Updating pfSense repository catalogue...
    1082822656:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 51
    1082822656:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 51
    1082822656:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 51
    1082822656:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 51
    pkg-static: https://repo01.atx.netgate.com/pkg/pfSense_plus-v22_05_aarch64-pfSense_plus_v22_05/meta.txz: Authentication error
    repository pfSense has no meta file, using default settings
    1082822656:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 51
    1082822656:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 51
    pkg-static: https://repo01.atx.netgate.com/pkg/pfSense_plus-v22_05_aarch64-pfSense_plus_v22_05/packagesite.pkg: Authentication error
    1082822656:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 51
    1082822656:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 51
    pkg-static: https://repo01.atx.netgate.com/pkg/pfSense_plus-v22_05_aarch64-pfSense_plus_v22_05/packagesite.txz: Authentication error

    I am running a Netgate 1100 and haven't had an issue before. Anybody hit this issue before?

    And yes, I have power cycled the box (unplugged, waited a minute, plugged back in [thus, I have tried turning it off and on again])

    Thanks

    • S Online
      stephenw10 Netgate Administrator
      last edited by Nov 2, 2022, 10:18 PM

      Hmm, that was a known issue during 22.05 development but should be fixed in the release images. Has that been running release for some time?

      Try running at the command line:

      pkg-static -d update
      

      Should show that same error but with more debug output.
      Then try:

      pkg -d update
      

      That may succeed.

      Steve

      • J Offline
        j3hst3r @j3hst3r
        last edited by Nov 2, 2022, 10:18 PM

        For more information, there seems to be a local cert issue? Not sure why, I never changed anything in terms of the certificates in the cert store:

        curl -vvv https://repo01.atx.netgate.com

        * Trying 208.123.73.209:443...
        * Connected to repo01.atx.netgate.com (208.123.73.209) port 443 (#0)
        * ALPN: offers h2
        * ALPN: offers http/1.1
        * CAfile: /usr/local/share/certs/ca-root-nss.crt
        * CApath: none
        * TLSv1.3 (OUT), TLS handshake, Client hello (1):
        * TLSv1.3 (IN), TLS handshake, Server hello (2):
        * TLSv1.2 (IN), TLS handshake, Certificate (11):
        * TLSv1.2 (OUT), TLS alert, unknown CA (560):
        * SSL certificate problem: unable to get local issuer certificate
        * Closing connection 0
        curl: (60) SSL certificate problem: unable to get local issuer certificate
        More details here: https://curl.se/docs/sslcerts.html

        curl failed to verify the legitimacy of the server and therefore could not
        establish a secure connection to it. To learn more about this situation and
        how to fix it, please visit the web page mentioned above.

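Added example, not part of the original posts and not Netgate code: a decoder for the two error formats quoted so far in this thread, the OpenSSL error-queue line from pkg-static and the alert value in curl's verbose trace. It assumes the OpenSSL 1.1.x packed error layout (8-bit library, 12-bit function, 12-bit reason) and that curl prints the alert as level << 8 | description; the function names and the alert table subset are illustrative.

```python
import re

# Constructed sample input: one line from each tool's output as quoted in this thread.
PKG_LINE = ("1082822656:error:1409441B:SSL routines:ssl3_read_bytes:"
            "tlsv1 alert decrypt error:/usr/src/crypto/openssl/ssl/record/"
            "rec_layer_s3.c:1544:SSL alert number 51")
CURL_LINE = "TLSv1.2 (OUT), TLS alert, unknown CA (560):"

# Subset of the TLS alert descriptions from RFC 5246 / RFC 8446.
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
          46: "certificate_unknown", 48: "unknown_ca", 49: "access_denied",
          50: "decode_error", 51: "decrypt_error", 116: "certificate_required"}
SSL_AD_REASON_OFFSET = 1000  # OpenSSL adds this to a received alert number

def decode_openssl_error(line):
    """Unpack the hex code of an OpenSSL 1.1.x error-queue line (assumed layout)."""
    m = re.match(r"\d+:error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):", line)
    if not m:
        return None
    code = int(m.group(1), 16)
    reason = code & 0xFFF
    result = {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": reason,
              "func_name": m.group(3), "peer_alert": None}
    # Reasons above the offset mean the peer sent a TLS alert; recover its number.
    if reason > SSL_AD_REASON_OFFSET:
        number = reason - SSL_AD_REASON_OFFSET
        result["peer_alert"] = (number, ALERTS.get(number, "unlisted"))
    return result

def decode_curl_alert(line):
    """Split curl's verbose alert value into direction, level and description."""
    m = re.search(r"\((IN|OUT)\), TLS alert, .*\((\d+)\)", line)
    if not m:
        return None
    value = int(m.group(2))
    level, number = value >> 8, value & 0xFF
    return {"sent_by": "client" if m.group(1) == "OUT" else "server",
            "level": {1: "warning", 2: "fatal"}.get(level, "unknown"),
            "alert": (number, ALERTS.get(number, "unlisted"))}

if __name__ == "__main__":
    print(decode_openssl_error(PKG_LINE))
    print(decode_curl_alert(CURL_LINE))
```

On the two sample lines this separates the failures: pkg-static read alert 51 (decrypt_error) sent by the server, while curl's 560 is a fatal unknown_ca (48) alert that curl itself sent.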
        • S Online
          stephenw10 Netgate Administrator
          last edited by Nov 2, 2022, 10:19 PM

          Yes, that's expected to fail unless you pass the client cert with the request.

          • J Offline
            j3hst3r @stephenw10
            last edited by Nov 2, 2022, 10:20 PM

            @stephenw10

            I've done each one. The initial post was pfSense-upgrade -d but all pkg commands or pfSense-upgrade fail with the same :(

            And yes, you're right, I just passed -k and handshake went through

            • J Offline
              j3hst3r @stephenw10
              last edited by Nov 2, 2022, 10:22 PM

              @stephenw10

              pkg -d update:

              DBG(1)[5558]> PkgRepo: extracting packagesite.yaml of repo pfSense
              DBG(1)[18095]> PkgRepo: extracting signature of repo in a sandbox
              pkg: No trusted public keys found
              Unable to update repository pfSense
              Error updating repositories!

              pkg-static -d update throws the same as pfSense-upgrade -d

              and this 120 seconds post time restriction due to reputation is lame :)

              • S Online
                stephenw10 Netgate Administrator
                last edited by Nov 2, 2022, 10:23 PM

                So fails with both pkg and pkg-static?

                Last time I saw this it was due to an older version of pkg-static being incorrectly installed by a package.

                • S Online
                  stephenw10 Netgate Administrator
                  last edited by Nov 2, 2022, 10:24 PM

                  Well I can try to fix your reputation....

                  • J Offline
                    j3hst3r @stephenw10
                    last edited by Nov 2, 2022, 10:25 PM

                    @stephenw10
                    pkg -v is 1.18.3 -- is this accurate?

                    • S Online
                      stephenw10 Netgate Administrator
                      last edited by Nov 2, 2022, 10:30 PM

                      Hmm, no that's actually newer than the 22.05 repo version:

                      Command history storage is enabled. Clear history with: history -c; history -S.
                      [22.05-RELEASE][admin@2100-3.stevew.lan]/root: pkg -v
                      1.17.5
                      [22.05-RELEASE][admin@2100-3.stevew.lan]/root: pkg-static -v
                      1.17.5
                      

                      Checking....

                      • J Offline
                        j3hst3r
                        last edited by Nov 3, 2022, 1:09 PM

                        For those who are still watching...the HOW of the issue is unclear but regardless, I'm just resetting the box to move on with life...

                        thanks @stephenw10 for the help

                        thread closed
