Netgate Discussion Forum

Issue with SSL Certificates After Update from 2.6 to 2.7

HA/CARP/VIPs
  • wixaw
    last edited by Oct 4, 2023, 11:11 AM

    Hello,

    I'm seeking your assistance following a failed update from version 2.6 to 2.7. I'm using two pfSense instances as HAProxy load balancers for openldap-server: lb1.domain.com (restored from a snapshot) and lb2.domain.com (still running 2.7 for testing purposes). The problem lies with SSL certificates but both servers have identical configurations.

    When I run the command 'openssl s_client -connect lb1.domain.com:636', I get the following result:

    CONNECTED(00000003)
    depth=3 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
    verify return:1
    depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
    verify return:1
    depth=1 C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
    verify return:1
    depth=0 C = FR, ST = Occitanie, O = UNIVERSITE TOULOUSE III - PAUL SABATIER, CN = *.domain.com
    verify return:1
    ---
    Certificate chain
    0 s:/C=FR/ST=Occitanie/O=UNIVERSITE TOULOUSE III - PAUL SABATIER/CN=*.domain.com
     i:/C=NL/O=GEANT Vereniging/CN=GEANT OV RSA CA 4
    1 s:/C=NL/O=GEANT Vereniging/CN=GEANT OV RSA CA 4
     i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
    2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
     i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
    3 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
     i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
    ---
    
    Start Time: 1696410343
    Timeout: 300 (sec)
    Verify return code: 0 (ok)
    

    And when I execute 'openssl s_client -connect lb2.domain.com:636', I receive the following result:

    CONNECTED(00000003)
    depth=0 C = FR, ST = Occitanie, O = UNIVERSITE TOULOUSE III - PAUL SABATIER, CN = *.domain.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 C = FR, ST = Occitanie, O = UNIVERSITE TOULOUSE III - PAUL SABATIER, CN = *.domain.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/C=FR/ST=Occitanie/O=UNIVERSITE TOULOUSE III - PAUL SABATIER/CN=*.domain.com
       i:/C=NL/O=GEANT Vereniging/CN=GEANT OV RSA CA 4
    ---
    
    Start Time: 1696413058
    Timeout: 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    

    It appears that the distributed chain is different. Your assistance in resolving this issue would be greatly appreciated.

    Thank you in advance.

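Added example, not part of the original post: a shell function that reads `openssl s_client` output and reports how many certificates the server sent and whether each issuer matches the next subject. The names `chain_report`, `sample_lb1` and `sample_lb2` are chosen here; the two samples are the "Certificate chain" sections from the outputs quoted in the post.

```shell
#!/bin/sh
# Added example (not from the post): summarize the chain a server presents.
# Live use: openssl s_client -connect lb2.domain.com:636 </dev/null 2>/dev/null | chain_report
chain_report() {
  awk '
    /^[ \t]*Certificate chain/ { in_chain = 1; next }
    in_chain && /^[ \t]*---/   { in_chain = 0 }
    in_chain && /^[ \t]*[0-9]+ s:/ { sub(/^[ \t]*[0-9]+ s:/, ""); subj[n++] = $0; next }
    in_chain && /^[ \t]*i:/        { sub(/^[ \t]*i:/, ""); iss[n - 1] = $0; next }
    END {
      if (n == 0) { print "0 no-chain"; exit }
      # Each issuer must be the subject of the next certificate sent.
      for (k = 0; k + 1 < n; k++)
        if (iss[k] != subj[k + 1]) { print n " broken-link"; exit }
      # A single non-self-signed certificate means no intermediates were sent.
      if (n == 1 && subj[0] != iss[0]) { print "1 leaf-only"; exit }
      print n " linked"
    }'
}

# Sample input: chain section of the lb1 output quoted in the post.
sample_lb1() { cat <<'EOF'
Certificate chain
0 s:/C=FR/ST=Occitanie/O=UNIVERSITE TOULOUSE III - PAUL SABATIER/CN=*.domain.com
 i:/C=NL/O=GEANT Vereniging/CN=GEANT OV RSA CA 4
1 s:/C=NL/O=GEANT Vereniging/CN=GEANT OV RSA CA 4
 i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
3 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
 i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
---
EOF
}

# Sample input: chain section of the lb2 output quoted in the post.
sample_lb2() { cat <<'EOF'
Certificate chain
 0 s:/C=FR/ST=Occitanie/O=UNIVERSITE TOULOUSE III - PAUL SABATIER/CN=*.domain.com
   i:/C=NL/O=GEANT Vereniging/CN=GEANT OV RSA CA 4
---
EOF
}

for s in sample_lb1 sample_lb2; do printf '%s: %s\n' "$s" "$($s | chain_report)"; done
```

The result describes only what the server sent during the handshake; whether the client trusts the top of the chain is still decided by its own CA store, which is what `Verify return code` reports.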