pkg: Certificate verification failed for /CN=*.netgate.com

decibel83 · Apr 19, 2024, 9:09 PM

Hello,
I don't have any package available in the package manager:

So I connected to the console and tried to bootstrap pkg:

[2.6.0-RELEASE][admin@fw]/: pkg bootstrap -f
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+https://pkg.pfsense.org/pfSense_v2_6_0_amd64-pfSense_v2_6_0, please wait...
Certificate verification failed for /CN=*.netgate.com
34372542464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-img-build/BUILD_NODE/amd64-ce/OS_MAJOR_VERSION/freebsd12/PLATFORM/aws/sources/FreeBSD-src-RELENG_2_6_0/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /CN=*.netgate.com
34372542464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-img-build/BUILD_NODE/amd64-ce/OS_MAJOR_VERSION/freebsd12/PLATFORM/aws/sources/FreeBSD-src-RELENG_2_6_0/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /CN=*.netgate.com
34372542464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-img-build/BUILD_NODE/amd64-ce/OS_MAJOR_VERSION/freebsd12/PLATFORM/aws/sources/FreeBSD-src-RELENG_2_6_0/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /CN=*.netgate.com
34372542464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-img-build/BUILD_NODE/amd64-ce/OS_MAJOR_VERSION/freebsd12/PLATFORM/aws/sources/FreeBSD-src-RELENG_2_6_0/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /CN=*.netgate.com
34372542464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-img-build/BUILD_NODE/amd64-ce/OS_MAJOR_VERSION/freebsd12/PLATFORM/aws/sources/FreeBSD-src-RELENG_2_6_0/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /CN=*.netgate.com
34372542464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-img-build/BUILD_NODE/amd64-ce/OS_MAJOR_VERSION/freebsd12/PLATFORM/aws/sources/FreeBSD-src-RELENG_2_6_0/crypto/openssl/ssl/statem/statem_clnt.c:1916:
pkg: Error fetching https://pkg.pfsense.org/pfSense_v2_6_0_amd64-pfSense_v2_6_0/Latest/pkg.txz: Authentication error
A pre-built version of pkg could not be found for your system.
Consider changing PACKAGESITE or installing it from ports: 'ports-mgmt/pkg'.

I tried to rehash the SSL certificates without success:

[2.6.0-RELEASE][admin@fw1.dc.ems.network]/: certctl rehash
Scanning /usr/share/certs/blacklisted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...

I've already read the Troubleshooting Upgrades document.

Could you help me please?
Thank you very much!

nmo · Apr 19, 2024, 9:14 PM

[2.7.2-RELEASE][admin@pfSense.lan]/root: openssl s_client -connect pkg01-atx.netgate.com:443 -verify_quiet
CONNECTED(00000003)
depth=0 CN = *.netgate.com
verify error:num=20:unable to get local issuer certificate
depth=0 CN = *.netgate.com
verify error:num=21:unable to verify the first certificate
Certificate chain

source: https://www.reddit.com/r/PFSENSE/comments/1c84y8b/pkg_an_error_occured_while_fetching_package/

There are issues in netgate's cert chain

decibel83 · Apr 19, 2024, 9:24 PM

@nmo thank you.

So I just have to wait Netgate to fix the issue?

johnpoz · Apr 19, 2024, 9:40 PM

@decibel83 not seeing this on my 23.09.1, but yeah just fired up my 2.7.2 CE vm and is not able to grab packages.

Normally such issues are corrected fairly quickly..

stephenw10 · Apr 19, 2024, 10:05 PM

Hmm, checking...

stephenw10 · Apr 19, 2024, 10:33 PM

Try again now.

johnpoz · Apr 19, 2024, 10:34 PM

@stephenw10 nope I still show it not working on my 2.7.2 box

johnpoz · Apr 19, 2024, 10:42 PM

@stephenw10 ok its working now

I did a bootstrap and still wasn't working

But I then rebooted it and worked, so maybe I was just too fast and would of worked without the reboot, or maybe the reboot did something? Normally I would never reboot, but it running on just a vm, so takes a few seconds to reboot and nothing routing through it, etc.. that I would be worried about loosing connections on.

stephenw10 · Apr 19, 2024, 10:48 PM

Mmm, should not have required boot-strapping as far as I know.

johnpoz · Apr 19, 2024, 11:00 PM

@stephenw10 when it didn't work right away figured couldn't hurt, and still didn't work. Maybe if would of just waited a few minutes it would of been fine without doing anything