I can not upgrade or install any pckage due to Certificate verification failed for /CN=*.netgate.com

zara · Feb 21, 2025, 10:21 AM

Hello,
I'm not able to install any package anymore due to error of 'Certificate verification failed for /CN=*.netgate.com'

from GUI :

or from console :

Logout (SSH only) 9) pfTop
Assign Interfaces 10) Filter Logs
Set interface(s) IP address 11) Restart webConfigurator
Reset webConfigurator password 12) PHP shell + pfSense tools
Reset to factory defaults 13) Update from console
Reboot system 14) Disable Secure Shell (sshd)
Halt system 15) Restore recent configuration
Ping host 16) Restart PHP-FPM
Shell

Enter an option: 13

Certificate verification failed for /CN=*.netgate.com
0080C1EC331C0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/sources/FreeBSD-src-RELENG_2_7_2/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pfSense-repoc-static: failed to fetch the repo data
failed to read the repo data.
failed to update the repository settings!!!
failed to update the repository settings!!!

Gertjan · Feb 21, 2025, 5:02 PM

@zara

Your pfSense version is 2.7.2, right ?
System time is ok ?

See here for a check list : Troubleshooting Upgrades.

edit : Wait ... ...snapshots... ? 2.7.2 is the "released and stable" version. Not sure if the snapshot version is the right one here. (I'm using 24.11 myself, so can't check / test )
You've set this : System > Update > System Update to what ?

stephenw10 · Feb 21, 2025, 11:47 AM

It's trying to get updates from 2.7.2 but could be running a previous version. If that version is 2.7.0 then first run certctl rehash then retry.

If that allows you see updates then upgrade to 2.7.2 before trying to install pkgs

zara · Feb 21, 2025, 5:03 PM

@Gertjan

I'm using 2.7.2, my time is not correcte it's trange

but I can not fixe it

thanks for you help!

stephenw10 · Feb 21, 2025, 5:42 PM

Try just setting the time at the CLI directly. You're probably in a chicken/egg scenario where it cant resolve the time servers because DNSSec is enabled.

[25.03-RC][admin@8200-2.stevew.lan]/root: date 2502211741
Fri Feb 21 17:41:00 GMT 2025

zara · Feb 21, 2025, 6:13 PM

@stephenw10

after change it manually, the problem of CA is gone but I can not install any package. the list is empty

from cli:

Enter an option: 13

pfSense-repoc-static: failed to fetch the repo data
failed to read the repo data.
failed to update the repository settings!!!
failed to update the repository settings!!!

when reboot the pfsense my time is set again to ... 2030 it's strange

stephenw10 · Feb 21, 2025, 6:20 PM

Do you see the branches in the upgrade settings? If so try re-saving that.

What hardware is that?

zara · Feb 21, 2025, 6:54 PM

@stephenw10
esxi , It was working fine, the boot was crashed after a cut power so I reinstall it and import the config again. so since this wont be work.

stephenw10 · Feb 21, 2025, 7:55 PM

So all good now?

zara · Feb 22, 2025, 12:41 AM

@stephenw10

thanks for your support.

I install it from scratch and import the config and it is working fine know.
I don't know what was wrong.

my advice to everyone is that to make daily or weekly backup at least if you don't change the config a lot to save your life .