Netgate Discussion Forum

    Various d/l errors since March

    pfBlockerNG
    7 Posts 4 Posters 424 Views
    • lohphat

      I just noticed these errors when the daily script executes. Most d/ls work but a few are having problems.

      I have active subscriptions so not sure what's going on.

      Version 3.2.1_20 on 24.11 SG-3100

      [ Myip_BL6_v6 ]			 Downloading update . cURL Error: 60
      SSL certificate problem: unable to get local issuer certificate Retry [1] in 5 seconds...
      . cURL Error: 60 [ 06/6/25 22:45:33 ]
      SSL certificate problem: unable to get local issuer certificate Retry [2] in 5 seconds...
      . cURL Error: 60 [ 06/6/25 22:45:39 ]
      SSL certificate problem: unable to get local issuer certificate |Myip_BL6_v6|https://www.myip.ms/files/blacklist/csf/latest_blacklist.txt| Retry [3] in 5 seconds...
      .. Unknown Failure Code [0]
      

      And

      [ Talos_BL_v4 ]			 Downloading update .. 403 Forbidden
      
       [ pfB_PRI1_v4 - Talos_BL_v4 ] Download FAIL [ 06/6/25 23:45:26 ]
        DNSBL, Firewall, and IDS (Legacy mode only) are not blocking download.
      

      In summary, things mostly broke last month on the 9th.

      ====================[ IPv4/6 Last Updated List Summary ]==============
      
      Jan 3	06:40	Abuse_SSLBL_v4
      May 9	17:45	QUIC_ASN_List_custom_v4
      May 9	17:45	QUIC_CIDR_List_custom_v4
      May 9	17:45	MyBlockedDomains_custom_v4
      May 9	17:46	QUIC_ASN_List_custom_v6
      May 9	17:46	QUIC_CIDR_List_custom_v6
      May 19	07:21	Spamhaus_Drop6_v6
      Jun 4	01:53	Spamhaus_Drop_v4
      Jun 5	08:07	Spamhaus_eDrop_v4
      Jun 6	00:30	ET_Block_v4
      Jun 6	00:44	ISC_Errata_v4
      Jun 6	16:41	ET_Comp_v4
      Jun 6	21:53	CINS_army_v4
      Jun 6	23:30	ISC_Block_v4
      Jun 6	23:40	Abuse_Feodo_C2_v4
      Jun 6	23:45	MyBlockedDomains_custom_v6
      

      SG-3100 24.11-RELEASE (arm) | Avahi (2.2_6) | ntopng (5.6.0_1) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.1_20) | System_Patches (2.2.20_5)

      lohphatL johnpozJ 2 Replies Last reply Reply Quote 0
      • Mission-Ghost

        Similar issue here since April but only with the Myip_BL6 feed. My only other IPv6 feed, Spamhaus_Drop6, and all my IPv4 feeds continue to update without error.

        I spent about an hour trying to trouble-shoot this but came up either empty or with suggestions to go about complicated, manual certificate installations. For something that just worked two months ago.

        So I disabled the feed. Wasn't worth the trouble. But if it's happening to others it might be a more widespread problem than just me and one other person.

        Plus v24.11 with pfBlockerNG 3.2.0_16 and all system patches in System_Patches 2.2.20_5 applied. Other packages installed are:

        apcupsd
        Cron
        mailreport
        Status_Traffic_Totals

        Kind of a more or less plain vanilla system.

        1 Reply Last reply Reply Quote 0
        • lohphat @lohphat

          @lohphat In my custom list I'm just trying to resolve AS and domain to IP4 or IP6 CIDR blocks. That was all working fine.

          Has the internal lookup to resolve domains and AS changed? The lookup type is still set to "Auto" as the parser should "just work" as it was.

          Is the service used for domain and AS resolution gone away?

          1 Reply Last reply Reply Quote 0
          • johnpoz LAYER 8 Global Moderator @lohphat

            @lohphat I don't know about your other errors - but the error with myip.ms is related to an issue with their cert, they are not providing the full chain. Your browser can grab it - but curl doesn't do that, so since it's not trusted they can not verify it, etc.

            See this thread, and a work around for that one site.

            https://forum.netgate.com/topic/197712/curl-certificate-error

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            S 1 Reply Last reply Reply Quote 1
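
The incomplete-chain failure described in the post above can be reproduced offline. This is an added example, not part of the thread or of pfBlockerNG: it builds a constructed root, intermediate and leaf certificate (the `demo-*` names are made up) and verifies the leaf with and without the intermediate, assuming a standard `openssl` command-line install.

```shell
#!/bin/sh
# Constructed offline demo: a three-level PKI (root -> intermediate -> leaf)
# showing why a server that omits its intermediate breaks curl-style checks.
# All names (demo-root, demo-int, demo-leaf) are made up for this example.

build_pki() {
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    for n in root int leaf; do
        openssl req -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
            -subj "/CN=demo-$n" 2>/dev/null || return 1
    done
    # Self-signed root: the only certificate the client trusts.
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 2 -out root.pem 2>/dev/null || return 1
    # Intermediate signed by the root; leaf signed by the intermediate.
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -extfile ca.ext -days 2 -out int.pem 2>/dev/null || return 1
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key \
        -CAcreateserial -extfile leaf.ext -days 2 -out leaf.pem 2>/dev/null
}

# Server sent only the leaf: the client cannot link it to the trusted root.
verify_leaf_only() {
    openssl verify -CAfile root.pem leaf.pem 2>&1
}

# Server sent leaf + intermediate (the full chain): the path completes.
verify_full_chain() {
    openssl verify -CAfile root.pem -untrusted int.pem leaf.pem 2>&1
}

workdir=$(mktemp -d) || exit 1
trap 'rm -rf "$workdir"' EXIT          # demo keys are throwaway
cd "$workdir" && build_pki || exit 1

echo "leaf only:";  verify_leaf_only  || echo "=> rejected"
echo "full chain:"; verify_full_chain && echo "=> accepted"
```

The leaf-only case fails with the same "unable to get local issuer certificate" text that appears in the cURL Error 60 log lines; the clean fix is on the server side, which should send the intermediate along with its own certificate.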
            • SteveITS Galactic Empire @johnpoz

              Pretty sure the Talos feed is the one that they said was supposed to be a demo/preview and put it behind a login so people would stop using it. Try to download it yourself and see what you get.

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

              lohphatL 1 Reply Last reply Reply Quote 0
              • lohphat @SteveITS

                @SteveITS Seems I've been blocked.

                https://talosintelligence.com/documents/ip-blacklist

                My settings were to pull daily. It was working for over a year.

                S 1 Reply Last reply Reply Quote 0
                • SteveITS Galactic Empire @lohphat

                  @lohphat https://forum.netgate.com/topic/190285/changes-to-snort-org-talos-intel-ip-block-list-affecting-pfblockerng

                  1 Reply Last reply Reply Quote 1
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.