The package server's SSL certificate could not be verified.



  • After I did the upgrade to 2.2.6, only one package got reinstalled. So when I went to install manually, I got this warning message:

    System: Package Manager help

    The package server's SSL certificate could not be verified. The SSL certificate itself may be invalid, its chain of trust may have failed validation, or the server may have been impersonated. Downloaded packages may come from an untrusted source. Proceed with caution.

    Should I be concerned about this?

    I will hold off installing any packages.



  • I wonder if this could be related to the issue I'm seeing with 2 url table aliases no longer able to download via ssl after upgrade from 2.2.5 to 2.2.6.  Even after a fresh full install.

    https://forum.pfsense.org/index.php?topic=104392.0

    USB memstick, i386, VGA



  • That's definitely indicative of a problem of some sort. If you go to a command prompt and run the following, what do you get?

    fetch https://packages.pfsense.org
    

    @NOYB:

    I wonder if this could be related to the issue I'm seeing with 2 url table aliases no longer able to download via ssl after upgrade from 2.2.5 to 2.2.6. 
    https://forum.pfsense.org/index.php?topic=104392.0

    If you'd do what I asked in that thread and post back results there, maybe we could determine that.



  • I get

    
    $ fetch https://packages.pfsense.org
    packages.pfsense.org                                     0  B    0  Bps
    
    

    when I run that command on:

    2.2.6-RELEASE (amd64)
    built on Mon Dec 21 14:50:08 CST 2015
    FreeBSD 10.1-RELEASE-p25

    Carlos



  • @ctirado:

    I get

    
    $ fetch https://packages.pfsense.org
    packages.pfsense.org                                     0  B    0  Bps
    
    

    That's the correct expected output. I presume in your case your interest is re: the IPsec post you made, which is completely unrelated to what this thread is about. IPsec certificates are a completely different, separate component and their verification has no relation to fetch.



  • No, I just thought it might be helpful. I was already remoted into my pfSense box and it only took a minute or two to put together the post.

    Carlos



  • I am getting this when trying to fetch it in the command prompt:

    $ fetch https://packages.pfsense.org
    No server SSL certificate
    fetch: https://packages.pfsense.org: Authentication error



  • @Darkk:

    I am getting this when trying to fetch it in the command prompt:

    $ fetch https://packages.pfsense.org
    No server SSL certificate
    fetch: https://packages.pfsense.org: Authentication error

    That's why. What files do you have in /usr/local/etc/ssl/?



  • Just one file:

    [2.2.6-RELEASE]/usr/local/etc/ssl: ls -l
    total 960
    -rw-r--r--  1 root  wheel  944280 Dec 21 13:20 cert.pem

    Looking inside the pem file, it's just standard CA-signed root certs. A lot of them are set to expire around 2020 to 2030.



  • That looks correct. Exactly the same file size as it should be.

    -rw-r--r--  1 root  wheel  944280 Dec 21 15:20 cert.pem
    
    

    Guessing it likely matches this SHA.

    : sha256 /usr/local/etc/ssl/cert.pem
    SHA256 (/usr/local/etc/ssl/cert.pem) = 2629766a1e695df07dfcdc86eae7afa562a43f8d6d2a74a8e9eddccf5ece5dd6
    

    Which does work.

    : fetch -v https://packages.pfsense.org
    looking up packages.pfsense.org
    connecting to packages.pfsense.org:443
    SSL options: 81004bff
    Peer verification enabled
    Using CA cert file: /usr/local/etc/ssl/cert.pem
    Verify hostname
    SSL connection established using ECDHE-RSA-AES256-GCM-SHA384
    Certificate subject: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.pfsense.org
    Certificate issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
    requesting https://packages.pfsense.org/
    remote size / mtime: 23 / 1394690197
    packages.pfsense.org                          100% of   23  B  202 kBps 00m00s
    
    


  • I had this same problem. My certificates were also there and the sha256 matched. I finally rebooted and the problem was fixed.
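
The checks walked through in this thread (CA bundle present at /usr/local/etc/ssl/cert.pem, SHA-256 compared against a known-good copy, then a verbose fetch) can be collected into one script. This is an added example, not part of any post above; the function names and return codes are assumptions of the example, and the expected hash is supplied by the caller.

```shell
#!/bin/sh
# Added example: sanity-check the CA bundle that fetch(1) uses for peer verification.

# Print the SHA-256 of a file as bare hex (FreeBSD sha256, otherwise GNU sha256sum).
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | awk '{print $1}'
    fi
}

# Count PEM certificate blocks in a bundle (markers only; nothing is parsed).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# check_bundle FILE [EXPECTED_SHA256]
# Returns 0 = usable, 1 = missing/unreadable, 2 = no certificates, 3 = hash mismatch.
check_bundle() {
    bundle=$1
    expected=${2:-}
    [ -r "$bundle" ] || { echo "missing or unreadable: $bundle"; return 1; }
    # grep -c exits non-zero on zero matches, so fall back to 0 explicitly.
    n=$(count_certs "$bundle") || n=0
    [ "$n" -gt 0 ] || { echo "no certificates in $bundle"; return 2; }
    actual=$(file_sha256 "$bundle")
    echo "$bundle: $n certificates, sha256 $actual"
    if [ -n "$expected" ] && [ "$actual" != "$expected" ]; then
        echo "hash mismatch, expected $expected"
        return 3
    fi
    return 0
}

# diagnose [BUNDLE] [EXPECTED_SHA256]
# Bundle check first, then the verbose fetch from the thread (body discarded).
diagnose() {
    check_bundle "${1:-/usr/local/etc/ssl/cert.pem}" "${2:-}" || return $?
    fetch -v -o /dev/null https://packages.pfsense.org
}
```

Source the file in a shell on the firewall and run `diagnose`, optionally passing the bundle path and a hash taken from a known-good install of the same release.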