pkg update fails with certificate error

bsafh commented 6 months ago

OPNsense 23.7.10_1-amd64 FreeBSD 13.2-RELEASE-p7 OpenSSL 1.1.1w

root@OPNsense:~ # pkg update Updating OPNsense repository catalogue... OPNsense repository is up to date. Updating SunnyValley repository catalogue... SunnyValley repository is up to date. Updating mimugmail repository catalogue... Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3 35071881216:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921: Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3 35071881216:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921: Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3 35071881216:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921: Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3 35071881216:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921: Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3 35071881216:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921: Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3 35071881216:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921: pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/meta.txz: Authentication error repository mimugmail has no meta file, using default settings Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3 35071881216:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921: Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3 35071881216:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921: Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3 35071881216:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921: pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/packagesite.pkg: Authentication error Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3 35071881216:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921: Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3 35071881216:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921: Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3 35071881216:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921: pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/packagesite.txz: Authentication error Unable to update repository mimugmail Error updating repositories!

mimugmail commented 6 months ago

It works for me:

root@mimu-fw:~ # pkg update
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating mimugmail repository catalogue...
mimugmail repository is up to date.
Updating ntop repository catalogue...
Fetching meta.conf: 100%    163 B   0.2kB/s    00:01
Fetching packagesite.pkg: 100%    3 KiB   2.7kB/s    00:01
Processing entries: 100%
ntop repository update completed. 7 packages processed.
All repositories are up to date.

bsafh commented 6 months ago

That's good to see!

But: what can be the cause that it does not work on my OPNsense? Any idea how to debug this?

mimugmail commented 6 months ago

Is this a new activation or does this happen after an update? Do you use ACME locally? System : Settings : General, store intermediate ticked?

bsafh commented 6 months ago

This happened after an update (around June 2023). To be more precise: my firewall hardware died, this is an install done with the option to use a backup config, around 1 month old. Then I updated to the latest version (23.x), installed all plugins I need and I think I did restore the backup again.

Yes, "store intermediate" is ticked.

mimugmail commented 6 months ago

System : Trust : CA, is there a Lets Enctyrpt CA?

bsafh commented 6 months ago

R3 (ACME Client)

mimugmail commented 6 months ago

DST Root is outdated, just remove it.

bsafh commented 6 months ago

done.

did not help:

root@OPNsense:~ # pkg update
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
Updating mimugmail repository catalogue...
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
35089928192:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
35089928192:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
35089928192:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
35089928192:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
35089928192:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
35089928192:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/meta.txz: Authentication error
repository mimugmail has no meta file, using default settings
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
35089928192:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
35089928192:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
35089928192:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/packagesite.pkg: Authentication error
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
35089928192:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
35089928192:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
35089928192:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/packagesite.txz: Authentication error
Unable to update repository mimugmail
Error updating repositories!
root@OPNsense:~ #

bsafh commented 6 months ago

works now.

I deleted all Let's encrypt related Authorities under System --> Trust --> Authorities and imported the Root Certificates from the Let's Encrypt Website. (all of them to be sure)

works now:

root@OPNsense:~ # pkg update
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
Updating mimugmail repository catalogue...
Fetching meta.conf: 100%    163 B   0.2kB/s    00:01
Fetching packagesite.pkg: 100%   65 KiB  66.6kB/s    00:01
Processing entries: 100%
mimugmail repository update completed. 211 packages processed.
All repositories are up to date.
root@OPNsense:~ #

from: https://letsencrypt.org/de/certificates/

Active ISRG Root X1 (RSA 4096, O = Internet Security Research Group, CN = ISRG Root X1) Self-signed: der, pem, txt Cross-signed by DST Root CA X3: der, pem, txt Active, limited availability ISRG Root X2 (ECDSA P-384, O = Internet Security Research Group, CN = ISRG Root X2) Self-signed: der, pem, txt Cross-signed by ISRG Root X1: der, pem, txt

and

Active Let’s Encrypt R3 (RSA 2048, O = Let's Encrypt, CN = R3) Signed by ISRG Root X1: der, pem, txt Cross-signed by IdenTrust: der, pem, txt (Retired)

and IdenTrust’s “DST Root CA X3” (now called “TrustID X3 Root”)

mimugmail / opn-repo

pkg update fails with certificate error #193