opnsense / update

OPNsense update tools
https://opnsense.org/
BSD 2-Clause "Simplified" License
128 stars 78 forks source link

Bootstrap hangs on fetching base-19.1.4 #49

Closed PixelSupreme closed 5 years ago

PixelSupreme commented 5 years ago

I tried to install opnsense using the bootstrap script. I used a fresh FreeBSD 11.2 install and followed the instructions on the github page. Even then fetch failed to verify any SSL certificate. I set the environment variable SSL_NO_VERIFY_PEER=1 to work around this.

With that the bootstrap script worked, until the installation tries to fetch base-19.1.4 archive. It just seems to try endlessely. I let it run for several hours but no progress.

fichtner commented 5 years ago

You can use -i option for insecure, but it shouldn't stall at the end. Verification is not optional once you have all packages (and cert store installed).

PixelSupreme commented 5 years ago

I did install the ca_root_nss package and verified the symlinks. But fetch couldn't even download from github itself without the 'no verify' workaround.

fichtner commented 5 years ago

There may be a proxy in the way or a firewall. The URL is https://pkg.opnsense.org/FreeBSD:11:amd64/19.1/sets/kernel-19.1.4-amd64.txz so can you try this manually?

# fetch https://pkg.opnsense.org/FreeBSD:11:amd64/19.1/sets/kernel-19.1.4-amd64.txz
PixelSupreme commented 5 years ago

I'm on a weekend trip right now, so going to take a few days before I have access to the box again.

fichtner commented 5 years ago

Sure, no problem. Happy to debug this further later. Enjoy the trip. :)

PixelSupreme commented 5 years ago

Okay, sorry for the delay but I got back to this issue.

Here's what i got for the fetch command:

# fetch https://pkg.opnsense.org/FreeBSD:11:amd64/19.1/sets/kernel-19.1.4-amd64.txz Certificate verification failed for /CN=pkg.opnsense.org 34374371912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269: fetch: https://pkg.opnsense.org/FreeBSD:11:amd64/19.1/sets/kernel-19.1.4-amd64.txz: Authentication error

This is without the SSL_NO_VERIFY_PEER variable set

fichtner commented 5 years ago

I don't know. Partial chain or time out of sync or worst case MITM (proxy in your network). Is ca_root_nss package still installed?

fichtner commented 5 years ago

You can also try -v option for more debug output in fetch :)

PixelSupreme commented 5 years ago

Now this is a bit embarrassing, but after you mentioned time sync as possible issue I checked my settings. It seems my ntp configuration didn't work, at all and time was way off. After manually updating time it works. Well, freebsd newbie here >.<. Thanks for your time anyway.

fichtner commented 5 years ago

Yay, no worries, happy to help!