fichtner
commented
5 years ago You can use -i option for insecure, but it shouldn't stall at the end. Verification is not optional once you have all packages (and cert store installed).
Closed PixelSupreme closed 5 years ago
fichtner
commented
5 years ago You can use -i option for insecure, but it shouldn't stall at the end. Verification is not optional once you have all packages (and cert store installed).
PixelSupreme
commented
5 years ago I did install the ca_root_nss package and verified the symlinks. But fetch couldn't even download from github itself without the 'no verify' workaround.
fichtner
commented
5 years ago There may be a proxy in the way or a firewall. The URL is https://pkg.opnsense.org/FreeBSD:11:amd64/19.1/sets/kernel-19.1.4-amd64.txz so can you try this manually?
# fetch https://pkg.opnsense.org/FreeBSD:11:amd64/19.1/sets/kernel-19.1.4-amd64.txzI'm on a weekend trip right now, so going to take a few days before I have access to the box again.
fichtner
commented
5 years ago Sure, no problem. Happy to debug this further later. Enjoy the trip. :)
PixelSupreme
commented
5 years ago Okay, sorry for the delay but I got back to this issue.
Here's what i got for the fetch command:
# fetch https://pkg.opnsense.org/FreeBSD:11:amd64/19.1/sets/kernel-19.1.4-amd64.txz
Certificate verification failed for /CN=pkg.opnsense.org
34374371912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
fetch: https://pkg.opnsense.org/FreeBSD:11:amd64/19.1/sets/kernel-19.1.4-amd64.txz: Authentication error
This is without the SSL_NO_VERIFY_PEER variable set
fichtner
commented
5 years ago I don't know. Partial chain or time out of sync or worst case MITM (proxy in your network). Is ca_root_nss package still installed?
fichtner
commented
5 years ago You can also try -v option for more debug output in fetch :)
PixelSupreme
commented
5 years ago Now this is a bit embarrassing, but after you mentioned time sync as possible issue I checked my settings. It seems my ntp configuration didn't work, at all and time was way off. After manually updating time it works. Well, freebsd newbie here >.<. Thanks for your time anyway.
fichtner
commented
5 years ago Yay, no worries, happy to help!
I tried to install opnsense using the bootstrap script. I used a fresh FreeBSD 11.2 install and followed the instructions on the github page. Even then fetch failed to verify any SSL certificate. I set the environment variable SSL_NO_VERIFY_PEER=1 to work around this.
With that the bootstrap script worked, until the installation tries to fetch base-19.1.4 archive. It just seems to try endlessely. I let it run for several hours but no progress.