Certificate verification failed about opn-repo HOT 14 CLOSED

I tried the above options, nothing seemed to work. I found this and compared what I had in the R3 Cert. It was close, but off in a few places. I replaced my R3 cert with the above, and it now works. Hope this helps.

https://forum.opnsense.org/index.php?topic=24950.msg119873#msg119873

from opn-repo.

Go on my website and search the folder where you fetched the conf, then remove the file and run pkg update

I will check the cert prob over the weekend

from opn-repo.

Fair enough. So just so I understand the processs and don't muck things up can you verify the following?
Step 1 - Go to /usr/local/etc/package/repos and delete mimugmail.conf
Step 2 - Do my OPN updates and wireguard-kmod reinstall
Step 3 - Run the fetch from your website again to re-pull the conf.
Step 4 - Reboot.

Sound right and my Adguardhome will retain the current config without requiring additional rework?

from opn-repo.

Can you replace recheck .. I dont get any errors

from opn-repo.

Hi Michael,

I have the same issue, remove the conf, remove the expired CA from System/Trust/Authorities, update OPNsense, re-add the Repository (with --no-verify-peer), but Repository Update still comes with:
Updating mimugmail repository catalogue... Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3 229124571136:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify

The https://opn-repo.routerperformance.net looks okay, but OPNsense use old/cached? DST RootCA X3.
How to remove, or recheck, what you mean.

THX

from opn-repo.

System : Trust : Authorities and remove the old one?

from opn-repo.

from opn-repo.

Only this is configured.
Repo looks fine: https://www.sslshopper.com/ssl-checker.html#hostname=opn-repo.routerperformance.net think it's a OPNsense thing.
@burntoc I remove the Repository, to update to Latest OPNsense (21.7.3_3), hope that the update fix it.

from opn-repo.

from opn-repo.

I am not a security professional... But the way I understand things the CA works as the first level of cert verification and is housed on the client side (which would be you opnsense box). In my case a new CA was present, but just had an inaccurate cert.

That said, I did not add the new CA to my box, and the date on it coresponds with an update I did. So, I am inclined to believe opnsense did this during an update. If so, opnsense sent the wrong CA cert to everyone. I may be way wrong on this, and it may just be me that had this particular issue, I am just trying to piece together what I see.

from opn-repo.

from opn-repo.

Again, not a security pro.... But certs are 3 parts. Ca, public, and private. Yes everything SHOULD work automatically. But in my case the CA cert was off. The CA is stored in opnsense and not usually updated, likely for security/spoofing reasons. I'm just sharing my experience and hoping it helps the community. Maybe not, who knows. 🤣

from opn-repo.

from opn-repo.

I got a reply that this repository has been moved to ZeroSSL to address the client-side CA and OPNsense config issues arising from this. Thought I'd confirm that this has fixed the issue here, with no additional adjustments needed on my part. As the CAs and certs are all valid now, the OPNsense update function completes properly again.

from opn-repo.