I am really new to PfSense, Debian & Co… I watched a few great Videos of Tom on Youtube and thats how I came to this nice place
Also I hope you can help me with my problem.
DNS: DNSBL active, DNS-Resolver of PFSense is active.
The VPN, Pfblocker, etc. works fine for me. From my PC (tunneling all traffic over VPN → Wireguard) I can surf without any problems and the pfblocker doing its job very well.
But what is the problem? 2 of my Virtual Cloud machines (Debian 11 & Ubuntu 22.04 LTS) are driving me a bit crazy now.
If I try to apt update and I get the following error message:
“The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected. Could not handshake: Error in the certificate verification.”
I tried a few things like:
Checking the settings route, IP, DNS-Nameserver, etc.
Searching in the internet – but (there I found No 3 -6)
Checking time-zone
Clean the cache
update-ca-certificates
Add [trusted=yes] in front of the links in the source list
And after every change a retry after restarting the networking.service and reboot. But nothing solved the problem.
Do you have any idea, what I can try?
Is maybe the self-signed SSL-Certificate of the DNS-Resolver the problem and I need here an “official” one?
Thanks for your feedback in advance!
If you need more (specific) information, please let me know.
Looks like pfblocker is blocking and sending a self signed cert when you do an apt update. Look in the reports tab and find the url that is being blocked and whitelist it or manually whitelist it.
For the first I tried to find the IPs/URLs in logs. Nothing
Then I whitelisted them - complete Reload (Update all) - also here the same
At last I tried to switch off pfBlocker completely. Still the same error with the cert
Sorry for my late reply. Yesterday I was really busy.
For testing I just used the machine with Ubuntu:
The error messages when I try apt update:
Ign:1 https://archive.ubuntu.com/ubuntu jammy InRelease
Ign:4 https://security.ubuntu.com/ubuntu jammy-security InRelease
Ign:2 https://archive.ubuntu.com/ubuntu jammy-updates InRelease
Ign:3 https://archive.ubuntu.com/ubuntu jammy-backports InRelease
Ign:1 https://archive.ubuntu.com/ubuntu jammy InRelease
Ign:4 https://security.ubuntu.com/ubuntu jammy-security InRelease
Ign:2 https://archive.ubuntu.com/ubuntu jammy-updates InRelease
Ign:3 https://archive.ubuntu.com/ubuntu jammy-backports InRelease
Ign:1 https://archive.ubuntu.com/ubuntu jammy InRelease
Ign:4 https://security.ubuntu.com/ubuntu jammy-security InRelease
Ign:2 https://archive.ubuntu.com/ubuntu jammy-updates InRelease
Ign:3 https://archive.ubuntu.com/ubuntu jammy-backports InRelease
Err:1 https://archive.ubuntu.com/ubuntu jammy InRelease
Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected. Could not handshake: Error in the certificate verification. [IP: 91.189.91.38 443]
Err:4 https://security.ubuntu.com/ubuntu jammy-security InRelease
Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected. Could not handshake: Error in the certificate verification. [IP: 91.189.91.39 443]
Err:2 https://archive.ubuntu.com/ubuntu jammy-updates InRelease
Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected. Could not handshake: Error in the certificate verification. [IP: 91.189.91.38 443]
Err:3 https://archive.ubuntu.com/ubuntu jammy-backports InRelease
Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected. Could not handshake: Error in the certificate verification. [IP: 91.189.91.38 443]
Reading package lists… Done
Building dependency tree… Done
Reading state information… Done
All packages are up to date.
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected. Could not handshake: Error in the certificate verification. [IP: 91.189.91.38 443]
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/jammy-updates/InRelease Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected. Could not handshake: Error in the certificate verification. [IP: 91.189.91.38 443]
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/jammy-backports/InRelease Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected. Could not handshake: Error in the certificate verification. [IP: 91.189.91.38 443]
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/jammy-security/InRelease Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected. Could not handshake: Error in the certificate verification. [IP: 91.189.91.39 443]
W: Some index files failed to download. They have been ignored, or old ones used instead.
nginx
curl: (6) Could not resolve host: jammy
curl: (6) Could not resolve host: InRelease
myuser@myserver:~# sudo curl -k http://archive.ubuntu.com/ubuntu jammy InRelease
301 Moved Permanently
301 Moved Permanently
nginx
curl: (6) Could not resolve host: jammy
curl: (6) Could not resolve host: InRelease
myuser@myserver:~# sudo curl -k https://archive.ubuntu.com/ubuntu
404 Not Found
Did you enable DoT (Respond to incoming SSL/TLS queries from local clients) in the the DNS resolver → General settings? If so, I would disable that, unless you absolutely need to encrypt your internal DNS traffic for some reason.
And yes, if you are using it, you should probably use a certificate that is signed by an official certificate authority. But I don’t use DoT, so I’m not a 100% sure.
thanks for your post.
The DoT is unchecked and was all the time.
I just enabled it one time, to check if this solves the problem. But this was on Monday.
In DNS Resolver->General:
Enable the DNS-Resolver
Network Interfaces: all
Outgoing Network Interfaces: WAN
Enable DNSSEC Support
Enable Python Module
In DNS Resolver->Advanced Settings
Hide Identity
Hide Version
Harden DNSSEC Data
In DNS Resolver->Access Lists
Wireguard
LAN
And a few minutes ago, I installed and configured acme. I am just waiting for my TXT-Record is taken over by the official DNS-Servers. Just to try out, if a letsencrypt cert solves the Problem.
Small Update: The official cert doesn´t solve the problem.
But in pfTop i checked the internal Resolver and my Server which has the problem:
If I try apt update, there is only traffic in, but no out.
A small extract:
127.0.0.1 local host = internal Resolver
10.200.0.4 = my Server
PR DIR SRC DEST STATE
tcp In 10.200.0.4:60692 127.0.0.1:443 FIN_WAIT_2:FIN_WAIT_2
tcp In 10.200.0.4:60806 127.0.0.1:443 TIME_WAIT:TIME_WAIT
tcp In 10.200.0.4:40924 127.0.0.1:80 FIN_WAIT_2:FIN_WAIT_2
Just to be on the same page… You are trying to run the apt update command in a VM without direct internet access?
If so, how exactly did you achieve this “indirect” internet access for this VM?
Are the HTTP(S) requests going through some proxy like Squid, or does pfBlocker also have the ability to act as a HTTP(S) Proxy? Because, as far as I can tell (not an expert when it comes to Squid or pfBlocker), something is messing with your HTTP(S) requests before they reach the Ubuntu servers. So whatever blocker / proxy you are using, you should probably trying to whtelist ubuntu.com, or let the VM bypass it, and see if the error goes away.
You are trying to run the apt update command in a VM without direct internet access?
Yes. These 2 machnines only have access to the internet trough machine one (which has its own static public IP address).
Are the HTTP(S) requests going through some proxy like Squid, or does pfBlocker also have the ability to act as a HTTP(S) Proxy? Because, as far as I can tell (not an expert when it comes to Squid or pfBlocker), something is messing with your HTTP(S) requests before they reach the Ubuntu servers. So whatever blocker / proxy you are using, you should probably trying to whtelist ubuntu.com, or let the VM bypass it, and see if the error goes away.
Good point. You brought me to some idea.
I checked my Portforwarding in the NAT-Rules again. There was an invert match for my LAN to the internal Resolver with Port 443. Over an Alias together with other ports, so I didn´t see it directly.
So I changed it and now the VMs behind are updating.
I am wondering about myself in what weak moment I did this
But it has shown again - the devil is in the details.
Thanks to all of you for your ideas and Solution approches.
Not sure if the following fits your usecase, but maybe it will help someone else…
If you have air gapped systems and only need to install packages via apt, there is a nice tool called apt-cacher-ng. You can run this on any Debian / Ubuntu based machine that has internet access and then the machines without internet access can connect to this machine and use it as a proxy for installing and upgrading packages via apt.
The configuration is very simple for this purpose. Just install the apt-cacher-ng package on the machine that should act as the proxy. It will automatically start a service that is listening on port 3142.
Thats very interesting. It was not planned, and my machine with direct internet access is running with pfsense. But to set up an additional VM should not be the biggest problem
I will check this out, if I am finished with my Docker “experiments”
