How does Scale update? SSL errors

[m9x3mos]

Hello all,
I was wondering if anyone knew the method that Scale uses to check for updates?
My test environment is behind a Sonicwall router that has DPI SSL.
I added the cert to the system (like for debian or ubuntu) and apt update, wget, and installing applications all work but when I check for updates with the UI I am getting this error message.

"Cannot connect to host update.freenas.org:443 ssl:default [Network is unreachable]: Automatic update check failed. Please check system network settings."
Looking in more /var/log/messages really didn't show anything.

 

[Kris Moore]

Couple things to check:

Can you run 'wget https://update.freenas.org/FreeNAS/trains.txt' and does that download?

Is the system clock in sync properly?

 

[m9x3mos]

Hello Kris,
wget does work

This was the content it downloaded

From what I can tell in the UI, the time does look correct.

 

[Kris Moore]

Is this on RC2? What happens if you try to check for updates via the CLI tool?

 

[m9x3mos]

Is this on RC2? What happens if you try to check for updates via the CLI tool?

View attachment 52395

I get this as an error

If I use wget to https://update.freenas.org, that does go through.

It really seems that what ever is trying to get updates in the background for TrueNAS Scale, it isn't using the ca-bundle that includes my dpi-ssl cert.
This is RC2 clean install that I am testing with.

As an extra point of reference, my main test machine is running TrueNAS core and after putting in the CA cert there (FreeBSD styles) that one is able to pull updates.

 

[Kris Moore]

Ahh, so you customized the system with your dpi-ssl cert? How did you apply that? Did you restart middleware afterwards?

# systemctl restart middlewared

 

[m9x3mos]

Ahh, so you customized the system with your dpi-ssl cert? How did you apply that? Did you restart middleware afterwards?

# systemctl restart middlewared

Converted CER cert to crt
openssl x509 -inform DER -in path/to/dell.cer -out dell.crt

added to this location
/etc/ssl/certs

ran this to update ssl bundles
update-ca-certificates --fresh

I then tested with apt update command and checking app list (instalable) in the UI and both were working (weren't before)
Then when I check for updates updates and I get that error:

Cannot connect to host update.freenas.org:443 ssl:default [Network is unreachable]: Automatic update check failed. Please check system network settings.

I have tried restarting middlewared and the system multiple times while testing this to see if I can get it working.

 

[Kris Moore]

Ok, please do me a favor and create a ticket on https://jira.ixsystems.com with these details. I'm guessing there is a bug in the updater / middleware somewhere that we can take a look at fixing for RELEASE.

 

[m9x3mos]

Ok, please do me a favor and create a ticket on https://jira.ixsystems.com with these details. I'm guessing there is a bug in the updater / middleware somewhere that we can take a look at fixing for RELEASE.

Thank you Kris. I will go ahead and get that submitted then. I appreciate the help on this.