Unable to update because of ssl error

Status
Not open for further replies.

captain118

Dabbler
Joined
Oct 1, 2014
Messages
21
When I go to get an update I get the error:
Unable to connect to url https://update-master.ixsystems.com/FreeNAS/trains.txt: Automatic update check failed. Please check system network settings.

When I run "freenas-update -v check" I get:
[freenasOS.Configuration:606] TryGetNetworkFile(['https://update-master.ixsystems.com/FreeNAS/FreeNAS-11.3-STABLE/LATEST'])
[urllib3.connectionpool:959] Starting new HTTPS connection (1): update-master.ixsystems.com:443
[freenasOS.Configuration:692] Unable to connect to url https://update-master.ixsystems.com/FreeNAS/FreeNAS-11.3-STABLE/LATEST: HTTPSConnectionPool(host='update-master.ixsystems.com', port=443): Max retries exceeded with url: /FreeNAS/FreeNAS-11.3-STABLE/LATEST (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')])")))
[freenasOS.Configuration:709] Unable to load ['https://update-master.ixsystems.com/FreeNAS/FreeNAS-11.3-STABLE/LATEST']: Unable to connect to url https://update-master.ixsystems.com/FreeNAS/FreeNAS-11.3-STABLE/LATEST
[freenas-update:195] Unable to connect to url https://update-master.ixsystems.com/FreeNAS/FreeNAS-11.3-STABLE/LATEST
Traceback (most recent call last):
...

That seems to imply that it is looking for an SSL3 certificate. I'm guessing my root certificates may be out of date???
I'm running FreeNAS-11.3-U4.1

Any assistance would be greatly appreciated.
 

junkting

Cadet
Joined
Oct 4, 2021
Messages
2
Same problem here.

I get the same message in webgui in the "update" tab:
Unable to connect to url https://update-master.ixsystems.com/FreeNAS/trains.txt: Automatic update check failed. Please check system network settings.

Pinging update-master.ixsystems.com from shell works fine.
root@freenas:~ # ping -c 3 update-master.ixsystems.com
PING update-master.freenas.org (38.126.124.199): 56 data bytes
64 bytes from 38.126.124.199: icmp_seq=0 ttl=49 time=127.764 ms
64 bytes from 38.126.124.199: icmp_seq=1 ttl=49 time=128.660 ms
64 bytes from 38.126.124.199: icmp_seq=2 ttl=49 time=127.743 ms
--- update-master.freenas.org ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 127.743/128.056/128.660/0.427 ms
root@freenas:~ #

Checking update from shell (my underlining, bold and red color):
root@freenas:~ # freenas-update -v check
[freenasOS.Configuration:606] TryGetNetworkFile(['https://update-master.ixsystems.com/FreeNAS/FreeNAS-11.3-STABLE/LATEST'])
[urllib3.connectionpool:959] Starting new HTTPS connection (1): update-master.ixsystems.com:443
[freenasOS.Configuration:692] Unable to connect to url https://update-master.ixsystems.com/FreeNAS/FreeNAS-11.3-STABLE/LATEST: HTTPSConnectionPool(host='update-master.ixsystems.com', port=443): Max retries exceeded with url: /FreeNAS/FreeNAS-11.3-STABLE/LATEST (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')])")))
[freenas-update:195] Unable to connect to url https://update-master.ixsystems.com/FreeNAS/FreeNAS-11.3-STABLE/LATEST
Traceback (most recent call last):
File "/usr/local/bin/freenas-update", line 169, in DoDownload
rv = Update.DownloadUpdate(train, cache_dir, pkg_type=pkg_type, ignore_space=ignore_space)
File "/usr/local/lib/freenasOS/Update.py", line 961, in DownloadUpdate
latest_mani = conf.FindLatestManifest(train, require_signature=True)
File "/usr/local/lib/freenasOS/Configuration.py", line 1104, in FindLatestManifest
reason="GetLatestManifest",
File "/usr/local/lib/freenasOS/Configuration.py", line 710, in TryGetNetworkFile
raise url_exc
freenasOS.Exceptions.UpdateNetworkConnectionException: Unable to connect to urlhttps://update-master.ixsystems.com/FreeNAS/FreeNAS-11.3-STABLE/LATEST
Received exception during download phase, cannot update
root@freenas:~ #
 

itworks

Cadet
Joined
Sep 30, 2021
Messages
3
I'm having the same problem, trying to upgrade from 11.2-U7 to 11.3... (and then eventually to TrueNAS), but I keep running into the same SSL error message...

HTTPSConnectionPool(host='update-master.ixsystems.com', port=443): Max retries exceeded with url: /FreeNAS/trains.txt (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),)): Automatic update check failed. Please check system network settings.

I am using a self-signed certificate... Google Chrome does not seem to like it. I did get a green lock icon in Firefox, but still got the SSL error when I tried the upgrade there, too.

I can ping google.com from inside the Freenas shell...so I don't think there is a DNS problem, like they mentioned on another forum post relating to this issue.

I also tried to manually update via the GUI, but got Validation Errors (see below)...


Error: Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/middlewared/plugins/update.py", line 573, in do_update
ApplyUpdate(dest_extracted)
File "/usr/local/lib/freenasOS/Update.py", line 1248, in ApplyUpdate
new_manifest.RunValidationProgram(directory)
File "/usr/local/lib/freenasOS/Manifest.py", line 682, in RunValidationProgram
subprocess.check_output(valid_script, preexec_fn=PreExecHook, stderr=subprocess.STDOUT)
File "/usr/local/lib/python3.6/subprocess.py", line 356, in check_output
**kwargs).stdout
File "/usr/local/lib/python3.6/subprocess.py", line 423, in run
with Popen(*popenargs, **kwargs) as process:
File "/usr/local/lib/python3.6/subprocess.py", line 729, in __init__
restore_signals, start_new_session)
File "/usr/local/lib/python3.6/subprocess.py", line 1364, in _execute_child
raise child_exception_type(errno_num, err_msg, err_filename)
PermissionError: [Errno 13] Permission denied: './ValidateUpdate'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/middlewared/job.py", line 333, in run
await self.future
File "/usr/local/lib/python3.6/site-packages/middlewared/job.py", line 364, in __run_body
rv = await self.method(*([self] + args))
File "/usr/local/lib/python3.6/site-packages/middlewared/schema.py", line 664, in nf
return await f(*args, **kwargs)
File "/usr/local/lib/python3.6/site-packages/middlewared/plugins/update.py", line 577, in file
await self.middleware.run_in_thread(do_update)
File "/usr/local/lib/python3.6/site-packages/middlewared/main.py", line 1009, in run_in_thread
raise result
File "/usr/local/lib/python3.6/site-packages/middlewared/main.py", line 1015, in _run_in_thread_wrap
return f(*args, **kwargs)
File "/usr/local/lib/python3.6/site-packages/middlewared/plugins/update.py", line 575, in do_update
raise CallError(str(e))
middlewared.service_exception.CallError: [EFAULT] [Errno 13] Permission denied: './ValidateUpdate'



I'm a total noob when it comes to FreeNAS/TrueNAS. So I'm not sure I'm even doing the manual update correctly. I can't seem to find a guide on how to do it using a 'tar' file via the GUI. I've only been able to find how to update using an ISO file, so I guess that's what I will try next. I was hoping to avoid those extra steps, but I can't seem to get the update working via the GUI at all.
 

itworks

Cadet
Joined
Sep 30, 2021
Messages
3
Update: I was able to solve the Permission/Validation Error problem when trying to manually update using the GUI and I was able to successfully update from FreeNAS11.2-U7 to 11.2-U8, but unfortunately the update to U8 did not solve the SSL error. It still persists.
My permission/Validation problem was solved by adding the 'root' user to the same group that I had my Pool in. I guess during the manual update process, the Pool is used as temporary storage during the update and my 'root' user was not part of the Pool's group.

Still trying to solve the SSL problem. I am also able to ping 'update-master.ixsystems.com' from the shell.
 

masterzen

Cadet
Joined
Oct 5, 2021
Messages
3
Update: I was able to solve the Permission/Validation Error problem when trying to manually update using the GUI and I was able to successfully update from FreeNAS11.2-U7 to 11.2-U8, but unfortunately the update to U8 did not solve the SSL error. It still persists.
My permission/Validation problem was solved by adding the 'root' user to the same group that I had my Pool in. I guess during the manual update process, the Pool is used as temporary storage during the update and my 'root' user was not part of the Pool's group.

Still trying to solve the SSL problem. I am also able to ping 'update-master.ixsystems.com' from the shell.

I believe the SSL issue is coming from the Let's Encrypt root certificate being phased out:

I have the same issue, and I'm going to see if it's possible to update the CA certificate locally to "know" the new LE root.
 

masterzen

Cadet
Joined
Oct 5, 2021
Messages
3
I believe the SSL issue is coming from the Let's Encrypt root certificate being phased out:

I have the same issue, and I'm going to see if it's possible to update the CA certificate locally to "know" the new LE root.

The new root certificate is already present in the CA certificates; the problem is the version of OpenSSL, as explained in the article I've linked:

If you provide an API or have to support IoT devices, you’ll need to make sure of two things: (1) all clients of your API must trust ISRG Root X1 (not just DST Root CA X3), and (2) if clients of your API are using OpenSSL, they must use version 1.1.0 or later. In OpenSSL 1.0.x, a quirk in certificate verification means that even clients that trust ISRG Root X1 will fail when presented with the Android-compatible certificate chain we are recommending by default.

Unfortunately I'm now stuck on a version with openssl 1.0.2 :(
 

captain118

Dabbler
Joined
Oct 1, 2014
Messages
21
After I posted the message I had wondered if the issue was related to the expiration of the root cert but hadn't been able to get back and add that to the discussion. It appears I'm not the only one with that thought. So the question is how do I/We move forward from here?
 

masterzen

Cadet
Joined
Oct 5, 2021
Messages
3
After I posted the message I had wondered if the issue was related to the expiration of the root cert but hadn't been able to get back and add that to the discussion. It appears I'm not the only one with that thought. So the question is how do I/We move forward from here?

I guess the only remaining option is to perform an ISO upgrade...
 

captain118

Dabbler
Joined
Oct 1, 2014
Messages
21
I'm hoping that's not the case but it might be.
 

awasb

Patron
Joined
Jan 11, 2021
Messages
402
 

fang

Cadet
Joined
Oct 7, 2021
Messages
1
Hi guys, did you find a solution? Is it better to wait for the certificate to be fixed? I would like to use the automatic update and not the manual one.
Thanks
 

captain118

Dabbler
Joined
Oct 1, 2014
Messages
21
You can simply remove the old root certificate:
 

vulzscht

Cadet
Joined
Oct 9, 2021
Messages
1
I did this to resolve the problem on a couple of my FreeNAS (11.3-u4.1 and 11.3-u5).
Go to https://curl.se/docs/caextract.html and find the latest Mozilla version (let's say mine was 2021-09-30).

On the FreeNAS box:
1. curl -O -k https://curl.se/ca/cacert-2021-09-30.pem
2. cp cacert-2021-09-30.pem /etc/ssl/cert.pem
3. cp cacert-2021-09-30.pem /etc/ssl/truenas_cacerts.pem

Not really sure about the difference and steps to reproduce, but after this my boxes successfully fetched the updates and updated.
 

Marcoa131

Cadet
Joined
Feb 14, 2017
Messages
1
I did this to resolve the problem on a couple of my FreeNAS (11.3-u4.1 and 11.3-u5).
Go to https://curl.se/docs/caextract.html and find the latest Mozilla version (let's say mine was 2021-09-30).

On the FreeNAS box:
1. curl -O -k https://curl.se/ca/cacert-2021-09-30.pem
2. cp cacert-2021-09-30.pem /etc/ssl/cert.pem
3. cp cacert-2021-09-30.pem /etc/ssl/truenas_cacerts.pem

Not really sure about the difference and steps to reproduce, but after this my boxes successfully fetched the updates and updated.

I just followed these steps and it worked to get my updates tab working again, thanks.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,681
Ideally you should not be fetching random files from out on the Internet and installing them as your root trust store.

This topic is being covered at


and in the interest of keeping a centralized point of discussion, please continue this there.
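
The `curl -O -k` step posted earlier in the thread disables certificate verification, so the downloaded bundle is unauthenticated when it is copied over the trust store. The following is an added example, not code from any poster or from iXsystems: it installs a bundle only when its SHA-256 matches a digest obtained through a channel you already trust, and keeps a backup of the file it replaces. The function names and return codes are hypothetical.

```shell
#!/bin/sh
# Added example: gate a CA-bundle replacement on a known-good SHA-256 digest.
# Function names and return codes are hypothetical, not part of FreeNAS.

# Print the SHA-256 of a file (Linux has sha256sum, FreeBSD has sha256 -q).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        sha256 -q "$1"
    fi
}

# install_ca_bundle BUNDLE EXPECTED_SHA256 DEST
# Returns 0 = installed, 1 = digest mismatch, 2 = unreadable/not PEM/copy error.
install_ca_bundle() {
    bundle=$1; expected=$2; dest=$3
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }

    # Compare digests case-insensitively; refuse to touch DEST on mismatch.
    actual=$(file_sha256 "$bundle")
    expected_lc=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected_lc" ]; then
        echo "digest mismatch for $bundle: got $actual" >&2
        return 1
    fi

    # Sanity check: at least one certificate, BEGIN/END markers balanced.
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$bundle" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "$bundle does not look like a PEM bundle" >&2
        return 2
    fi

    # Keep the current store so the change can be rolled back.
    if [ -f "$dest" ]; then
        cp -p "$dest" "$dest.bak" || return 2
    fi

    # Write beside DEST, then rename, so readers never see a partial file.
    tmp="$dest.new.$$"
    cp "$bundle" "$tmp" || return 2
    mv "$tmp" "$dest" || return 2
}

# Example call (paths from the thread, digest is a placeholder):
#   install_ca_bundle cacert-2021-09-30.pem "<sha256 from a trusted source>" /etc/ssl/cert.pem
```

The digest is only as trustworthy as the way it was obtained; reading it from the same unverified connection as the bundle adds nothing.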
 