SOLVED Unable to update/upgrade jails from 11.2 to 11.3 on FreeNAS 1.3-U1

[SlackerDude]

My current system is FreeNAS 11.3-U1. While still on 11.2, I replaced my Warden jails-based plugins with iocage jails-based plugins. They all behaved as expected. After a few weeks, I decided to upgrade the 11.2 iocage jails to 11.3, and found I could not. So, I come to you asking for help getting my jails template to update or upgrade from 11.2 to 11.3. From an SSH connection I ran the "iocage fetch" command. Below is the output:

Code:

root@freenas[~]# iocage fetch
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/urllib3/contrib/pyopenssl.py", line 485, in wrap_socket
    cnx.do_handshake()
  File "/usr/local/lib/python3.7/site-packages/OpenSSL/SSL.py", line 1915, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/local/lib/python3.7/site-packages/OpenSSL/SSL.py", line 1647, in _raise_ssl_error
    _raise_current_error()
  File "/usr/local/lib/python3.7/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 672, in urlopen
    chunked=chunked,
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 376, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 994, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.7/site-packages/urllib3/connection.py", line 394, in connect
    ssl_context=context,
  File "/usr/local/lib/python3.7/site-packages/urllib3/util/ssl_.py", line 370, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/local/lib/python3.7/site-packages/urllib3/contrib/pyopenssl.py", line 491, in wrap_socket
    raise ssl.SSLError("bad handshake: %r" % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')])",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 720, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/usr/local/lib/python3.7/site-packages/urllib3/util/retry.py", line 436, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='download.freebsd.org', port=443): Max retries exceeded with url: /ftp/releases/amd64 (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')])")))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/iocage", line 10, in <module>
    sys.exit(cli())
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 764, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 717, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 956, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.7/site-packages/click/core.py", line 555, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/iocage_cli/fetch.py", line 181, in cli
    ioc.IOCage().fetch(**kwargs)
  File "/usr/local/lib/python3.7/site-packages/iocage_lib/iocage.py", line 1078, in fetch
    **kwargs).fetch_release()
  File "/usr/local/lib/python3.7/site-packages/iocage_lib/ioc_fetch.py", line 215, in fetch_release
    rel = self.fetch_http_release(eol, _list=_list)
  File "/usr/local/lib/python3.7/site-packages/iocage_lib/ioc_fetch.py", line 387, in fetch_http_release
    req = requests.get(f"{self.server}/{self.root_dir}")
  File "/usr/local/lib/python3.7/site-packages/requests/api.py", line 75, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/api.py", line 60, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 668, in send
    history = [resp for resp in gen] if allow_redirects else []
  File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 668, in <listcomp>
    history = [resp for resp in gen] if allow_redirects else []
  File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 247, in resolve_redirects
    **adapter_kwargs
  File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='download.freebsd.org', port=443): Max retries exceeded with url: /ftp/releases/amd64 (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')])")))
root@freenas[~]#

My system info:

• Case: LIAN LI PC-Q25B
• Power Supply: CORSAIR CX430M 430W 80 PLUS BRONZE
• Motherboard: ASRock FM2A88X-ITX+
• CPU: AMD A6-5400K
• CPU Cooler: ZALMAN CNPS8900
• RAM: 16GB DDR3
• Boot Drive: 2 x SanDisk SDCZ36-016G-B35 16G
• Storage Drive: 6 x WD Red WD40EFRX
• Intel EXPI9301CTBLK 10/100/1000Mbps
• FreeNAS-11.3U-1

Any assistance will be greatly appreciated. :)

 

[Yorick]

Anything in between that FreeNAS and Dar IntarWebbers that's doing SSL inspection? Fortigates, for example, default to a type of inspection that can break SSL handshake.

 

[SlackerDude]

Anything in between that FreeNAS and Dar IntarWebbers that's doing SSL inspection? Fortigates, for example, default to a type of inspection that can break SSL handshake.

Hi Yorick. The only thing between the FreeNAS box and the outside world is a DSL modem in PPPoE configuration, & a pfsense gateway/router. Two rules exist for the IP on the FreeNAS box, one for FTP, & one for SSH, both of which are only turned on when needed for access. I have always had SNORT running on the gateway, and I will review the settings on it.

 

[Yorick]

I'm no Snort guru, but try telling it not to inspect encrypted traffic as per this link, and see what happens. https://www.snort.org/faq/readme-ssl

 

[SlackerDude]

While you may not be a "Snort Guru", you can definitely add "Snort sub-Guru" after your name. That worked a charm! Many thanks!!

 

[SlackerDude]

If a moderator could mark this as "Solved", that would be great. I cannot, as the thread tools do not appear on any of the three browsers I have opened this in.