Still having issues authenticating to https mirrors...

Some actions:
1. updated all using http mirror (acme version 3.2)
2. removed LE CA and certs
3. rerun acme, get new certs
4. add new cert to webgui

It seems like the correct cert/CA (LE R3, ISRG Root X1) is in place, not sure what is breaking package updater?

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 21.7.3_3 (amd64/OpenSSL) at Fri Oct  1 09:44:10 CEST 2021
Fetching changelog information, please wait... Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
4599340929024:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig : Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
1458337177600:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
1458337177600:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
1458337177600:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
1458337177600:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
1458337177600:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
1458337177600:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/latest/meta.txz : Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
1458337177600:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
1458337177600:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
1458337177600:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/latest/packagesite.txz : Authentication error
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***
I removed the old LE authority, and changed my mirror to LeaseWeb/http. I could get the update to 21.7.3_3 ...

... But I still get this error message:

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 21.7.3_3 (amd64/OpenSSL) at Fri Oct  1 11:39:17 CEST 2021
Fetching changelog information, please wait... Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
6526875459584:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig: Authentication error
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.txz: .......... done
Processing entries: .......... done
OPNsense repository update completed. 767 packages processed.
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (1 candidates): . done
Processing candidates (1 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***
Great catch, Tupsi!
Works for me, too!

How to get package updates to work:

- Remove the Let's Encrypt's R3 cert from System -> Trust -> Authorities.
- Add a new Authority Certificate and paste both R3 and ISRG Root X1 into the "Certificate data" field.

Or download them directly from the Let's Encrypt links that I pasted above.

After you have updated, re-issue any of your LE certificates (or all of them, to fix your services like HAproxy).
This will load the correct Authority from LE again and replace your just added custom Authority and the system should be good to go again.

When I do these steps, secure (https) updates work again, but only until the next reboot. After this reboot the errors are back again. Can I do something to make these 'stick'?
Sadly this still doesn't fix the problem - after reboot it comes back from the grave:

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 21.7.3_3 (amd64/OpenSSL) at Fri Oct  1 13:27:05 CEST 2021
Fetching changelog information, please wait... Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
4522656063488:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
2029010690048:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
2029010690048:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
2029010690048:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
2029010690048:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
2029010690048:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/latest/meta.txz: No address record
repository OPNsense has no meta file, using default settings
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
2029010690048:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
2029010690048:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

No use in trying to hack the /conf/config.xml as outlined by @mfedv at the top of this thread. After fully patching the CA reference all point to the correct LE R3 Cert. Something is deeply broken in the repository config.
@chemlud

Switched to LibreSSL, rebooted and:

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 21.7.3_3 (amd64/OpenSSL) at Fri Oct  1 13:53:06 CEST 2021
Fetching changelog information, please wait... Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
2368641363968:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
4369107513344:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
4369107513344:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
4369107513344:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
4369107513344:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
4369107513344:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
4369107513344:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/libressl/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
4369107513344:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
4369107513344:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
4369107513344:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/libressl/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

Made absolutely no difference. Suspect that something is deeply broken in the repository config. Although it seems I need to update the firmware first but cannot as I cannot connect to the repository.

I've ordered a Chicken and an Egg from Amazon, I'll let you know...
@chemlud

Thanks for your suggestion but it didn't help.

Recreated the LE Fullchain R3 Intermediate X1 Authority Cert as outlined earlier, and deleted the LE R3 Cert. Recreated the Web GUI Cert to reprime ACME.SH. Was then able to update the firmware to the LibreSSL Flavour.

Rebooted and tried another firmware update and:

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 21.7.3_3 (amd64/LibreSSL) at Fri Oct  1 14:07:17 CEST 2021
Fetching changelog information, please wait... Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
4034015752192:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: transfer timed out
Updating OPNsense repository catalogue...
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
455974096896:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
455974096896:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
455974096896:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
455974096896:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
455974096896:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
455974096896:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/libressl/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
455974096896:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
455974096896:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
455974096896:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/libressl/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

It made absolutely no difference. Again suspect something is deeply wrong with the repository configuration. Starting to dig into that. Setting back to OpenSSL as changing to LibreSSL made no difference.

By the way, found that repriming ACME.SH was not needed as I was able to check config status without repriming the authority certificates.

After reverting back to the OpenSSL Flavour and then resetting one of the ACME.SH certs to reprime the Authority Certificates and rebooting, the issue still comes back. Why on earth the repository seems to fall back on a long-dead cert that relies on the dead X3 Intermediate Authority is beyond my understanding at the moment. Very, very, very perplexed.
The certificate chain of pkg.opnsense.org changed recently.
They are now using a Sectigo Wildcard Certificate, so I'm wondering if you still have these issues.

OpenSSL Log:
openssl s_client -showcerts -connect pkg.opnsense.org:443


CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.opnsense.org
verify return:1
---
Certificate chain
0 s:CN = *.opnsense.org
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
3 s:CN = *.opnsense.org
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
---
Server certificate
subject=CN = *.opnsense.org

issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6925 bytes and written 393 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher    : ECDHE-RSA-CHACHA20-POLY1305
Session-ID: 4FD5FC0C24454A7799ACBEA546CF350C8F2BBF4084410D9E232E0908038D0EF7
Session-ID-ctx:
Master-Key: DDCFC5E40810A4CA39C66382D6DB3767BEEE1C41D805AA8DFD8478B5504679CD5BBA0B3C5AEC0D4F3694B23B7A4F5141
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)

Start Time: 1633093579
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---

Renewing their Let's Encrypt Certificate using the new Chain (not the android-compatible cross-signed one) would've worked too, but using a completely different Authority should fix this, too, of course.
@chemlud and Everyone,

Found my, self-inflicted, issue! :D

Had my own copy of acme.sh installed as /root/.acme.sh. As I was the developer for the acme.sh DNS01 MailinaBox DNSAPI, I used this copy during development of both the DNSAPI and the OPNsense glue code and content. Looks like that old configuration was being used instead of the OPNsense configured acme.sh.

Oh well, no good deed goes unpunished. Simply deleted this old directory at /root/.acme.sh and everything was right with the world.

For everyone else having issues after updating the Authority Certs to include a Fullchain Cert, then only to find the problem is resurrected after a reboot:

Check for and kill any stray copies of acme.sh you find and verify the Let's Encrypt config through OPNsense Web GUI.
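
Added example, not part of the thread: a POSIX shell/awk helper that summarises updater logs like the ones posted above. It reports which issuer CN failed verification, which tool and URL failed, and whether the repository catalogue still updated (as in the log taken after switching the mirror to http, where only the changelog fetch from https://pkg.opnsense.org failed). The function names and the output format are assumptions of this example.

```shell
#!/bin/sh
# Added example: summarise an OPNsense "check for updates" log read on stdin.
# Output records (tab-separated; format is this example's own):
#   issuer <count> <CN of the certificate that failed verification>
#   failed <tool> <host> <reason> <url>
#   catalogue ok|failed|unknown
triage_updater_log() {
    awk '
    BEGIN { marker = "Certificate verification failed for "; catalogue = "unknown" }
    {
        # The message can follow other text on the same line (see the
        # changelog line), so search for it anywhere in the line.
        i = index($0, marker)
        if (i > 0) {
            dn = substr($0, i + length(marker))
            n = split(dn, part, "/CN=")
            cn = (n > 1) ? part[n] : dn
            if (!(cn in issuers)) order[++seen] = cn
            issuers[cn]++
        }
    }
    # Lines such as "pkg: https://host/path: Authentication error"
    ($1 == "fetch:" || $1 == "pkg:") && $2 ~ /^https?:\/\// {
        tool = substr($1, 1, length($1) - 1)
        url = $2; sub(/:$/, "", url)
        host = url; sub(/^https?:\/\//, "", host); sub(/\/.*$/, "", host)
        reason = $0; sub(/^.*: /, "", reason)
        failed[++nfail] = "failed\t" tool "\t" host "\t" reason "\t" url
    }
    /repository update completed/ { catalogue = "ok" }
    /^Unable to update repository/ { catalogue = "failed" }
    END {
        for (k = 1; k <= seen; k++)
            printf "issuer\t%d\t%s\n", issuers[order[k]], order[k]
        for (k = 1; k <= nfail; k++) print failed[k]
        print "catalogue\t" catalogue
    }'
}

# Sample input: lines taken from the second log in the thread (shortened).
sample_log() {
    cat <<'EOF'
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 21.7.3_3 (amd64/OpenSSL) at Fri Oct  1 11:39:17 CEST 2021
Fetching changelog information, please wait... Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
6526875459584:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1915:
fetch: https://pkg.opnsense.org/FreeBSD:12:amd64/21.7/sets/changelog.txz.sig: Authentication error
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.txz: .......... done
OPNsense repository update completed. 767 packages processed.
***DONE***
EOF
}

sample_log | triage_updater_log
```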