Blade update fails with "Could not establish SSL connection to secureupdates.checkpoint.com. Problem with local certificate" on versions lower than R80
Symptoms
  • Blade updates show the error: Could not establish SSL connection to "secureupdates.checkpoint.com". Problem with local certificate.
  • The following certificate error appears when trying to reach "secureupdates.checkpoint.com":
    # curl_cli -v --cacert $CPDIR/conf/ca-bundle.crt https://updates.checkpoint.com
    * About to connect() to updates.checkpoint.com port 443 (#0)
    * Trying 23.41.185.155... connected
    * Connected to updates.checkpoint.com (23.41.185.155) port 443 (#0)
    * successfully set certificate verify locations:
    * CAfile: /opt/CPshrd-R76/conf/ca-bundle.crt
    CApath: none
    * *** Current date is: Mon Jun 15 15:08:15 2020
    * SSLv3, TLS handshake, Client hello (1):
    * err is -1, detail is 2
    * *** Current date is: Mon Jun 15 15:08:15 2020
    * SSLv3, TLS handshake, Server hello (2):
    * err is -1, detail is 2
    * *** Current date is: Mon Jun 15 15:08:15 2020
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS alert, Server hello (2):
    * err is -1, detail is 1
    * errdetail=0x14090086
    ERR_lib_error_string: SSL routines
    ERR_func_error_string: SSL3_GET_SERVER_CERTIFICATE
    ERR_reason_error_string: certificate verify failed
    ERR_error_string: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    * SSL certificate problem, verify that the CA cert is OK.
    Verify that current date is correctly configured and matches the certificate's dates.
    Details:
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    * Closing connection #0
    curl: (60) SSL certificate problem, verify that the CA cert is OK.
    Verify that current date is correctly configured and matches the certificate's dates.
    Details:
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    More details here: http://curl.haxx.se/docs/sslcerts.html
    
    curl performs SSL certificate verification by default, using a "bundle"
    of Certificate Authority (CA) public keys (CA certs). If the default
    bundle file isn't adequate, you can specify an alternate file
    using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
    the bun
  • The "GlobalSign Root CA - R3" root CA is not present in the CA bundle. This can be confirmed with the following command:
    # grep "GlobalSign Root CA - R3" $CPDIR/conf/ca-bundle.crt
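
The trace and the grep check above can be combined into one triage step that separates a missing root CA from the clock problem that curl's message also points to. This is an added example, not Check Point code; the function names, verdict strings and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Check Point code): triage a saved `curl_cli -v` trace
# against a CA bundle. Function names and sample files are constructed.

# CAfile path recorded in the trace ("* CAfile: /path").
trace_cafile() { sed -n 's/^[* ]*CAfile: *//p' "$1" | head -n 1; }

# Clock value the client logged during the handshake.
trace_date() { sed -n 's/^.*Current date is: *//p' "$1" | head -n 1; }

# Same test as the page's grep: looks for the CA's text label in the bundle.
# -F matches the name literally; a bundle without label lines would not match.
bundle_has_ca() { grep -qF -- "$2" "$1"; }

# Usage: triage TRACE BUNDLE CA_NAME -> prints one verdict word.
triage() {
    if ! grep -q 'certificate verify failed' "$1"; then
        echo no-verify-failure
    elif [ ! -r "$2" ]; then
        echo bundle-unreadable
    elif bundle_has_ca "$2" "$3"; then
        echo ca-present-check-clock   # label found: compare trace_date with real time
    else
        echo ca-missing               # the case this article describes
    fi
}

# Constructed sample inputs: trace lines copied from the output above, and two
# label-only stand-ins for a bundle (no real certificate data).
demo_dir=$(mktemp -d)
cat > "$demo_dir/trace.txt" <<'EOF'
*   CAfile: /opt/CPshrd-R76/conf/ca-bundle.crt
* *** Current date is: Mon Jun 15 15:08:15 2020
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
EOF
printf 'Constructed Example Root\n========================\n' > "$demo_dir/old.crt"
printf 'GlobalSign Root CA - R3\n=======================\n' > "$demo_dir/new.crt"

ca="GlobalSign Root CA - R3"
echo "bundle used:  $(trace_cafile "$demo_dir/trace.txt")"
echo "client clock: $(trace_date "$demo_dir/trace.txt")"
echo "old bundle:   $(triage "$demo_dir/trace.txt" "$demo_dir/old.crt" "$ca")"
echo "new bundle:   $(triage "$demo_dir/trace.txt" "$demo_dir/new.crt" "$ca")"
```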

Cause
The certificate of "updates.checkpoint.com" was changed in May 2020, and is by default not trusted by Gateways running versions lower than R80.

