Netgate Discussion Forum

    Solved: Can't update bogons on a 2.4.5-p1 (cert expired)

    General pfSense Questions
      bingo600 @Gertjan

      @gertjan
      That won't work with the "Auto update of bogons"
      They don't specify any cert file.

      You will have to edit the cert file or (imho better) symlink to the file the other programs use.

      /Bingo

      If you find my answer useful - Please give the post a 👍 - "thumbs up"

      pfSense+ 23.05.1 (ZFS)

      QOTOM-Q355G4 Quad Lan.
      CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
      LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

        Gertjan @bingo600

        @bingo600 said in Solved: Can't update bogons on a 2.4.5-p1 (cert expired):

        That won't work with the "Auto update of bogons"
        They don't specify any cert file.

        Correct - this won't help the update script(s).
        Far better is correcting the needed files.

        I posted the extra part "--ca-cert=/usr/local/share/certs/ca-root-nss.crt" so files could get loaded.
        The /usr/local/share/certs/ca-root-nss.crt should be corrected manually, as more root certificates will expire in the future.

        Btw : even when MS updates for Windows XP stopped many years ago, there were still updates : the files with system trusted certs.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

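One way to check a CA bundle such as /usr/local/share/certs/ca-root-nss.crt for roots that have expired or will expire soon, as raised in the post above. This is an added example, not part of the original thread; the function names and the constructed test certificates are assumptions, and it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example: list certificates in a PEM bundle that are expired or
# expire within a given window. Requires the openssl CLI.

# audit_ca_bundle BUNDLE [WINDOW_SECONDS]
# Prints "subject notAfter" for every flagged certificate.
# Returns 0 if nothing is flagged, 1 if anything is, 2 on setup error.
audit_ca_bundle() {
    bundle=$1
    window=${2:-0}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    tmp=$(mktemp -d) || return 2
    # Split into one file per certificate: openssl x509 reads only the
    # first certificate of its input. Text between PEM blocks is skipped.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%05d.pem", dir, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$bundle"
    bad=0
    for c in "$tmp"/*.pem; do
        [ -e "$c" ] || continue
        # -checkend N exits non-zero when notAfter is within N seconds.
        if ! openssl x509 -in "$c" -noout -checkend "$window" >/dev/null 2>&1; then
            bad=$((bad + 1))
            openssl x509 -in "$c" -noout -subject -enddate | paste -s -d ' ' -
        fi
    done
    rm -rf "$tmp"
    [ "$bad" -eq 0 ]
}

# Constructed sample input: two self-signed certificates with throwaway
# keys, one valid for 1 day and one for 10 years. Echoes the bundle path.
make_constructed_bundle() {
    sample=$(mktemp) || return 2
    for spec in constructed-short:1 constructed-long:3650; do
        openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
            -subj "/CN=${spec%%:*}" -days "${spec##*:}" >>"$sample" 2>/dev/null
    done
    echo "$sample"
}

if [ "$#" -gt 0 ]; then
    audit_ca_bundle "$@" || echo "review the certificates listed above"
else
    demo=$(make_constructed_bundle)
    # 30-day window: only the constructed 1-day certificate is reported.
    audit_ca_bundle "$demo" 2592000 || echo "review the certificates listed above"
    rm -f "$demo"
fi
```

Run it with a bundle path and no window to list only roots that have already expired; add a window in seconds to see what will expire next.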
          JeGr LAYER 8 Moderator @Gertjan

          @gertjan said in Solved: Can't update bogons on a 2.4.5-p1 (cert expired):

          Btw : even when MS updates for Windows XP stopped many years ago, there were still updates : the files with system trusted certs.

          Yes, but you would only need that if you would stay in 2.4.5 - which isn't the normal/desired outcome, as - especially with a security product - we should update to the next stable version. So expiration of other CAs would only hit if you'd stay with 2.4.5 which isn't recommended / supported anyways and in 2.5.2 (latest current stable) the CA file should already be correct.

          Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

          If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

            johnpoz LAYER 8 Global Moderator @JeGr

            I concur with @jegr here - the actual solution to the problem is getting the pfsense current.

            While updating the CAs trusted is a temp solution to a specific problem, it is only a stopgap measure at best.

            To be honest my bogon being a bit dated is least of my worries on my older pfsense installs, that yes need to be updated when can actually get into the office, etc.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

              bingo600 @JeGr

              @jegr
              I'm not planning on staying on 2.4.5-p1 forever.
              But given the "first track record" of the 2.5.x systems , i decided to wait a bit.
              Ie. the early unbound issues would have been a "killer".

              I do have one test site running 2.5.2 wo. any issues, it "just upgraded" ....
              AKA keeps the L2L connection up wo. any dropouts.
              But it doesn't see any load or usage, it's just a "passive system" at my desk.

              But on the "Job" i have 1 Central pfSense and 6 remote (openvpn) L2L coupled sites.

              My sites are spread around the world, and it would be a "Major issue" if they went down.
              I have a "Cold spare" on my two most urgent sites, but they "never" found the time to upgrade the pfSense OS with me, o the "secondary". That is purely "manager politics", that i try to get around, but haven't succeeded yet.
              So the failover systems aren't up to it. 😠

              My central unit has 1:1 (alias) NAT to several public "outside" IP's , and i'm a bit worried about that. I read that there was some NAT issues with 2.5.x , but maybe 2.5.2 has solved it , i don't know yet.
              Any hints here ?.

              I have a "Central Cold spare" i could wipe & install 2.5.2 on , and then give it the 2.4.5-p1 config. But i will "Not get a prize" if it doesn't work, even if it's just for 4..6 hours.

              /Bingo

                johnpoz LAYER 8 Global Moderator @bingo600

                @bingo600 said in Solved: Can't update bogons on a 2.4.5-p1 (cert expired):

                But i will "Not get a prize" if it doesn't work, even if it's just for 4..6 hours.

                haha - I hear ya.. But you might be finding a new job ;)

                While your solution is good - I personally would have just disabled bogon if was having issues with it. While sure it's the "right" thing to do blocking it, in the big picture is not high on the list of security things to make sure you're blocking..

                  bingo600 @johnpoz

                  @johnpoz
                  Bogon's was for my own 2 pfSenses 😊
                  And a ... I'm not giving up kinda moment.
                  I haven't even bothered implementing that "trick" on the Job ones ....

                  I have 2 x 240GB Samsung EVO-870 SSD disks , just waiting for me to install in the "home/summerhouse" pfSenses, along w. ZFS & 2.5.2.
                  I chose 240G because i plan to use ZFS snapshots for real, on 2.5.2.

                  I just have to find the right time, we're streaming TV here ....
                  And if you thought i was nervous of the "Job Boss" ...
                  That's nothing compared to the "Real BOSS" 👰 😧

                  And when done "home" , the one in the summerhouse is next.

                    JeGr LAYER 8 Moderator @bingo600

                    @bingo600 said in Solved: Can't update bogons on a 2.4.5-p1 (cert expired):

                    And a ... I'm not giving up kinda moment.
                    I haven't even bothered implementing that "trick" on the Job ones ....

                    I appreciate it! I have some 2.4.5 systems in the wild myself that customers aren't able to update right now and those had rising numbers of dead/zombie processes (dying bogon procs) that we were able to fix that way - so thumbs up from me for the fact finding mission 😄

                      johnpoz LAYER 8 Global Moderator @JeGr

                      @jegr said in Solved: Can't update bogons on a 2.4.5-p1 (cert expired):

                      rising numbers of dead/zombie processes (dying bogon procs)

                      Hmmm - interesting.. Curious bogon believe is only supposed to update every 30 days.. How many did they have? I wonder if it fails it starts hammering looking to work more often than once every 30 days.

                      I just looked at 1 of my older installs

                      52 processes: 1 running, 50 sleeping, 1 zombie

                        bingo600 @johnpoz

                        @johnpoz
                        They seem to "never die/timeout"
                        So you'll accumulate for each month , and if you try to update manual that'll also start an additional.

                        Can't remember if each try starts 3 processes.
                        The php master + the fetch + "i think another"

                        /Bingo

                          bingo600 @JeGr

                          @jegr said in Solved: Can't update bogons on a 2.4.5-p1 (cert expired):

                          @bingo600 said in Solved: Can't update bogons on a 2.4.5-p1 (cert expired):

                          And a ... I'm not giving up kinda moment.
                          I haven't even bothered implementing that "trick" on the Job ones ....

                          I appreciate it! I have some 2.4.5 systems in the wild myself that customers aren't able to update right now and those had rising numbers of dead/zombie processes (dying bogon procs) that we were able to fix that way - so thumbs up from me for the fact finding mission 😄

                          Glad to be able to give a little back 😊

                          And ...
                          Now i know that to tomorrow on the job for 7 firewalls 😕
                          Done ....

                          And home fwall 😊
                          Fresh install w. ZFS , and config restore, only one minor "quirk"
                          iftop didn't install , but the pkgmgr. was informing about that 👍

                          /Bingo

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.