+ Upgrade - no trusted public key found

SIdefix

Re: No trusted public keys found

I updated CE 2.6.0 to plus 22.01 just now and all looked like it worked fine.
The system shows 22.01

Issue:

• Dashboard shows: Unable to check for update
• Update page shows: only CE editions (2.6, downgrade and nightgly) as well as Unable to check for upgrades

Running the upgrade in shell throws the "no trusted public key found" error.
I followed the description here:

https://docs.netgate.com/pfsense/en/latest/troubleshooting/upgrades.html#upgrade-not-offered-library-errors

only way it could fix the error is to pull the keys from git with this:

fetch -qo /usr/local/share/pfSense/keys/pkg/trusted/ \
https://raw.githubusercontent.com/pfsense/pfsense/RELENG_2_4_5/src/usr/local/share/pfSense/keys/pkg/trusted/pkg.pfsense.org.20160406

Updates for CE now show again but it does not show any 22.xx updates.
I assume that something still points to the old CE repo and that pulling the CE keys simply helped connect back to it again.

Is there a way I can point it to the right repo?
How do I load the correct keys (assuming the + repo has a different key)?

Thanks a lot !

stephenw10

Hmm, after upgrading to 22.01 it should have pulled in the 22.01 pkgs including the pfSense-repo pkg with the Plus repo data in it. You should not see the CE branches listed.
Do you see that pkg being install in the upgrade logs?

Does it still show the Plus Upgrade branch?

SIdefix

@stephenw10 thanks for the reply.
The plus upgrade branch did not show post upgrade to plus. Only the CE branch.
Pulling the key from git only fixed the "can't check for updates error" but it did nothing to change the branches.

Somehow the upgrade worked but the branch was not changed. Question is how I can change the branch via Shell and apply the correct keys.

Any idea anyone?
(would like to avoid having to reinstall the entire FW )

stephenw10

What do you see from?:

pkg -d update

pkg info -x pfSense

SIdefix

@stephenw10 Thanks for the reply.

Here is the output:

pkg -d update
DBG(1)[81836]> pkg initialized
Updating pfSense-core repository catalogue...
DBG(1)[81836]> PkgRepo: verifying update for pfSense-core
DBG(1)[81836]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense-core.sqlite'
DBG(1)[81836]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_6_0_amd64                                          -core/meta.conf
DBG(1)[81836]> opening libfetch fetcher
DBG(1)[81836]> Fetch > libfetch: connecting
DBG(1)[81836]> Fetch: fetching from: https://pkg01-atx.netgate.com/pfSense_v2_6_                                          0_amd64-core/meta.conf with opts "i"
DBG(1)[81836]> Fetch: fetcher chosen: https
DBG(1)[81836]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_6_0_amd64                                          -core/packagesite.pkg
DBG(1)[81836]> opening libfetch fetcher
DBG(1)[81836]> Fetch > libfetch: connecting
DBG(1)[81836]> Fetch: fetching from: https://pkg01-atx.netgate.com/pfSense_v2_6_                                          0_amd64-core/packagesite.pkg with opts "i"
DBG(1)[81836]> Fetch: fetcher chosen: https
DBG(1)[81836]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_6_0_amd64                                          -core/packagesite.txz
DBG(1)[81836]> opening libfetch fetcher
DBG(1)[81836]> Fetch > libfetch: connecting
DBG(1)[81836]> Fetch: fetching from: https://pkg01-atx.netgate.com/pfSense_v2_6_                                          0_amd64-core/packagesite.txz with opts "i"
DBG(1)[81836]> Fetch: fetcher chosen: https
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
DBG(1)[81836]> PkgRepo: verifying update for pfSense
DBG(1)[81836]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense.sqlite'
DBG(1)[81836]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_6_0_amd64-pfSense_v2_6_0/meta.conf
DBG(1)[81836]> opening libfetch fetcher
DBG(1)[81836]> Fetch > libfetch: connecting
DBG(1)[81836]> Fetch: fetching from: https://pkg01-atx.netgate.com/pfSense_v2_6_0_amd64-pfSense_v2_6_0/meta.conf with opts "i"
DBG(1)[81836]> Fetch: fetcher chosen: https
DBG(1)[81836]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_6_0_amd64-pfSense_v2_6_0/packagesite.pkg
DBG(1)[81836]> opening libfetch fetcher
DBG(1)[81836]> Fetch > libfetch: connecting
DBG(1)[81836]> Fetch: fetching from: https://pkg01-atx.netgate.com/pfSense_v2_6_0_amd64-pfSense_v2_6_0/packagesite.pkg with opts "i"
DBG(1)[81836]> Fetch: fetcher chosen: https
DBG(1)[81836]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_6_0_amd64-pfSense_v2_6_0/packagesite.txz
DBG(1)[81836]> opening libfetch fetcher
DBG(1)[81836]> Fetch > libfetch: connecting
DBG(1)[81836]> Fetch: fetching from: https://pkg01-atx.netgate.com/pfSense_v2_6_0_amd64-pfSense_v2_6_0/packagesite.txz with opts "i"
DBG(1)[81836]> Fetch: fetcher chosen: https
pfSense repository is up to date.
All repositories are up to date.

pkg info -x pfSense
pfSense-2.6.0
pfSense-Status_Monitoring-1.7.11_4
pfSense-base-22.01
pfSense-default-config-22.01
pfSense-kernel-pfSense-22.01
pfSense-pkg-acme-0.7.3
pfSense-pkg-haproxy-0.61_7
pfSense-pkg-openvpn-client-export-1.6_9
pfSense-pkg-pfBlockerNG-devel-3.1.0_11
pfSense-pkg-suricata-6.0.4_1
pfSense-rc-22.01
pfSense-repo-2.6.0_8
pfSense-upgrade-1.0_15
php74-pfSense-module-0.76

FYI, screenshot of the update screen

stephenw10

Hmm, well it hasn't completed the upgrade correctly. There is a mix of 22.01 and 2.6 pkgs there.

Really it would be better to reinstall 2.6 clean and re-upgrade.

However you might be able to force install the 22.01 pfSense-repo pkg:

pkg add -f https://firmware-atx.netgate.com/pkg/pfSense_plus-v22_01_amd64-pfSense_plus_v22_01/All/pfSense-repo-22.01_5.pkg

Then select the 22.01 branch and upgrade any remaining packages.

Steve

SIdefix

@stephenw10
Thanks. The forced upgrade did not work unfortunately

pkg install -f https://firmware-atx.netgate.com/pkg/pfSense_plus-v22_01_amd64-pfSense_plus_v22_01/All/pfSense-repo-22.01_5.pkg
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
pkg: No packages available to install matching 'https://firmware-atx.netgate.com/pkg/pfSense_plus-v22_01_amd64-pfSense_plus_v22_01/All/pfSense-repo-22.01_5.pkg' have been found in the repositories

SIdefix

Went and re-installed CE 2.6 and upgraded fresh. Works now.
No idea what went wrong (I disabled pfblockerng this time before the upgrade.....not sure if that made the difference)

stephenw10

Nice. That was the better way to do it.

For reference I gave you the wrong command there which is why it failed. For a pkg from outside the configured repo you actually need to use 'pkg add'.

SIdefix

@stephenw10 will remember that for the next time