Pfsense 2.6 to plus. Unable to check
-
@antibiotic said in Pfsense 2.6 to plus. Unable to check:
Please fix this issue as I'm check on forum it happened sometimes. Did install fresh copy of pfsense 2.6 and unlucky now))) , to upgrade. Error:Could not load client certificate /etc/ssl/pfSense-repo-custom.cert
pkg: https://pfsense-plus-pkg01.atx.netgate.com/pfSense_plus-v23_01_amd64-core/meta.txz: Authentication error
repository pfSense-core has no meta file, using default settingsSame.
1 week ago I upgraded a firewall from 2.6 to Plus, then to 23.01.
Today I went to upgrade a 2nd firewall and am encountering this issue...so it cropped up sometime in the last 7 days.
I first factory reset and attempted the update prior to restoring my backup.First "Could not load client certificate...."
I remedied this by copying the cert and KEY from the working firewall.Now I am presented with:
Updating pfSense-core repository catalogue...
pkg-static: https://pfsense-plus-pkg00.atx.netgate.com/pfSense_plus-v23_01_amd64-core/meta.txz: Bad Request
repository pfSense-core has no meta file, using default settings
pkg-static: https://pfsense-plus-pkg00.atx.netgate.com/pfSense_plus-v23_01_amd64-core/packagesite.pkg: Bad Request
pkg-static: https://pfsense-plus-pkg00.atx.netgate.com/pfSense_plus-v23_01_amd64-core/packagesite.txz: Bad Request
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg-static: https://pfsense-plus-pkg00.atx.netgate.com/pfSense_plus-v23_01_amd64-pfSense_plus_v23_01//meta.txz: Bad Request
repository pfSense has no meta file, using default settings
pkg-static: https://pfsense-plus-pkg00.atx.netgate.com/pfSense_plus-v23_01_amd64-pfSense_plus_v23_01//packagesite.pkg: Bad Request
pkg-static: https://pfsense-plus-pkg00.atx.netgate.com/pfSense_plus-v23_01_amd64-pfSense_plus_v23_01//packagesite.txz: Bad Request
Unable to update repository pfSense
Error updating repositories!If I run "pkg bootstrap -f" I get this back:
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+https://pfsense-plus-pkg.netgate.com/pfSense_plus-v23_01_amd64-pfSense_plus_v23_01/, please wait...
pkg: Error fetching https://pfsense-plus-pkg.netgate.com/pfSense_plus-v23_01_amd64-pfSense_plus_v23_01//Latest/pkg.txz: Bad Request
A pre-built version of pkg could not be found for your system.
Consider changing PACKAGESITE or installing it from ports: 'ports-mgmt/pkg'.I can't update to Plus, and therefore can't upgrade to 23.01.....very annoying.
-
@barnops what do you get when you do
pfSense-upgrade -c
-
@rcoleman-netgate said in Pfsense 2.6 to plus. Unable to check:
@barnops what do you get when you do
pfSense-upgrade -c
When set to the pfSense Plus Upgrade branch:
>>> Updating repositories metadata... failed.
ERROR: Unable to compare version of pfSense-repoWhen set to the Stable (2.6) branch:
>>> Updating repositories metadata... done.
Your system is up to date -
@barnops Did you try my tip with web configurator certificate renewing?
-
@antibiotic This shouldn't have anything to do with this. The local GUI Cert is not related to repo access.
-
@rcoleman-netgate roger that))))
-
@rcoleman-netgate said in Pfsense 2.6 to plus. Unable to check:
@antibiotic This shouldn't have anything to do with this. The local GUI Cert is not related to repo access.
But for the record, I did.
It didn't solve anything. -
This post is deleted! -
@barnops Also, interesting that the validity dates on this cert are expired.
openssl x509 -in /etc/ssl/pfSense-repo-custom.cert -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7f:c3:e5:________________________:45:83:59:5a:08
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = Texas, L = Austin, O = "Rubicon Communications, LLC (Netgate)", OU = ProdTrack CA, CN = ProdTrack CA
Validity
Not Before: Mar 10 19:01:29 2023 GMT
Not After : Mar 11 07:01:29 2023 GMT -
Perhaps related: since a reboot this morning I don't get any package repos with the following errors:
...shortened... Updating pfSense repository catalogue... Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com 35160031232:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921: Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com 35160031232:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921: Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com 35160031232:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921: Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com 35160031232:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921: Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com 35160031232:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921: Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com 35160031232:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921: pkg: https://pfsense-plus-pkg00.atx.netgate.com/pfSense_plus-v23_01_amd64-pfSense_plus_v23_01/meta.txz: Authentication error repository pfSense has no meta file, using default settings Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com 35160031232:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921: Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com 35160031232:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921: Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com 35160031232:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921: pkg: https://pfsense-plus-pkg00.atx.netgate.com/pfSense_plus-v23_01_amd64-pfSense_plus_v23_01/packagesite.pkg: Authentication error Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com 35160031232:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921: Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com 35160031232:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921: Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com 35160031232:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921: pkg: https://pfsense-plus-pkg00.atx.netgate.com/pfSense_plus-v23_01_amd64-pfSense_plus_v23_01/packagesite.txz: Authentication error Unable to update repository pfSense Error updating repositories!
-
Looks like whatever was going wrong was resolved this morning.
I am now able to pull the update version.But wasn't it a requirement to swap to 22.01 first when upgrading from CE to Plus?
Now 23.01 is listed when going from 2.6.0. -
@barnops said in Pfsense 2.6 to plus. Unable to check:
Looks like whatever was going wrong was resolved this morning.
I am now able to pull the update version.But wasn't it a requirement to swap to 22.01 first when upgrading from CE to Plus?
Now 23.01 is listed when going from 2.6.0.Seems like it updated properly to 23.01 with no ill effects:
Removing unnecessary packages... done.
Cleanup pkg cache... done.
pfSense 23.01-RELEASE amd64 Fri Feb 10 20:06:33 UTC 2023
Bootup completeSo what ended up being the issue?
-
Again unable to check available packages. Please fix it!
Updating pfSense-core repository catalogue...
pkg: pkg00.atx.netgate.com/pfSense_plus-v23_01_amd64-core/meta.txz: Bad Request
repository pfSense-core has no meta file, using default settings. Trying entering to https://pfsense-plus-pkg00.atx.netgate.com/ from browser and result: 400 Bad Request
No required SSL certificate was sent
nginx. -
Solution : rm /usr/local/share/pfSense/pkg/repos/pfSense-repo-custom.*
-
@antibiotic said in Pfsense 2.6 to plus. Unable to check:
Solution : rm /usr/local/share/pfSense/pkg/repos/pfSense-repo-custom.*
Randomly deleting repository files isn't really a "solution". That seems more like a thing, that was working for you, but the repos are set from changing/setting the release path in the update screen.
-
@jegr said in Pfsense 2.6 to plus. Unable to check:
Randomly deleting repository files isn't really a "solution". That seems more like a thing, that was working for you, but the repos are set from changing/setting the release path in the update screen.
That is in our redmine, however, as a workaround.
-
same issue... come one netgate, do your job... Just saying PFS+ is supposed to be the payed for tier, and I got customers running it...
-
@siman said in Pfsense 2.6 to plus. Unable to check:
same issue... come one netgate, do your job... Just saying PFS+ is supposed to be the payed for tier, and I got customers running it...
If you're a paying customer have you bothered to open a ticket with TAC?
https://go.netgate.com/ -
@picturetaker Customers haven't called me yet. I run it at home in lab form, if I get called and Im working for them I would open one. Can't do anything if I'm not representing them.
-
I just went through a similar situation. I installed pfSense 2.6 on a new machine and everything looked fine. I then upgraded to pfSense+ v23.01. The upgrade looked fine and the machine was working. However, when I went to install other packages, I received the "no packages available" message. Going into a shell via SSH to update packages did not work and I also got the "bad request" error when trying that.
The work-around solution that worked for me was to clean up the custom repo info in /usr/local/share/pfSense/pkg/. Apparently, the upgrade from 2.6 to 23.01 is leaving some 2.6 info in the folder which then causes authentication/access issues when trying to get to the 23.01 repos.
There is a write-up of the issue (and the manual work-around) at https://redmine.pfsense.org/issues/14137