Pfsense 2.6 to plus. Unable to check

rcoleman-netgate

@antibiotic This shouldn't have anything to do with this. The local GUI Cert is not related to repo access.

Antibiotic

@rcoleman-netgate roger that))))

barnops

@rcoleman-netgate said in Pfsense 2.6 to plus. Unable to check:

@antibiotic This shouldn't have anything to do with this. The local GUI Cert is not related to repo access.

But for the record, I did.
It didn't solve anything.

barnops

This post is deleted!

barnops

@barnops Also, interesting that the validity dates on this cert are expired.

openssl x509 -in /etc/ssl/pfSense-repo-custom.cert -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7f:c3:e5:________________________:45:83:59:5a:08
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = Texas, L = Austin, O = "Rubicon Communications, LLC (Netgate)", OU = ProdTrack CA, CN = ProdTrack CA
Validity
Not Before: Mar 10 19:01:29 2023 GMT
Not After : Mar 11 07:01:29 2023 GMT

JeGr

Perhaps related: since a reboot this morning I don't get any package repos with the following errors:

...shortened...

Updating pfSense repository catalogue...
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
35160031232:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
35160031232:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
35160031232:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
35160031232:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
35160031232:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
35160031232:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://pfsense-plus-pkg00.atx.netgate.com/pfSense_plus-v23_01_amd64-pfSense_plus_v23_01/meta.txz: Authentication error
repository pfSense has no meta file, using default settings
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
35160031232:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
35160031232:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
35160031232:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://pfsense-plus-pkg00.atx.netgate.com/pfSense_plus-v23_01_amd64-pfSense_plus_v23_01/packagesite.pkg: Authentication error
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
35160031232:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
35160031232:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
35160031232:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBSD-src-plus-RELENG_23_01/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://pfsense-plus-pkg00.atx.netgate.com/pfSense_plus-v23_01_amd64-pfSense_plus_v23_01/packagesite.txz: Authentication error
Unable to update repository pfSense
Error updating repositories!

barnops

Looks like whatever was going wrong was resolved this morning.
I am now able to pull the update version.

But wasn't it a requirement to swap to 22.01 first when upgrading from CE to Plus?
Now 23.01 is listed when going from 2.6.0.

barnops

@barnops said in Pfsense 2.6 to plus. Unable to check:

Looks like whatever was going wrong was resolved this morning.
I am now able to pull the update version.

But wasn't it a requirement to swap to 22.01 first when upgrading from CE to Plus?
Now 23.01 is listed when going from 2.6.0.

Seems like it updated properly to 23.01 with no ill effects:
Removing unnecessary packages... done.
Cleanup pkg cache... done.
pfSense 23.01-RELEASE amd64 Fri Feb 10 20:06:33 UTC 2023
Bootup complete

So what ended up being the issue?

Antibiotic

Again unable to check available packages. Please fix it!
Updating pfSense-core repository catalogue...
pkg: pkg00.atx.netgate.com/pfSense_plus-v23_01_amd64-core/meta.txz: Bad Request
repository pfSense-core has no meta file, using default settings. Trying entering to https://pfsense-plus-pkg00.atx.netgate.com/ from browser and result: 400 Bad Request
No required SSL certificate was sent
nginx.

Antibiotic

Solution : rm /usr/local/share/pfSense/pkg/repos/pfSense-repo-custom.*

JeGr

@antibiotic said in Pfsense 2.6 to plus. Unable to check:

Solution : rm /usr/local/share/pfSense/pkg/repos/pfSense-repo-custom.*

Randomly deleting repository files isn't really a "solution". That seems more like a thing, that was working for you, but the repos are set from changing/setting the release path in the update screen.

rcoleman-netgate

@jegr said in Pfsense 2.6 to plus. Unable to check:

Randomly deleting repository files isn't really a "solution". That seems more like a thing, that was working for you, but the repos are set from changing/setting the release path in the update screen.

That is in our redmine, however, as a workaround.

Siman

same issue... come one netgate, do your job... Just saying PFS+ is supposed to be the payed for tier, and I got customers running it...

rcoleman612

@siman said in Pfsense 2.6 to plus. Unable to check:

same issue... come one netgate, do your job... Just saying PFS+ is supposed to be the payed for tier, and I got customers running it...

If you're a paying customer have you bothered to open a ticket with TAC?
https://go.netgate.com/

Siman

@picturetaker Customers haven't called me yet. I run it at home in lab form, if I get called and Im working for them I would open one. Can't do anything if I'm not representing them.

CuOptik

I just went through a similar situation. I installed pfSense 2.6 on a new machine and everything looked fine. I then upgraded to pfSense+ v23.01. The upgrade looked fine and the machine was working. However, when I went to install other packages, I received the "no packages available" message. Going into a shell via SSH to update packages did not work and I also got the "bad request" error when trying that.

The work-around solution that worked for me was to clean up the custom repo info in /usr/local/share/pfSense/pkg/. Apparently, the upgrade from 2.6 to 23.01 is leaving some 2.6 info in the folder which then causes authentication/access issues when trying to get to the 23.01 repos.

There is a write-up of the issue (and the manual work-around) at https://redmine.pfsense.org/issues/14137

86b

I just wanted to pop in and say that I was also running into a "Bad Request" issue just now on 23.01 when trying to run pkg update and I was able to resolve this by plopping in my Register key via the UI. I was going through some troubleshooting last week with pfSense support and during the re-issuing of Plus certs it must have wiped the Registration key somewhere along the way. I was upgrading from 2.7.x CE to 23.01 Plus.