To 23.05 or not ? that is the question :)

mvikman

Non-Netgate hardware updated first from 23.01 to 23.05 RCs up to 23.05.r.20230519.0600.
After seeing some problems with r.20230522.1252 changed branch back to "Current Stable 23.01" and waited for "Current Stable 23.05" to become available.
No problems updating to 23.05 Release, though I'm not running any special packages.

4o4rh

@mvikman create a backup and download a local copy in case you have to do a full reinstall.

when you kick off, go have coffee. the rebooting in 10s is way understated in my experience. needed 2-3min before the reboot, and then you still have a minute or so for the update to run

mvikman

@gwaitsi I save the config file to my pc everytime I make changes.
I always do a reboot before upgrade and I follow reboots/upgrades from console(display).
I also have a backup pfsense box that I can swap in to use if the main one dies.

RobbieTT

Updated my 6100 Max:

• Backed-up config
• Set a ZFS Boot Environment snapshot
• Pre-booted
• Clicked on the update icon
• Auto rebooted with zero issues

So yes, I left all packages in place and other than setting backups (thankfully not needed) and the pre-booting I did nothing more than allow pfSense to sort it all out. Which it did.

️

psp

Upgraded successfully here, XG-1537 in HA. First the backup unit, then the master.
Using pfBlockerNG and zabbix-agent6.

SteveITS

@chudak One patch so far, for the bleeding-edgers :)
https://forum.netgate.com/topic/180313/firewall-alias-import-bug-after-upgrade-to-23-05-release-amd64

tman222

Successfully upgraded two systems (one Xeon D based Supermicro unit and one Intel i3 custom build) from 23.01 to 23.05. Overall, the upgrade went smooth and was fairly quick on both systems.

A minor issue was that both systems ran into the certificate error the first time when trying to upgrade (as has been documented in other threads already), but flipping the Branch back to 23.01 and then forward to 23.05 again under System -> Update allowed the upgrade to proceed the second time.

Very excited to see IPsec Multi-Buffer (IPsec-MB) Cryptographic Acceleration being added in this release as well as a formal pfSense package for udpbroadcastrelay.

A big Thank You to everyone who contributed to this release for all hard work and effort.

JonathanLee

@chudak pull the trigger . . . upgrade, it was so smooth for me.

Cylosoft

We did about a dozen boxes. Went great. No issues at all. Hoping the syslog-ng issue gets sorted out soon so we can do a bunch more.

JonathanLee

@Cylosoft I updated my little SG-2100MAX I got to learn with in school with and it was like a hot knife in butter in a butter bell. Just smooth. I was impressed versus the 21.01 update that one well it had some problems.

sgw

Any 7100 done already?

And yes: thanks to everyone who contributed to this new release!

chudak

@keyser

That was very useful, thx!
I got that too

>>> Updating repositories metadata... 
Updating pfSense-core repository catalogue...
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
34938040320:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-master-main/sources/FreeBSD-src-plus-devel-main/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
34938040320:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-master-main/sources/FreeBSD-src-plus-devel-main/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
34938040320:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-master-main/sources/FreeBSD-src-plus-devel-main/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
34938040320:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-master-main/sources/FreeBSD-src-plus-devel-main/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg-static: https://pfsense-plus-pkg00.atx.netgate.com/pfSense_plus-v23_05_amd64-core/meta.txz: Authentication error
repository pfSense-core has no meta file, using default settings
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
34938040320:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-master-main/sources/FreeBSD-src-plus-devel-main/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
34938040320:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-master-main/sources/FreeBSD-src-plus-devel-main/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg-static: https://pfsense-plus-pkg00.atx.netgate.com/pfSense_plus-v23_05_amd64-core/packagesite.pkg: Authentication error
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
34938040320:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-master-main/sources/FreeBSD-src-plus-devel-main/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
34938040320:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-master-main/sources/FreeBSD-src-plus-devel-main/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg-static: https://pfsense-plus-pkg00.atx.netgate.com/pfSense_plus-v23_05_amd64-core/packagesite.txz: Authentication error
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
34938040320:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-master-main/sources/FreeBSD-src-plus-devel-main/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
34938040320:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-master-main/sources/FreeBSD-src-plus-devel-main/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
34938040320:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-master-main/sources/FreeBSD-src-plus-devel-main/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
34938040320:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-master-main/sources/FreeBSD-src-plus-devel-main/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg-static: https://pfsense-plus-pkg00.atx.netgate.com/pfSense_plus-v23_05_amd64-pfSense_plus_v23_05/meta.txz: Authentication error
repository pfSense has no meta file, using default settings
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
34938040320:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-master-main/sources/FreeBSD-src-plus-devel-main/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
34938040320:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-master-main/sources/FreeBSD-src-plus-devel-main/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg-static: https://pfsense-plus-pkg00.atx.netgate.com/pfSense_plus-v23_05_amd64-pfSense_plus_v23_05/packagesite.pkg: Authentication error
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
34938040320:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-master-main/sources/FreeBSD-src-plus-devel-main/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.atx.netgate.com
34938040320:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-Plus-snapshots-master-main/sources/FreeBSD-src-plus-devel-main/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg-static: https://pfsense-plus-pkg00.atx.netgate.com/pfSense_plus-v23_05_amd64-pfSense_plus_v23_05/packagesite.txz: Authentication error
Unable to update repository pfSense
Error updating repositories!
ERROR: It was not possible to determine pfSense-upgrade remote version
ERROR: It was not possible to determine pfSense-upgrade remote version
>>> Upgrading pfSense-upgrade... failed.

johan333

Updated from 23.01 to 23.05 on two model 2100 units. One went smooth and the other I got the certificate failure, so I followed @keyser post and successfully upgraded the other. It may be premature as the upgrade happened only 6 hours ago, but it looks like the memory leak issue has been resolved.

Note: upgraded to 23.01 on 4-13-23

mer

@Gertjan said in To 23.05 or not ? that is the question :):

pfSense 23.05 on a 4100 : it was a click, a coffee, and done.

This made me laugh and think "The way all upgrades should be. No issues but long enough to have a coffee"

PhlMike

I had gotten hit with the cert issues on my SG3100 running 23.01 when I first tried. So I found a quick ssh fix on here and I upgraded just fine. No issues so far. I have a fairly complex config.

That was my home firewall.

The other triple digit worth of work firewalls, I'm going to wait a little bit. we'll see if there is a 23.05.1 or something.

terryzb

On my home 2100 I saved a config locally, pre-booted, then via the console attempted to update but was stopped by the certificate error. Searching in the Upgrades forum here I followed the advice to swap the update branch back and forth. Did another pre-boot, then updated via console went fine. Less than 10 minutes on the 2100. Did a post-install reboot for good measure. I did not uninstall pfBlockerNG or Avahi first. So far so good.

johnpoz

I just ran into that "SSL routines:tls_process_server_certificate:certificate verify failed" error as well updating my sg4860.. A toggle in the update from 23.05 to 23.01 and then back cleared the error and update worked without issue.

I would always suggest if on a netgate appliance you get the new image from them just in case when doing an upgrade. They took 1 whole minute to answer my ticket and provide a link to download..

if not appliance then make sure you have a copy of the CE you can use if the worse case scenario happens..

Always better to be prepared then getting caught with pants down, and your router being down makes it kind of hard to download images ;)

Had my install media just in case
Took my config backups - again just in case
Connected to serial so could watch progress.
Clicked confirm on update - approx 13 minutes latter I was logging in to gui.
So far all looks good.. All packages updated, I didn't uninstall them before hand.
My HE tunnel is up, my vpn tunnel is up, I show vpn server running, my tailscale shows good.. Still need to test connections for those - but don't foresee any issues.

Packages like pfblocker, haproxy, freerad all seem to be working just fine.

Other then the slight little blimp with the verify cert thing, looks like another smooth and simple upgrade. I like the new package capture features - those will come in handy for sure. And will have to test the new L2 filtering - that seems interesting, and a long wished for option from many users.

Gertjan

@johnpoz
Except for the haproxy, I had exactly that experience.
I saw the "SSL routines:tls_process_server_certificate:certificate verify failed" thing, but, thanks, forum, that was gone after forcing a branch switch twice.

And thanks to the gigabit fiber connection, downloading was way faster as upgrading.
The entire processes took a cope of minutes.

@johnpoz said in To 23.05 or not ? that is the question :):

pants down

I was trusting plan Zfs (snapshot).

RobbieTT

@johnpoz said in To 23.05 or not ? that is the question :):

I would always suggest if on a netgate appliance you get the new image from them just in case when doing an upgrade. They took 1 whole minute to answer my ticket and provide a link to download..

Always better to be prepared then getting caught with pants down...

The Netgate support is quick for sure but they probably would not be if all the 'worried well' hit them for images as a matter of routine come update time.

I'd be concerned that Netgate Tac Team could become overwhelmed just when we need them to be at their best.

I appreciate that this is coming from someone who experienced a flawless update with my 6100 and that things always feel very different when you have an unexpected issue.

️

johnpoz

@RobbieTT said in To 23.05 or not ? that is the question :):

if all the 'worried well' hit them for images as a matter of routine come update time.

true - I ran into this once, new update had just dropped.. And took them like 23 minutes ;)

That is why you don't plan on asking for the image 5 minutes before you plan on doing the update.. I knew I wasn't going to run the update til this weekend.. So had plenty of time to get the image.. Even if they took awhile..

Kind of miss the days where you could just login and grab image any time you wanted to be honest.. But I am a self help sort of person, and don't really like having to count on someone else to get stuff done ;)

btw - just checked my phone vpn in both openvpn and tailscale - both working just fine using cell network as connection.