Upgrade to 2.7 certificate error
-
I attempted to upgrade from 2.6 to 2.7 via ssh and the gui no longer works. My box is remote so it's a bit hard to re-install / restore. Was hoping to be able to fix this without having to get the router shipped to me to fix and then shipped back!
Tried to run "pfsense-upgrade -dc" and I get the following error:
pfSense-upgrade -dc
Certificate verification failed for /CN=pfj-ca/C=GB/ST=sur/L=camb/O=j
34930339840:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/sources/FreeBSD-src-RELENG_2_7_0/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pfSense-repoc-static: failed to fetch the repo data
failed to read the repo data.
failed to update the repository settings!!!
failed to update the repository settings!!!
I run:
pkg-static update
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
pkg-static upgrade
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking for upgrades (0 candidates): 100%
Processing candidates (0 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
At the moment the firewall seems to be working fine, all connections and vpn. BUT I can't access the webgui - I just get a blank page.
Is there anything I can do to reinstall the webgui? Or how can I debug/fix the issue?
I ran "pkg-static upgrade -f" - which updated me to 2.7 (from 2.6) - that seems to have worked but it seems to have broken something in the webgui in the process!
-
@jagradang You can check the upgrade log.
A blank page on a PHP site is likely to be a fatal PHP error which usually means PHP couldn't parse the code. Which implies incorrect code, or incorrect PHP version. On a web server that usually shows up in the PHP error log, or web server error log, not actually sure where those are on disk in pfSense.
One possibility is if it installed a package that requires PHP 8 (hence upgrading PHP) but didn't actually upgrade pfSense to 2.7 then it's got the wrong PHP version.
It might be fastest and/or best to reinstall (to get to a known good state) and restore your config file.
-
@SteveITS Thank you. I think it will have to be a re-install then. I'm waiting for the weekend to see if I can get the router shipped out to me to fix it over the weekend and then get it delivered back onsite for next week. Hopefully it'll be a straightforward process.
-
I did a full reinstall but I'm still getting this certificate error so pfsense won't install any packages after restore. Any ideas?
-
Sorry to sound glib, but have you checked the certificate? Does your web browser give you a certificate error when going to the WebUI?
-
@Finger79 I think the issue is with the default webcert. I checked its expiry and validity. I also tried creating a new certificate but I still seem to get this error. Not sure if there is a guide on how to create a fresh cert and set it up?
-
@jagradang there have been a few posts about cert errors in recent weeks but I can’t seem to find any on my phone. I highly doubt it has to do with your web GUI cert, that’s just for your access.
Try https://docs.netgate.com/pfsense/en/latest/troubleshooting/upgrades.html#upgrade-not-offered-library-errors
-
jimp moved this topic from Problems Installing or Upgrading pfSense Software on
-
You can generate a new web cert from the php shell, or directly with:
pfSsh.php playback generateguicert
Steve
-
I had an absolute nightmare fixing this issue. In the end I rebuilt the entire config from scratch. I'm still convinced there is an issue with 2.7 and certificates. I had to rebuild this around 6 times as every time I altered the certificates it broke irreparably. Meaning I had to start from scratch again. (Even creating a certificate for openvpn totally broke the firewall!!!!)
I eventually gave in and didn't create a custom certificate - leaving the default web configurator one in just to get the damn thing working before Monday!! It now seems to be playing ball and working but I'm not touching the certificates until I can get on site and attempt a rebuild again.
Looking through the forum there seem to be all sorts of issues around the certs so not surprised this is breaking! I have another 3 sites running this version, so of the 4 sites, 3 are broken with certificates and one seemed to go through cleanly.
Hope Netgate get their act together and create a patch to fix this!
-
Hmm, not seen that. You have the most basic steps to replicate it?
-
@stephenw10 I will try and reproduce this again on my virtual machine when I get home.
But essentially all I did was:
- Create a CA authority
- Add a CERT under the CA authority
- Change the admin page and DNS to use this newly created cert.
- Delete the original Cert
- Go to the command line and try and run pfSense-upgrade - and it all breaks. Can't update, and WAN all went down.
-
Hmm, I can't replicate that directly. Maybe something to do with the steps ordering. Did you have SSL/TLS enabled in Unbound before starting?
-
Did you have other certs or CAs already defined and/or in use?