Netgate Discussion Forum
    Upgrade pfsense CE 2.7.0 to 2.7.1

      cclarsen @stephenw10

      @stephenw10

      [2.7.0-RELEASE][admin@pfSense.here]/root: pkg-static upgrade pkg
      No active remote repositories configured.

        stephenw10 Netgate Administrator

        You set the branch to 2.7.0 first?

        Oh you might need to run pfSense-repo-setup

          cclarsen @stephenw10

          @stephenw10 said in Upgrade pfsense CE 2.7.0 to 2.7.1:

          pfSense-repo-setup

          I did. Looks like maybe a rebuild is in order?

          [2.7.0-RELEASE][admin@pfSense.here]/root: pfSense-repo-setup
          ld-elf.so.1: Shared object "libcrypto.so.30" not found, required by "php"
          ld-elf.so.1: Shared object "libcrypto.so.30" not found, required by "php"
          cp: /usr/local/etc/pkg/repos/.conf: No such file or directory
          /usr/local/sbin/pfSense-repo-setup: /usr/local/sbin/-repoc-static: not found
          failed to update the repository settings!!!

            stephenw10 Netgate Administrator

            Might be easiest/quickest.

            What does cat /etc/platform show?

            If that doesn't show pfSense you can try setting it to that.

            You could also try: pfSense-repoc-static

              cclarsen @stephenw10

              @stephenw10 said in Upgrade pfsense CE 2.7.0 to 2.7.1:

              pfSense-repoc-static

              [2.7.0-RELEASE][admin@pfSense.here]/root: cat /etc/platform
              pfSense
              [2.7.0-RELEASE][admin@pfSense.here]/root: pfSense-repoc-static
              ld-elf.so.1: Shared object "libcrypto.so.30" not found, required by "php"
              pfSense-repoc-static: cannot read pfSense pkg prefix
              failed to collect the system information.

                stephenw10 Netgate Administrator

                Hmm, I'd love to know how it's got into that state but installing 2.7.1 directly and restoring the config is going to be the fastest way back I think. If you're able to do that.

                  cclarsen @stephenw10

                  @stephenw10

                  I will rebuild (already have 2.71 downloaded). I can tell you the steps I took to see if that sheds any light for you. Everything was working well prior to attempting the upgrade. Before I attempted the 2.7.1 upgrade, I updated all the packages that showed they were out of date. That included:

                  nmap
                  openvpn-client-export
                  pfBlockerNG
                  snort
                  LightSquid

                  After the upgrades, I attempted the 2.7.1 upgrade and it failed just like you've seen above, but then I started getting a bunch of php failures (specifically having to do with the LightSquid package). It seemed like one of the package upgrades impacted the php install and caused all of the problems we're seeing now. At least that is what it appears like to me. Thank you for your assistance.

                    SteveITS Galactic Empire @cclarsen

                    @cclarsen said in Upgrade pfsense CE 2.7.0 to 2.7.1:

                    Before I attempted the 2.7.1 upgrade, I updated all the packages that showed they were out of date

                    That will break things, never do that. See my sig. Uninstall packages as suggested per the upgrade guide, or just upgrade and the upgrade will uninstall/reinstall for you.

                    Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                    When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                    Upvote 👍 helpful posts!

                        reberhar @Patch

                        @Patch Thanks Patch ... I will try that. It has been somewhat frustrating to get some images placed on this site. If necessary I will just paste a link.

                          reberhar @stephenw10

                          @stephenw10 Hi Stephen,

                          So my update problem with my secondary servers appears to be DNS. In the unbound DNS resolver, if I include either WAN or localhost in the outgoing DNS window I get resolution on my secondary. I am including localhost. I had already included localhost in the Interfaces window, as per normal in my understanding, unless of course I got them reversed. pfBlocker's windows tend to confuse the issue. I always thought that for the firewall to be able to access the Internet I need to put localhost in Network interfaces. Now I am wondering if I got them switched, that is if I need to put localhost in the outgoing window instead. As localhost is not an Internet port I am a little confused as to what is happening.

                          I have to think about this for a little while, run some tests, research it, and understand it. Understanding is important. Just enabling things because they work is not recommended procedure.

                          Of course your wise input is always appreciated.

                          Roy

                            stephenw10 Netgate Administrator

                            What did you have selected for outgoing interfaces when it was failing?

                              reberhar @stephenw10

                              @stephenw10 Just the virtual wan ip. I did the same thing for Squid.

                              I just did the Squid change recently. Squid is supposed to turn itself off anyway, so I don't really know if the vip is necessary there. Maybe not on the DNS resolver either. Of course we want DNS to work on the secondary unit.

                              I think I just chose those in each of those spots because it seemed appropriate. There is not much posted on using the vip in those packages. I just remember bbcan posting how to set up pfblocker on an early post including suggestions for the DNS resolver. But of course he didn't design pfBlocker for HA although there is a place for a VIP. On some of my equipment I have not been able to use that function. It does not function as expected. On those boxes I had problems with flooding when I tried the VIP on pfblocker. It is a very complex setup though with 4 heads. When I have a chance I will work out the problems on the 12 to 5 shift.

                              That being said, I am grateful for bbcan's contribution. pfBlocker is an extremely useful package and I am glad for it and his efforts to maintain it.

                              Right now I just want to work on the appropriate DNS setting regardless of what any post might say.

                              Thanks for your suggestions.

                                stephenw10 Netgate Administrator @reberhar

                                @reberhar said in Upgrade pfsense CE 2.7.0 to 2.7.1:

                                Just the virtual wan ip.

                                Ah, well that would explain it. The WAN CARP VIP is only ever valid on the master node so a backup node could not use that to send DNS queries.

                                  reberhar @stephenw10

                                  @stephenw10 Yes of course.

                                  So should I include the wan and/or the localhost? I am assuming the wan.

                                    stephenw10 Netgate Administrator

                                    It could be either. If you only have one WAN it doesn't really matter. Using localhost as source allows Unbound to use any interface as long as NAT rules exist on it (and not to a CARP VIP!).

                                      reberhar @stephenw10

                                      @stephenw10 localhost then. I didn't think about localhost being connected to all the wans.

                                      Thanks,

                                      Roy

                                        reberhar @reberhar

                                        @reberhar Thanks again Stephen,

                                        It was still a long night fixing these problems at the ends of all my tunnels. The DNS being wrong and the updates being out of sync caused me several unexpected and unanticipated problems with one of the pfSense secondary servers, including some certificate errors that the rehash couldn't fix. Some of the updates were interrupted because of the way I had done the DNS and me switching CARP states. I had to wait for the update certificates on the update server to time out. On these distant units I need to be more patient and give time for updates to finish. The latency and the tunnels can cause the update feedback to be lost, even though pfSense is still faithfully working along. A server can return, even after a very long wait.

                                        This faithfulness and solidness of pfSense and FreeBSD has always impressed me. The programming must be quite awesome.

                                        Thanks for your help and patience. Would I have figured it out alone? Yes, I think so, but it is such a help to be able to ask. Research and trial and error work, but it is time consuming. Getting help on key points, however seemingly simple, can be a big boost.

                                        Thanks so much. You guys are really great.

                                          reberhar @reberhar

                                          @reberhar Hi guys, there is still another issue I am researching.

                                          Automatic backup does not show any items in the list, although they appear when I put the key in another installation.

                                          The following error is from a manual backup, not cron.

                                          An error occurred while uploading the encrypted pfSense configuration to https://acb.netgate.com/save (Failed to connect to acb.netgate.com port 443 after 10108 ms: Couldn't connect to server) @ 2023-12-02 13:20:01


                                          The machine is not able to fetch the repo.

                                          pfSense-repoc: failed to fetch the repo data

                                          The only repo that is available is 2.7.1 and that is selected.

                                          DNS works from the gui and the command line, that is nslookup resolves.

                                          Ping of acb.netgate.com fails, and at the command line it says ...

                                          PING acb.netgate.com (208.123.73.212): 56 data bytes
                                          ping: sendto: Permission denied
                                          ping: sendto: Permission denied
                                          ping: sendto: Permission denied
                                          ping: sendto: Permission denied
                                          ping: sendto: Permission denied

                                          It can ping other sites.

                                          Static update gives...

                                          [2.7.1-RELEASE][root@srofirewallsecondary.santarosa.sro]/root: pkg-static update -f
                                          Updating pfSense-core repository catalogue...
                                          pkg-static: An error occured while fetching package
                                          pkg-static: An error occured while fetching package
                                          repository pfSense-core has no meta file, using default settings
                                          pkg-static: An error occured while fetching package
                                          pkg-static: An error occured while fetching package
                                          Unable to update repository pfSense-core
                                          Updating pfSense repository catalogue...
                                          pkg-static: An error occured while fetching package
                                          pkg-static: An error occured while fetching package
                                          repository pfSense has no meta file, using default settings
                                          pkg-static: An error occured while fetching package
                                          pkg-static: An error occured while fetching package
                                          Unable to update repository pfSense
                                          Error updating repositories!

                                          Rehashing gives ...

                                          [2.7.1-RELEASE][root@srofirewallsecondary.santarosa.sro]/root: certctl rehash
                                          Scanning /usr/share/certs/untrusted for certificates...
                                          Scanning /usr/share/certs/trusted for certificates...
                                          Skipping untrusted certificate /usr/share/certs/trusted/Cybertrust_Global_Root.pem (/etc/ssl/untrusted/76cb8f92.0)
                                          Skipping untrusted certificate /usr/share/certs/trusted/DST_Root_CA_X3.pem (/etc/ssl/untrusted/2e5ac55d.0)
                                          Skipping untrusted certificate /usr/share/certs/trusted/GlobalSign_Root_CA_-_R2.pem (/etc/ssl/untrusted/4a6481c9.0)
                                          Skipping untrusted certificate /usr/share/certs/trusted/Hellenic_Academic_and_Research_Institutions_RootCA_2011.pem (/etc/ssl/untrusted/1636090b.0)
                                          Skipping untrusted certificate /usr/share/certs/trusted/Network_Solutions_Certificate_Authority.pem (/etc/ssl/untrusted/4304c5e5.0)
                                          Skipping untrusted certificate /usr/share/certs/trusted/Staat_der_Nederlanden_EV_Root_CA.pem (/etc/ssl/untrusted/03179a64.0)
                                          Skipping untrusted certificate /usr/share/certs/trusted/TrustCor_ECA-1.pem (/etc/ssl/untrusted/7aaf71c0.0)
                                          Skipping untrusted certificate /usr/share/certs/trusted/TrustCor_RootCert_CA-1.pem (/etc/ssl/untrusted/5d3033c5.0)
                                          Skipping untrusted certificate /usr/share/certs/trusted/TrustCor_RootCert_CA-2.pem (/etc/ssl/untrusted/3e44d2f7.0)
                                          Scanning /usr/local/share/certs for certificates...

                                          I tried this update line from the upgrade problem section of netgate forum. I wonder if it is right for 2.7.1. It failed.

                                          [2.7.1-RELEASE][root@srofirewallsecondary.santarosa.sro]/root: fetch -qo /usr/local/share/pfSense/keys/pkg/trusted/ https://raw.githubusercontent.com/pfsense/pfsense/RELENG_2_4_5/src/usr/local/share/pfSense/keys/pkg/trusted/pkg.pfsense.org.20160406
                                          I fetch: transfer timed out

                                          I am wondering if I need to do a reinstall. The box is about 2500 miles from here the way the plane flies. It is a virtual machine.

                                          Thanks for any help you can offer.

                                            stephenw10 Netgate Administrator @reberhar

                                            @reberhar said in Upgrade pfsense CE 2.7.0 to 2.7.1:

                                            ping: sendto: Permission denied

                                            That implies something locally blocking access. Do you have Snort or Suricata installed with blocking enabled?

                                            Steve

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.