Causes for: “pkg: An error occured while fetching package”?

DominikHoffmann

I just ran pkg upgrade in response to a notification email I received for other Netgate appliances I manage, which read

Notifications in this message: 1
================================

09:00:16 Some packages are part of the base system and will not show up in Package Manager. If any such updates are listed below, run `pkg upgrade` from the shell to install them:

isc-dhcp44-relay: 4.4.3P1_3 -> 4.4.3P1_4 [pfSense]
isc-dhcp44-server: 4.4.3P1_3 -> 4.4.3P1_4 [pfSense]
openvpn: 2.6.7_1 -> 2.6.8_1 [pfSense]

The output of pkg upgrade was

[23.09-RELEASE][admin@ak.selfip.net]/root: pkg upgrade
Updating pfSense-core repository catalogue...
pkg: An error occured while fetching package
pkg: An error occured while fetching package
repository pfSense-core has no meta file, using default settings
pkg: An error occured while fetching package
pkg: An error occured while fetching package
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg: An error occured while fetching package
pkg: An error occured while fetching package
repository pfSense has no meta file, using default settings
pkg: An error occured while fetching package
pkg: An error occured while fetching package
Unable to update repository pfSense
Error updating repositories!

What could be causes for this? This firewall was just recently upgraded to pfSense+ 23.09.

stephenw10

If you only connected to the CLI run pfSense-repoc first.

If it still fails run pkg-static -d update to see what the actual error is.

Steve

DominikHoffmann

@stephenw10: Thanks for the tip. I rebooted the appliance and now it isn’t an issue. I wish, I had seen your suggestion beforehand.

stephenw10

Oh, it came back up OK after rebooting? Or you had to reinstall?

DominikHoffmann

@stephenw10: A simple reboot allowed me to run pkg upgrade without issues.

DominikHoffmann

@stephenw10: I had my issue occur again on the Netgate 1100 of another client of mine. The upgrade attempt was prompted by the curl update from 8.4.0 to 8.5.0.

Same issue:

[23.09-RELEASE][***@***.***]/root: pkg upgrade
Updating pfSense-core repository catalogue...
pkg: An error occured while fetching package
pkg: An error occured while fetching package
repository pfSense-core has no meta file, using default settings
pkg: An error occured while fetching package
pkg: An error occured while fetching package
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg: An error occured while fetching package
pkg: An error occured while fetching package
repository pfSense has no meta file, using default settings
pkg: An error occured while fetching package
pkg: An error occured while fetching package
Unable to update repository pfSense
Error updating repositories!
[23.09-RELEASE][***@***.***]/root: 

Then, as you suggested, I ran pfSense-repoc. A rerun of pkg upgrade resulted in this:

[23.09-RELEASE][***@***.***]/root: pkg upgrade
Updating pfSense-core repository catalogue...
Fetching meta.conf: 100%    163 B   0.2kB/s    00:01    
Fetching packagesite.pkg: 100%    2 KiB   1.6kB/s    00:01    
Processing entries: 100%
pfSense-core repository update completed. 5 packages processed.
Updating pfSense repository catalogue...
Fetching meta.conf: 100%    163 B   0.2kB/s    00:01    
Fetching packagesite.pkg: 100%  185 KiB 189.5kB/s    00:01    
Processing entries: 100%
pfSense repository update completed. 713 packages processed.
All repositories are up to date.
Checking for upgrades (1 candidates): 100%
Processing candidates (1 candidates): 100%
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
	curl: 8.4.0 -> 8.5.0 [pfSense]

Number of packages to be upgraded: 1

1 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching curl-8.5.0.pkg: 100%    1 MiB   1.4MB/s    00:01    
Checking integrity... done (0 conflicting)
[1/1] Upgrading curl from 8.4.0 to 8.5.0...
[1/1] Extracting curl-8.5.0: 100%
[23.09-RELEASE][***@***.***/root: 

In other words, success!

So, my question is what does pfSense-repoc do?

Gertjan

@DominikHoffmann
Be careful, you are breaking the rules.
23.09.1 is out since a week, so you should upgrade pfSense itself first, before upgrading anything else like packages, or OS packages like this "curl: 8.4.0 -> 8.5.0 [pfSense]".

stephenw10

pfSense-repoc is the client program for updating the dynamic repo branches. When you run it a new client cert is pulled and the repo branches are updated.

In your case it allows pkg to access the repos because the client cert had expired. The cert gets updated whenever you visit the gui so usually you would not hit that.

The updated curl version should be fine. It was updated in our repo to address a recent issue.

Steve

netblues

Same issue here
pfSense-repoc
pfSense-repoc: invalid signature
failed to read the repo data.

Tried rebooting, no dice

pkg-static -d update
DBG(1)[51121]> pkg initialized
Updating pfSense-core repository catalogue...
DBG(1)[51121]> PkgRepo: verifying update for pfSense-core
DBG(1)[51121]> PkgRepo: need forced update of pfSense-core
DBG(1)[51121]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense-core.sqlite'
DBG(1)[51121]> Request to fetch pkg+https://pfsense-plus-pkg.netgate.com/pfSense_plus-v23_09_1_amd64-core/meta.conf
DBG(1)[51121]> curl_open
DBG(1)[51121]> Fetch: fetcher used: pkg+https
DBG(1)[51121]> curl> fetching https://pfsense-plus-pkg.netgate.com/pfSense_plus-v23_09_1_amd64-core/meta.conf

DBG(1)[51121]> CURL> attempting to fetch from , left retry 3

* Couldn't find host pfsense-plus-pkg00.atx.netgate.com in the .netrc file; using defaults
*   Trying 208.123.73.207:443...
* Connected to pfsense-plus-pkg00.atx.netgate.com (208.123.73.207) port 443
* ALPN: curl offers http/1.1
*  CAfile: /etc/ssl/netgate-ca.pem
*  CApath: /etc/ssl/certs/
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: C=US; ST=Texas; L=Austin; O=Rubicon Communications, LLC (Netgate); OU=pfSense Plus; CN=pfsense-plus-pkg00.atx.netgate.com
*  start date: Mar 15 20:23:11 2022 GMT
*  expire date: Feb 19 20:23:11 2122 GMT
*  common name: pfsense-plus-pkg00.atx.netgate.com (matched)
*  issuer: C=US; ST=Texas; L=Austin; O=Rubicon Communications, LLC (Netgate); OU=Netgate CA; CN=Netgate CA
*  SSL certificate verify ok.
* using HTTP/1.1
> GET /pfSense_plus-v23_09_1_amd64-core/meta.conf HTTP/1.1
Host: pfsense-plus-pkg00.atx.netgate.com
User-Agent: pkg/1.20.8
Accept: */*
If-Modified-Since: Thu, 01 Jan 1970 00:00:00 GMT

< HTTP/1.1 400 Bad Request
< Server: nginx
< Date: Fri, 29 Dec 2023 06:02:45 GMT
< Content-Type: text/html
< Content-Length: 208
< Connection: close
< 
* Closing connection

Time is correct. Any pointers, more than welcome

stephenw10

Send me your NDI in chat and I'll check it.

netblues

@stephenw10 ah, yes.. I added one more interface.. A better message would be nice

netblues

Thanks for resolving this.

However, what comes to mind is that every time an interface is changed one has to go through the process of support.
I understand that this is not happening on a physical device, but on a virtualized is another story.
Do I get the same if running pfsense on aws?

There should be something better than that regarding licensing checks.

i.najmi

Hi Guys

I have a similar issue, not sure if it is the same issue or not. But i am not able to see any packages in available packages.

i ran pkg-static -d update command and below is the update.

DBG(1)[72296]> pkg initialized
Updating pfSense-core repository catalogue...
DBG(1)[72296]> PkgRepo: verifying update for pfSense-core
DBG(1)[72296]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense-core.sqlite'
DBG(1)[72296]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_7_2_amd64-core/meta.conf
DBG(1)[72296]> curl_open
DBG(1)[72296]> Fetch: fetcher used: pkg+https
DBG(1)[72296]> curl> fetching https://pkg.pfsense.org/pfSense_v2_7_2_amd64-core/meta.conf

DBG(1)[72296]> CURL> attempting to fetch from , left retry 3

* Couldn't find host pkg01-atx.netgate.com in the .netrc file; using defaults
*   Trying 208.123.73.209:443...
*   Trying [2610:160:11:18::209]:443...
* Immediate connect fail for 2610:160:11:18::209: No route to host
* Connected to pkg01-atx.netgate.com (208.123.73.209) port 443
* ALPN: curl offers http/1.1
*  CAfile: none
*  CApath: /etc/ssl/certs/
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=*.netgate.com
*  start date: Mar 21 00:00:00 2023 GMT
*  expire date: Apr 20 23:59:59 2024 GMT
*  subjectAltName: host "pkg01-atx.netgate.com" matched cert's "*.netgate.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
* using HTTP/1.1
> GET /pfSense_v2_7_2_amd64-core/meta.conf HTTP/1.1
Host: pkg01-atx.netgate.com
User-Agent: pkg/1.20.8
Accept: */*
If-Modified-Since: Wed, 06 Dec 2023 21:23:59 GMT

< HTTP/1.1 200 OK
Fetching meta.conf: < Server: nginx
< Date: Sun, 31 Dec 2023 07:22:16 GMT
< Content-Type: application/octet-stream
< Content-Length: 163
< Last-Modified: Wed, 06 Dec 2023 21:23:58 GMT
< Connection: keep-alive
< ETag: "6570e66e-a3"
< Strict-Transport-Security: max-age=31536000; preload
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Robots-Tag: all
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Accept-Ranges: bytes
<
* The requested document is not new enough
* Simulate an HTTP 304 response
* Closing connection

DBG(1)[72296]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_7_2_amd64-core/packagesite.pkg
DBG(1)[72296]> curl_open
DBG(1)[72296]> Fetch: fetcher used: pkg+https
DBG(1)[72296]> curl> fetching https://pkg.pfsense.org/pfSense_v2_7_2_amd64-core/packagesite.pkg

DBG(1)[72296]> CURL> attempting to fetch from , left retry 3

* Couldn't find host pkg01-atx.netgate.com in the .netrc file; using defaults
* Hostname pkg01-atx.netgate.com was found in DNS cache
*   Trying 208.123.73.209:443...
*   Trying [2610:160:11:18::209]:443...
* Immediate connect fail for 2610:160:11:18::209: No route to host
* Connected to pkg01-atx.netgate.com (208.123.73.209) port 443
* ALPN: curl offers http/1.1
*  CAfile: none
*  CApath: /etc/ssl/certs/
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=*.netgate.com
*  start date: Mar 21 00:00:00 2023 GMT
*  expire date: Apr 20 23:59:59 2024 GMT
*  subjectAltName: host "pkg01-atx.netgate.com" matched cert's "*.netgate.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
* using HTTP/1.1
> GET /pfSense_v2_7_2_amd64-core/packagesite.pkg HTTP/1.1
Host: pkg01-atx.netgate.com
User-Agent: pkg/1.20.8
Accept: */*
If-Modified-Since: Wed, 06 Dec 2023 21:23:59 GMT

< HTTP/1.1 200 OK
Fetching packagesite.pkg: < Server: nginx
< Date: Sun, 31 Dec 2023 07:22:17 GMT
< Content-Type: application/octet-stream
< Content-Length: 1496
< Last-Modified: Wed, 06 Dec 2023 21:23:59 GMT
< Connection: keep-alive
< ETag: "6570e66f-5d8"
< Strict-Transport-Security: max-age=31536000; preload
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Robots-Tag: all
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Accept-Ranges: bytes
<
* The requested document is not new enough
* Simulate an HTTP 304 response
* Closing connection

pfSense-core repository is up to date.
Updating pfSense repository catalogue...
DBG(1)[72296]> PkgRepo: verifying update for pfSense
DBG(1)[72296]> PkgRepo: need forced update of pfSense
DBG(1)[72296]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense.sqlite'
DBG(1)[72296]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_7_2_amd64-pfSense_v2_7_2/meta.conf
DBG(1)[72296]> curl_open
DBG(1)[72296]> Fetch: fetcher used: pkg+https
DBG(1)[72296]> curl> fetching https://pkg.pfsense.org/pfSense_v2_7_2_amd64-pfSense_v2_7_2/meta.conf

DBG(1)[72296]> CURL> attempting to fetch from , left retry 3

* Couldn't find host pkg00-atx.netgate.com in the .netrc file; using defaults
*   Trying 208.123.73.207:443...
*   Trying [2610:160:11:18::207]:443...
* Immediate connect fail for 2610:160:11:18::207: No route to host
* Connected to pkg00-atx.netgate.com (208.123.73.207) port 443
* ALPN: curl offers http/1.1
*  CAfile: none
*  CApath: /etc/ssl/certs/
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=*.netgate.com
*  start date: Mar 21 00:00:00 2023 GMT
*  expire date: Apr 20 23:59:59 2024 GMT
*  subjectAltName: host "pkg00-atx.netgate.com" matched cert's "*.netgate.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
* using HTTP/1.1
> GET /pfSense_v2_7_2_amd64-pfSense_v2_7_2/meta.conf HTTP/1.1
Host: pkg00-atx.netgate.com
User-Agent: pkg/1.20.8
Accept: */*
If-Modified-Since: Thu, 01 Jan 1970 00:00:00 GMT

< HTTP/1.1 200 OK
Fetching meta.conf: < Server: nginx
< Date: Sun, 31 Dec 2023 07:22:34 GMT
< Content-Type: application/octet-stream
< Content-Length: 163
< Last-Modified: Wed, 20 Dec 2023 18:29:08 GMT
< Connection: keep-alive
< ETag: "65833274-a3"
< Strict-Transport-Security: max-age=31536000; preload
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Robots-Tag: all
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Accept-Ranges: bytes
<
. done
* Connection #0 to host pkg00-atx.netgate.com left intact
DBG(1)[72296]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_7_2_amd64-pfSense_v2_7_2/packagesite.pkg
DBG(1)[72296]> curl_open
DBG(1)[72296]> Fetch: fetcher used: pkg+https
DBG(1)[72296]> curl> fetching https://pkg.pfsense.org/pfSense_v2_7_2_amd64-pfSense_v2_7_2/packagesite.pkg

DBG(1)[72296]> CURL> attempting to fetch from , left retry 3

* Couldn't find host pkg00-atx.netgate.com in the .netrc file; using defaults
* Found bundle for host: 0x606222345a0 [serially]
* Re-using existing connection with host pkg00-atx.netgate.com
> GET /pfSense_v2_7_2_amd64-pfSense_v2_7_2/packagesite.pkg HTTP/1.1
Host: pkg00-atx.netgate.com
User-Agent: pkg/1.20.8
Accept: */*
If-Modified-Since: Thu, 01 Jan 1970 00:00:00 GMT

< HTTP/1.1 200 OK
Fetching packagesite.pkg: < Server: nginx
< Date: Sun, 31 Dec 2023 07:22:34 GMT
< Content-Type: application/octet-stream
< Content-Length: 160728
< Last-Modified: Wed, 20 Dec 2023 18:29:09 GMT
< Connection: keep-alive
< ETag: "65833275-273d8"
< Strict-Transport-Security: max-age=31536000; preload
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Robots-Tag: all
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Accept-Ranges: bytes
<
..... done
* Connection #0 to host pkg00-atx.netgate.com left intact
DBG(1)[72296]> PkgRepo: extracting packagesite.yaml of repo pfSense
DBG(1)[4008]> PkgRepo: extracting signature of repo in a sandbox
DBG(1)[72296]> Pkgrepo, reading new packagesite.yaml for '/var/db/pkg/repo-pfSense.sqlite'
Processing entries: .......... done
pfSense repository update completed. 549 packages processed.
All repositories are up to date.

Appreciate all the help i can get. just a word that i am complete noob to pfsense so you may have to treat me as stupid and explain the steps to me.

Thanks
Najmi

stephenw10

@netblues said in Causes for: “pkg: An error occured while fetching package”?:

There should be something better than that regarding licensing checks.

Updates to accommodate that are coming. But until that time, yes, adding NICs to a system is seen as significant hardware change and will change the NDI.

stephenw10

@i-najmi said in Causes for: “pkg: An error occured while fetching package”?:

Processing entries: .......... done
pfSense repository update completed. 549 packages processed.
All repositories are up to date.

That is not an error, it successfully updated the pkg list.
What exactly are you seeing?

i.najmi

@stephenw10 looks like the issue got resolved by itself today

Thanks for your help.