Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Unable to auto-update snapshots

    2.2 Snapshot Feedback and Problems - RETIRED
    6
    26
    4.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stephenw10S
      stephenw10 Netgate Administrator
      last edited by

      Try using https.
      The version file appears to accessible by both http and https though. Could be unrelated, do you have general internet access from the box otherwise?

      Steve

      1 Reply Last reply Reply Quote 0
      • E
        emce
        last edited by

        @stephenw10:

        Try using https.
        The version file appears to accessible by both http and https though. Could be unrelated, do you have general internet access from the box otherwise?

        Steve

        Tried HTTPS but the same problem persists.  I do otherwise have connectivity out of the box.

        Thanks!

        1 Reply Last reply Reply Quote 0
        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          Can you do this?:

          [2.2-BETA][root@xtm5.localdomain]/root: fetch -o /dev/null http://snapshots.pfsense.org/FreeBSD_stable/10/i386/pfSense_HEAD/.updaters/version
          /dev/null                                     100% of   29  B  291 kBps 00m00s
          [2.2-BETA][root@xtm5.localdomain]/root: fetch -o /dev/null https://snapshots.pfsense.org/FreeBSD_stable/10/i386/pfSense_HEAD/.updaters/version
          /dev/null                                     100% of   29  B  291 kBps 00m00s
          
          

          Steve

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            I split this thread off since it is not related to the other thread in which it was posted.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • E
              emce
              last edited by

              Sorry about that, jimp.

              stephenw10: Upon running the command you provided I received the following error:

              Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
              675211580:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/pfSensesrc/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1180:
              fetch: http://snapshots.pfsense.org/FreeBSD_stable/10/i386/pfSense_HEAD/.updaters/version: Authentication error
              

              But the following does work:

              fetch --no-verify-peer -o /dev/null http://snapshots.pfsense.org/FreeBSD_stable/10/i386/pfSense_HEAD/.updaters/version
              /dev/null                                     100% of   29  B  103 kBps 00m00s
              
              1 Reply Last reply Reply Quote 0
              • stephenw10S
                stephenw10 Netgate Administrator
                last edited by

                Hmm, well that looks bad. Interestingly I can't access that url either any more. Try again:
                https://snapshots.pfsense.org/FreeBSD_releng/10.1/i386/pfSense_HEAD/.updaters/
                Could be there were some changes taking place. I don't know though.

                Steve

                1 Reply Last reply Reply Quote 0
                • E
                  emce
                  last edited by

                  Same issue with: https://snapshots.pfsense.org/FreeBSD_releng/10.1/i386/pfSense_HEAD/.updaters/

                  I was able to fix fetch by creating a symlink for the root cert bundle:

                  sudo ln -sf /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
                  
                  fetch -o /dev/null https://snapshots.pfsense.org/FreeBSD_stable/10/i386/pfSense_HEAD/.updaters/version
                  /dev/null                                     100% of   29  B  123 kBps 00m00s
                  

                  Unfortunately, this didn't fix auto-update :)

                  1 Reply Last reply Reply Quote 0
                  • stephenw10S
                    stephenw10 Netgate Administrator
                    last edited by

                    Hmm, bizzare.  :-\ It's still working here on my test box just fine, all four options. There is a redirect in place for 10 stable to 10.1 releng:

                    [2.2-BETA][root@xtm5.localdomain]/root: fetch -o /dev/null http://snapshots.pfsense.org/FreeBSD_stable/10/i386/pfSense_HEAD/.updaters/version
                    /dev/null                                     100% of   29  B  300 kBps 00m00s
                    [2.2-BETA][root@xtm5.localdomain]/root: fetch -o /dev/null https://snapshots.pfsense.org/FreeBSD_stable/10/i386/pfSense_HEAD/.updaters/version
                    /dev/null                                     100% of   29  B  298 kBps 00m00s
                    [2.2-BETA][root@xtm5.localdomain]/root: fetch -o /dev/null https://snapshots.pfsense.org/FreeBSD_releng/10.1/i386/pfSense_HEAD/.updaters/version
                    /dev/null                                     100% of   29  B  307 kBps 00m00s
                    [2.2-BETA][root@xtm5.localdomain]/root: fetch -o /dev/null http://snapshots.pfsense.org/FreeBSD_releng/10.1/i386/pfSense_HEAD/.updaters/version
                    /dev/null                                     100% of   29  B  209 kBps 00m00s
                    
                    

                    There have been cert problems before but usually affecting everything. Do you have a bad system date that's rendering the cert invalid?
                    I'd be tempted to re-install at thus point.

                    Steve

                    1 Reply Last reply Reply Quote 0
                    • E
                      emce
                      last edited by

                      I just manually installed the latest snapshot.  Perhaps a contributor turned on some additional debugging in the updater widget, but it spit out the following output:

                      2.2-BETA (i386)
                      built on Mon Nov 24 16:50:47 CST 2014
                      FreeBSD 10.1-RELEASE
                      …........ Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:45) in /usr/local/www/guiconfig.inc on line 48 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:45) in /usr/local/www/guiconfig.inc on line 49 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:45) in /usr/local/www/guiconfig.inc on line 50 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:45) in /usr/local/www/guiconfig.inc on line 51 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:45) in /usr/local/www/guiconfig.inc on line 52 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:45) in /usr/local/www/guiconfig.inc on line 55 Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /etc/inc/config.inc:45) in /etc/inc/auth.inc on line 1362

                      Unable to check for updates.

                      1 Reply Last reply Reply Quote 0
                      • E
                        emce
                        last edited by

                        I think I finally figured it out… I'm using the new unbound DNS Resolver, and had the following option unchecked under System->General Setup:

                        -Do not use the DNS Forwarder as a DNS server for the firewall

                        I noticed I was getting a failed resolution for snapshots.pfsense.org, so I enabled that option and it started working correctly under the System->Firmware->Auto Update tab.  I'm still getting the extra debug output in the System information widget under "Version", but I think that's actually a PHP error in the latest build.

                        I'll report back if it succeeds in finding the next update.  Thanks a lot for your help!

                        1 Reply Last reply Reply Quote 0
                        • E
                          emce
                          last edited by

                          FYI - this did end up fixing the issue.

                          1 Reply Last reply Reply Quote 0
                          • MikeV7896M
                            MikeV7896
                            last edited by

                            Same issue as emce, and unchecking that same box worked to fix it for me as well.

                            The S in IOT stands for Security

                            1 Reply Last reply Reply Quote 0
                            • jimpJ
                              jimp Rebel Alliance Developer Netgate
                              last edited by

                              Did you have any name servers filled in under System > General?

                              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                              Need help fast? Netgate Global Support!

                              Do not Chat/PM for help!

                              1 Reply Last reply Reply Quote 0
                              • E
                                emce
                                last edited by

                                @jimp:

                                Did you have any name servers filled in under System > General?

                                I do.  I'm using Google's servers, followed by those of my ISP.

                                On a related note, I'm continuing to see the erroneous output in the Version section of the System Information widget:

                                2.2-BETA (i386)
                                built on Tue Nov 25 11:51:07 CST 2014
                                FreeBSD 10.1-RELEASE
                                …........ Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:45) in /usr/local/www/guiconfig.inc on line 48 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:45) in /usr/local/www/guiconfig.inc on line 49 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:45) in /usr/local/www/guiconfig.inc on line 50 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:45) in /usr/local/www/guiconfig.inc on line 51 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:45) in /usr/local/www/guiconfig.inc on line 52 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:45) in /usr/local/www/guiconfig.inc on line 55 Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /etc/inc/config.inc:45) in /etc/inc/auth.inc on line 1362

                                1 Reply Last reply Reply Quote 0
                                • jimpJ
                                  jimp Rebel Alliance Developer Netgate
                                  last edited by

                                  Can you check /etc/resolv.conf to see if the name servers are actually there?

                                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                  Need help fast? Netgate Global Support!

                                  Do not Chat/PM for help!

                                  1 Reply Last reply Reply Quote 0
                                  • E
                                    emce
                                    last edited by

                                    Sure thing.  Here's the contents:

                                    $ cat /etc/resolv.conf
                                    search <mydomain>.com
                                    nameserver 8.8.8.8
                                    nameserver 8.8.4.4
                                    nameserver 75.75.75.75
                                    nameserver 75.75.76.76</mydomain>
                                    
                                    1 Reply Last reply Reply Quote 0
                                    • jimpJ
                                      jimp Rebel Alliance Developer Netgate
                                      last edited by

                                      In that case it should have been able to resolve, unless you can't reach any of those servers

                                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                      Need help fast? Netgate Global Support!

                                      Do not Chat/PM for help!

                                      1 Reply Last reply Reply Quote 0
                                      • E
                                        emce
                                        last edited by

                                        I've tried toggling the "Do not use the DNS Forwarder as a DNS server for the firewall" option on and off, and can successfully reproduce the issue.  I don't seem to be having any other resolution issues off of this box at the moment.  Definitely odd.

                                        1 Reply Last reply Reply Quote 0
                                        • C
                                          cmb
                                          last edited by

                                          anything relevant in your resolver log? Status>System logs, Resolver.

                                          What does the output of:

                                          sockstat -4 | grep 53
                                          

                                          run from a command prompt show?

                                          1 Reply Last reply Reply Quote 0
                                          • MikeV7896M
                                            MikeV7896
                                            last edited by

                                            Ok… scratch me from having the problem. I was actually having an issue with unbound (see that thread). I just unchecked that setting and it's still checking for updates.

                                            The S in IOT stands for Security

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.