Unable to auto-update snapshots
-
Try using https.
The version file appears to accessible by both http and https though. Could be unrelated, do you have general internet access from the box otherwise?Steve
-
Try using https.
The version file appears to accessible by both http and https though. Could be unrelated, do you have general internet access from the box otherwise?Steve
Tried HTTPS but the same problem persists. I do otherwise have connectivity out of the box.
Thanks!
-
Can you do this?:
[2.2-BETA][root@xtm5.localdomain]/root: fetch -o /dev/null http://snapshots.pfsense.org/FreeBSD_stable/10/i386/pfSense_HEAD/.updaters/version /dev/null 100% of 29 B 291 kBps 00m00s [2.2-BETA][root@xtm5.localdomain]/root: fetch -o /dev/null https://snapshots.pfsense.org/FreeBSD_stable/10/i386/pfSense_HEAD/.updaters/version /dev/null 100% of 29 B 291 kBps 00m00s
Steve
-
I split this thread off since it is not related to the other thread in which it was posted.
-
Sorry about that, jimp.
stephenw10: Upon running the command you provided I received the following error:
Certificate verification failed for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root 675211580:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/pfSensesrc/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1180: fetch: http://snapshots.pfsense.org/FreeBSD_stable/10/i386/pfSense_HEAD/.updaters/version: Authentication error
But the following does work:
fetch --no-verify-peer -o /dev/null http://snapshots.pfsense.org/FreeBSD_stable/10/i386/pfSense_HEAD/.updaters/version /dev/null 100% of 29 B 103 kBps 00m00s
-
Hmm, well that looks bad. Interestingly I can't access that url either any more. Try again:
https://snapshots.pfsense.org/FreeBSD_releng/10.1/i386/pfSense_HEAD/.updaters/
Could be there were some changes taking place. I don't know though.Steve
-
Same issue with: https://snapshots.pfsense.org/FreeBSD_releng/10.1/i386/pfSense_HEAD/.updaters/
I was able to fix fetch by creating a symlink for the root cert bundle:
sudo ln -sf /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
fetch -o /dev/null https://snapshots.pfsense.org/FreeBSD_stable/10/i386/pfSense_HEAD/.updaters/version /dev/null 100% of 29 B 123 kBps 00m00s
Unfortunately, this didn't fix auto-update :)
-
Hmm, bizzare. :-\ It's still working here on my test box just fine, all four options. There is a redirect in place for 10 stable to 10.1 releng:
[2.2-BETA][root@xtm5.localdomain]/root: fetch -o /dev/null http://snapshots.pfsense.org/FreeBSD_stable/10/i386/pfSense_HEAD/.updaters/version /dev/null 100% of 29 B 300 kBps 00m00s [2.2-BETA][root@xtm5.localdomain]/root: fetch -o /dev/null https://snapshots.pfsense.org/FreeBSD_stable/10/i386/pfSense_HEAD/.updaters/version /dev/null 100% of 29 B 298 kBps 00m00s [2.2-BETA][root@xtm5.localdomain]/root: fetch -o /dev/null https://snapshots.pfsense.org/FreeBSD_releng/10.1/i386/pfSense_HEAD/.updaters/version /dev/null 100% of 29 B 307 kBps 00m00s [2.2-BETA][root@xtm5.localdomain]/root: fetch -o /dev/null http://snapshots.pfsense.org/FreeBSD_releng/10.1/i386/pfSense_HEAD/.updaters/version /dev/null 100% of 29 B 209 kBps 00m00s
There have been cert problems before but usually affecting everything. Do you have a bad system date that's rendering the cert invalid?
I'd be tempted to re-install at thus point.Steve
-
I just manually installed the latest snapshot. Perhaps a contributor turned on some additional debugging in the updater widget, but it spit out the following output:
2.2-BETA (i386)
built on Mon Nov 24 16:50:47 CST 2014
FreeBSD 10.1-RELEASE
…........ Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:45) in /usr/local/www/guiconfig.inc on line 48 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:45) in /usr/local/www/guiconfig.inc on line 49 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:45) in /usr/local/www/guiconfig.inc on line 50 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:45) in /usr/local/www/guiconfig.inc on line 51 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:45) in /usr/local/www/guiconfig.inc on line 52 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:45) in /usr/local/www/guiconfig.inc on line 55 Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /etc/inc/config.inc:45) in /etc/inc/auth.inc on line 1362Unable to check for updates.
-
I think I finally figured it out… I'm using the new unbound DNS Resolver, and had the following option unchecked under System->General Setup:
-Do not use the DNS Forwarder as a DNS server for the firewall
I noticed I was getting a failed resolution for snapshots.pfsense.org, so I enabled that option and it started working correctly under the System->Firmware->Auto Update tab. I'm still getting the extra debug output in the System information widget under "Version", but I think that's actually a PHP error in the latest build.
I'll report back if it succeeds in finding the next update. Thanks a lot for your help!
-
FYI - this did end up fixing the issue.
-
Same issue as emce, and unchecking that same box worked to fix it for me as well.
-
Did you have any name servers filled in under System > General?
-
Did you have any name servers filled in under System > General?
I do. I'm using Google's servers, followed by those of my ISP.
On a related note, I'm continuing to see the erroneous output in the Version section of the System Information widget:
2.2-BETA (i386)
built on Tue Nov 25 11:51:07 CST 2014
FreeBSD 10.1-RELEASE
…........ Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:45) in /usr/local/www/guiconfig.inc on line 48 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:45) in /usr/local/www/guiconfig.inc on line 49 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:45) in /usr/local/www/guiconfig.inc on line 50 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:45) in /usr/local/www/guiconfig.inc on line 51 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:45) in /usr/local/www/guiconfig.inc on line 52 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/config.inc:45) in /usr/local/www/guiconfig.inc on line 55 Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /etc/inc/config.inc:45) in /etc/inc/auth.inc on line 1362 -
Can you check /etc/resolv.conf to see if the name servers are actually there?
-
Sure thing. Here's the contents:
$ cat /etc/resolv.conf search <mydomain>.com nameserver 8.8.8.8 nameserver 8.8.4.4 nameserver 75.75.75.75 nameserver 75.75.76.76</mydomain>
-
In that case it should have been able to resolve, unless you can't reach any of those servers
-
I've tried toggling the "Do not use the DNS Forwarder as a DNS server for the firewall" option on and off, and can successfully reproduce the issue. I don't seem to be having any other resolution issues off of this box at the moment. Definitely odd.
-
anything relevant in your resolver log? Status>System logs, Resolver.
What does the output of:
sockstat -4 | grep 53
run from a command prompt show?
-
Ok… scratch me from having the problem. I was actually having an issue with unbound (see that thread). I just unchecked that setting and it's still checking for updates.