Unable to Upgrade 2.4.3-p1 to 2.4.4

MrXirtam

I noticed that the updated 2.4.4 was released a couple weeks back, and logging into my firewall as often as I do, I never noticed the update. My update panel kept saying it was up-to-date with 2.4.3-p1. I rebooted my pfSense and once it came back up, it finally showed an update to 2.4.4 was available. I ran through the upgrade, and it seemed to download and install everything fine, ended with a success message. Once it rebooted and came back up, it still reflects on the main page it is running 2.4.3-p1. Weird...So I ran the upgrade again and same process, reboots, still running 2.4.3-p1.

When I run the following command: pkg info -x pfSense I get this output:

pfSense-2.4.3_1
pfSense-Status_Monitoring-1.7.6
pfSense-base-2.4.3_1
pfSense-default-config-2.4.3_1
pfSense-kernel-pfSense-2.4.3_1
pfSense-rc-2.4.3_1
pfSense-repo-2.4.4
pfSense-upgrade-0.59
php56-pfSense-module-0.61

But when I run this command: cat /usr/local/etc/pkg/repos/pfSense.conf I get the following output:

FreeBSD: { enabled: no }

pfSense-core: {
  url: "pkg+https://pkg.pfsense.org/pfSense_v2_4_4_amd64-core",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/local/share/pfSense/keys/pkg",
  enabled: yes
}

pfSense: {
  url: "pkg+https://pkg.pfsense.org/pfSense_v2_4_4_amd64-pfSense_v2_4_4",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/local/share/pfSense/keys/pkg",
  enabled: yes
}

Anytime I try to run the update in the console menu, I get the following:

>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
pkg-static: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory
Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg-static: https://pkg.pfsense.org/pfSense_v2_4_4_amd64-core/meta.txz: Authentication error
repository pfSense-core has no meta file, using default settings
Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg-static: https://pkg.pfsense.org/pfSense_v2_4_4_amd64-core/packagesite.txz: Authentication error
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg-static: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory
Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg-static: https://pkg.pfsense.org/pfSense_v2_4_4_amd64-pfSense_v2_4_4/meta.txz: Authentication error
repository pfSense has no meta file, using default settings
Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg-static: https://pkg.pfsense.org/pfSense_v2_4_4_amd64-pfSense_v2_4_4/packagesite.txz: Authentication error
Unable to update repository pfSense
Error updating repositories!

I'm not sure where to go from here. I get the same results when I run the recommended code from NetGate to clear out the cache:
pkg-static clean -ay; pkg-static install -fy pkg pfSense-repo pfSense-upgrade

Any ideas? Thanks!

jimp

You have some kind of proxy between your firewall and the update servers and it's blocking you, intercepting the SSL connection and inserting its own certificate.

MrXirtam

@jimp said in Unable to Upgrade 2.4.3-p1 to 2.4.4:

You have some kind of proxy between your firewall and the update servers and it's blocking you, intercepting the SSL connection and inserting its own certificate.

I do not utilize any type of proxy. The closest I use is an OpenVPN server and client. The client I use I do not have it pull routes either, I selectively assign certain traffic to go out that VPN. I just tried to disable the client and update again, but it has the same output. The server I run is just a Remote Access (SSL/TLS + auth).

jimp

@mrxirtam said in Unable to Upgrade 2.4.3-p1 to 2.4.4:

Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:

That means somewhere ahead of you is a Cisco device intercepting your SSL. The Netgate servers to not have anything that would use that certificate. It isn't coming from here, or the firewall itself.

MrXirtam

Ah ha. Figured it out. I figured it was some kind of Cisco device when I saw those in the error messages, but I do not have any Cisco equipment in the slightest. I do, however, have OpenDNS servers put in and that is where the interception was happening. Once I pointed them to 8.8.8.8, upgrade happened and after reboot, it now shows on 2.4.4.

Thanks for your input on this!

walchst

Cheers had the same issue using Cloudflare 1.1.1.1.

JeGr

@walchst said in Unable to Upgrade 2.4.3-p1 to 2.4.4:

Cheers had the same issue using Cloudflare 1.1.1.1.

Huh? You want to say that CFs 1.1.1.1 and 1.0.0.1 intercepted your SSL, broke it up and handed you a bad certificate error while contacting the netgate PKG repositories? I can hardly believe that statement as I'm running several production and live setups with CF nameservers as fallback/default for pfSense itself and never ever have I been seeing this. OpenDNS makes sense, as their offer is to filter your DNS with your setup. But CF doesn't filter their public DNS as to my knowledge!