Upgrade from 2.3.3p1 to 2.3.4 failes with repo SSL errors

cardy

Currently running:

2.3.3-RELEASE-p1 (amd64)
built on Thu Mar 09 07:17:41 CST 2017
FreeBSD 10.3-RELEASE-p17

Unable to check for updates

The update status says its unable to check for updates as shown above.

I tried to start an upgrade via System->Update    and get SSL errors about being unable to update from the repository.

Updating repositories metadata…
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Unlocking package pfSense-kernel-pfSense... done.
Downloading upgrade packages...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pkg: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory
SSL certificate subject doesn't match host files01.netgate.com
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_amd64-pfSense_v2_3_4/meta.txz: Authentication error
repository pfSense has no meta file, using default settings
SSL certificate subject doesn't match host files01.netgate.com
pkg: https://pkg.pfsense.org/pfSense_v2_3_4_amd64-pfSense_v2_3_4/packagesite.txz: Authentication error
Unable to update repository pfSense
Error updating repositories!
Locking package pfSense-kernel-pfSense... done.
Failed

Not had any issues with this machine before and am not having any now except being unable to update.

Looks like an SSL issue on the repo servers ?

andyhi

Running into similar problems on 3 of 3 vms in a lab that were upgraded to 2.3.3 two or three weeks back.

While this has been best practice for a while, there has been talk of security changes to Chrome that now require a cert used for SSL include the subject name in the Subject Alternate Name list… not sure if similar logic has made it's way into some of the code used in the recently upgraded 2.3.3 packages.

Update 2 - Manually viewing the cert chain in Chrome for https://pkg.pfsense.org/ looks good.  (updates.nyi.pfsense.org)  The SSL/TLS cert, intermediate, and root come back valid.  Also the SSL/TLS cert has *.pfsense.org as the subject and is first in the SAN list.

I also found the instructions for cleaning out packages left over from 2.2.x but this didn't resolve the issue.  "find / -type l -lname '/usr/pbi/*' -delete"

I also found the option to upload the tar.gz upgrade package for offline upgrade is no longer available due to the move to newer modular design.  :(  (Some isolated environments could really use this without having to do a wipe and fresh install from the full install .iso.)

Open to suggestions... have vm snapshot capability and this is a lab...

Update 3 - Problem resolved itself.  All 3 boxes updated successfully from console option 13 after 6 - 10 tries, multiple restarts, a couple of "find / -type l -lname '/usr/pbi/*' -delete" and a "pfSense-upgrade -d" or two thrown in at random times on each host.  Can't prove it but really looks like there were upstream SSL issues... either at one of the hosting repositories or a man in the middle trying to peak into my SSL connections.

empbilly

Try these steps in the below link.
https://forum.pfsense.org/index.php?topic=130054.msg716736#msg716736

cardy

Tha worked for me and has fixed the issue, Thanks.