Upgrade from 2.3.3p1 to 2.3.4 fails with repo SSL errors



  • Currently running:

    2.3.3-RELEASE-p1 (amd64)
    built on Thu Mar 09 07:17:41 CST 2017
    FreeBSD 10.3-RELEASE-p17

    Unable to check for updates

    The update status says it's unable to check for updates as shown above.

    I tried to start an upgrade via System->Update and get SSL errors about being unable to update from the repository.

    Updating repositories metadata…
    Updating pfSense-core repository catalogue...
    pfSense-core repository is up to date.
    Updating pfSense repository catalogue...
    pfSense repository is up to date.
    All repositories are up to date.

    Unlocking package pfSense-kernel-pfSense... done.
    Downloading upgrade packages...
    Updating pfSense-core repository catalogue...
    pfSense-core repository is up to date.
    Updating pfSense repository catalogue...
    pkg: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory
    SSL certificate subject doesn't match host files01.netgate.com
    pkg: https://pkg.pfsense.org/pfSense_v2_3_4_amd64-pfSense_v2_3_4/meta.txz: Authentication error
    repository pfSense has no meta file, using default settings
    SSL certificate subject doesn't match host files01.netgate.com
    pkg: https://pkg.pfsense.org/pfSense_v2_3_4_amd64-pfSense_v2_3_4/packagesite.txz: Authentication error
    Unable to update repository pfSense
    Error updating repositories!

    Locking package pfSense-kernel-pfSense... done.
    Failed

    Not had any issues with this machine before and am not having any now except being unable to update.

    Looks like an SSL issue on the repo servers?



  • Running into similar problems on 3 of 3 vms in a lab that were upgraded to 2.3.3 two or three weeks back.

    While this has been best practice for a while, there has been talk of security changes to Chrome that now require a cert used for SSL to include the subject name in the Subject Alternative Name list… not sure if similar logic has made its way into some of the code used in the recently upgraded 2.3.3 packages.

    Update 2 - Manually viewing the cert chain in Chrome for https://pkg.pfsense.org/ looks good.  (updates.nyi.pfsense.org)  The SSL/TLS cert, intermediate, and root come back valid.  Also the SSL/TLS cert has *.pfsense.org as the subject and is first in the SAN list.

    I also found the instructions for cleaning out packages left over from 2.2.x but this didn't resolve the issue.  "find / -type l -lname '/usr/pbi/*' -delete"

    I also found the option to upload the tar.gz upgrade package for offline upgrade is no longer available due to the move to newer modular design.  :(  (Some isolated environments could really use this without having to do a wipe and fresh install from the full install .iso.)

    Open to suggestions... have vm snapshot capability and this is a lab...

    Update 3 - Problem resolved itself.  All 3 boxes updated successfully from console option 13 after 6 - 10 tries, multiple restarts, a couple of "find / -type l -lname '/usr/pbi/*' -delete" and a "pfSense-upgrade -d" or two thrown in at random times on each host.  Can't prove it but really looks like there were upstream SSL issues... either at one of the hosting repositories or a man in the middle trying to peek into my SSL connections.
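An added example, not part of the original thread and not pfSense or pkg code: a small hostname check in the style of RFC 6125, applied to the two host names that appear in the log above (`pkg.pfsense.org` in the URL, `files01.netgate.com` in the error) and the `*.pfsense.org` certificate name the poster reported. The function names are hypothetical, and the SAN list is assumed to hold only that one entry, since the thread does not give the rest.

```python
# Added example: host names come from the thread, everything else is constructed.

def _match_name(pattern: str, host: str) -> bool:
    """Match one certificate name against a host.

    A '*' is accepted only as the entire leftmost label and covers
    exactly one label; partial wildcards such as 'f*.example' are rejected.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        if len(p_labels) < 3:          # refuse over-broad names like '*.org'
            return False
        return h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False
    return p_labels == h_labels


def cert_covers(host, san_dns, subject_cn=None):
    """Return (ok, reason). SAN dNSName entries take precedence over the CN."""
    names = list(san_dns) if san_dns else ([subject_cn] if subject_cn else [])
    for name in names:
        if _match_name(name, host):
            return True, f"{host} matches {name}"
    return False, f"{host} is not covered by {names}"


def diagnose(url_host, validated_host, san_dns, subject_cn=None):
    """Check both the host in the URL and the host named in the client error."""
    return {
        "url_host_ok": cert_covers(url_host, san_dns, subject_cn)[0],
        "validated_host_ok": cert_covers(validated_host, san_dns, subject_cn)[0],
        "hosts_differ": url_host.lower() != validated_host.lower(),
    }


# Assumption: only the SAN entry quoted in the thread; the full list is unknown.
SAN = ["*.pfsense.org"]

if __name__ == "__main__":
    result = diagnose("pkg.pfsense.org", "files01.netgate.com", SAN, "*.pfsense.org")
    for key, value in result.items():
        print(f"{key}: {value}")
```

When the host named in a client's mismatch error differs from the host in the requested URL, as it does in the log above, the certificate should be checked against the host in the error as well as the one in the URL.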





  • That worked for me and has fixed the issue, Thanks.

