Unable to Upgrade 2.4.3-p1 to 2.4.4



  • I noticed that the updated 2.4.4 was released a couple weeks back, and logging into my firewall as often as I do, I never noticed the update. My update panel kept saying it was up-to-date with 2.4.3-p1. I rebooted my pfSense and once it came back up, it finally showed an update to 2.4.4 was available. I ran through the upgrade, and it seemed to download and install everything fine, ended with a success message. Once it rebooted and came back up, it still reflects on the main page it is running 2.4.3-p1. Weird... So I ran the upgrade again and same process, reboots, still running 2.4.3-p1.

    When I run the following command: pkg info -x pfSense I get this output:

    pfSense-2.4.3_1
    pfSense-Status_Monitoring-1.7.6
    pfSense-base-2.4.3_1
    pfSense-default-config-2.4.3_1
    pfSense-kernel-pfSense-2.4.3_1
    pfSense-rc-2.4.3_1
    pfSense-repo-2.4.4
    pfSense-upgrade-0.59
    php56-pfSense-module-0.61
    

    But when I run this command: cat /usr/local/etc/pkg/repos/pfSense.conf I get the following output:

    FreeBSD: { enabled: no }
    
    pfSense-core: {
      url: "pkg+https://pkg.pfsense.org/pfSense_v2_4_4_amd64-core",
      mirror_type: "srv",
      signature_type: "fingerprints",
      fingerprints: "/usr/local/share/pfSense/keys/pkg",
      enabled: yes
    }
    
    pfSense: {
      url: "pkg+https://pkg.pfsense.org/pfSense_v2_4_4_amd64-pfSense_v2_4_4",
      mirror_type: "srv",
      signature_type: "fingerprints",
      fingerprints: "/usr/local/share/pfSense/keys/pkg",
      enabled: yes
    }
    

    Anytime I try to run the update in the console menu, I get the following:

    >>> Updating repositories metadata...
    Updating pfSense-core repository catalogue...
    pkg-static: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory
    Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
    12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
    12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    pkg-static: https://pkg.pfsense.org/pfSense_v2_4_4_amd64-core/meta.txz: Authentication error
    repository pfSense-core has no meta file, using default settings
    Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
    12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
    12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    pkg-static: https://pkg.pfsense.org/pfSense_v2_4_4_amd64-core/packagesite.txz: Authentication error
    Unable to update repository pfSense-core
    Updating pfSense repository catalogue...
    pkg-static: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory
    Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
    12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
    12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    pkg-static: https://pkg.pfsense.org/pfSense_v2_4_4_amd64-pfSense_v2_4_4/meta.txz: Authentication error
    repository pfSense has no meta file, using default settings
    Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
    12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
    12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    pkg-static: https://pkg.pfsense.org/pfSense_v2_4_4_amd64-pfSense_v2_4_4/packagesite.txz: Authentication error
    Unable to update repository pfSense
    Error updating repositories!
    

    I'm not sure where to go from here. I get the same results when I run the recommended code from Netgate to clear out the cache:
    pkg-static clean -ay; pkg-static install -fy pkg pfSense-repo pfSense-upgrade

    Any ideas? Thanks!


  • Rebel Alliance Developer Netgate

    You have some kind of proxy between your firewall and the update servers and it's blocking you, intercepting the SSL connection and inserting its own certificate.



  • @jimp said in Unable to Upgrade 2.4.3-p1 to 2.4.4:

    You have some kind of proxy between your firewall and the update servers and it's blocking you, intercepting the SSL connection and inserting its own certificate.

    I do not utilize any type of proxy. The closest I use is an OpenVPN server and client. I do not have the client pull routes either; I selectively assign certain traffic to go out that VPN. I just tried to disable the client and update again, but it has the same output. The server I run is just a Remote Access (SSL/TLS + auth).


  • Rebel Alliance Developer Netgate

    @mrxirtam said in Unable to Upgrade 2.4.3-p1 to 2.4.4:

    Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
    12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:

    That means somewhere ahead of you is a Cisco device intercepting your SSL. The Netgate servers do not have anything that would use that certificate. It isn't coming from here, or the firewall itself.



  • Ah ha. Figured it out. I figured it was some kind of Cisco device when I saw those in the error messages, but I do not have any Cisco equipment in the slightest. I do, however, have OpenDNS servers put in and that is where the interception was happening. Once I pointed them to 8.8.8.8, upgrade happened and after reboot, it now shows on 2.4.4.

    Thanks for your input on this!
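
The diagnosis in this thread hinged on reading the certificate subject out of the `pkg-static` errors. The following is an added example, not part of the original thread, that summarises saved console output the same way; the function names and the expected-CA pattern passed to `unexpected_subjects` are assumptions, and the sample input is an abridged copy of the log in the first post.

```shell
#!/bin/sh
# Added example (not from the thread): summarise certificate verification
# failures in saved pkg-static console output.

# Abridged copy of the console output from the first post (one repository).
sample_log() {
cat <<'EOF'
>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
pkg-static: https://pkg.pfsense.org/pfSense_v2_4_4_amd64-core/meta.txz: Authentication error
Unable to update repository pfSense-core
EOF
}

# Print "count<TAB>subject" for each certificate subject that failed verification.
rejected_subjects() {
  awk '/^Certificate verification failed for / {
         sub(/^Certificate verification failed for /, ""); n[$0]++
       }
       END { for (s in n) printf "%d\t%s\n", n[s], s }' | sort
}

# Print each host whose fetch ended in "Authentication error".
failed_hosts() {
  awk -F/ '/^pkg-static: https:\/\/.*: Authentication error$/ { h[$3] = 1 }
           END { for (x in h) print x }' | sort
}

# List rejected subjects that do NOT match the extended regex in $1, which
# describes the CA names the operator expects (an assumption: the thread
# never names the genuine issuer). Exit status 0 means at least one
# unexpected subject was found, 1 means none.
unexpected_subjects() {
  rejected_subjects | cut -f2- | grep -v -E -- "$1"
}
```

A subject naming a filtering or inspection product, on a host that also shows "Authentication error", means the TLS session ended somewhere other than the package server.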