Unable to Upgrade 2.4.3-p1 to 2.4.4



  • I noticed that the updated 2.4.4 was released a couple weeks back, and logging into my firewall as often as I do, I never noticed the update. My update panel kept saying it was up-to-date with 2.4.3-p1. I rebooted my pfSense and once it came back up, it finally showed an update to 2.4.4 was available. I ran through the upgrade, and it seemed to download and install everything fine, ended with a success message. Once it rebooted and came back up, it still reflects on the main page it is running 2.4.3-p1. Weird... So I ran the upgrade again and same process, reboots, still running 2.4.3-p1.

    When I run the following command: pkg info -x pfSense I get this output:

    pfSense-2.4.3_1
    pfSense-Status_Monitoring-1.7.6
    pfSense-base-2.4.3_1
    pfSense-default-config-2.4.3_1
    pfSense-kernel-pfSense-2.4.3_1
    pfSense-rc-2.4.3_1
    pfSense-repo-2.4.4
    pfSense-upgrade-0.59
    php56-pfSense-module-0.61
    

    But when I run this command: cat /usr/local/etc/pkg/repos/pfSense.conf I get the following output:

    FreeBSD: { enabled: no }
    
    pfSense-core: {
      url: "pkg+https://pkg.pfsense.org/pfSense_v2_4_4_amd64-core",
      mirror_type: "srv",
      signature_type: "fingerprints",
      fingerprints: "/usr/local/share/pfSense/keys/pkg",
      enabled: yes
    }
    
    pfSense: {
      url: "pkg+https://pkg.pfsense.org/pfSense_v2_4_4_amd64-pfSense_v2_4_4",
      mirror_type: "srv",
      signature_type: "fingerprints",
      fingerprints: "/usr/local/share/pfSense/keys/pkg",
      enabled: yes
    }
    

    Anytime I try to run the update in the console menu, I get the following:

    >>> Updating repositories metadata...
    Updating pfSense-core repository catalogue...
    pkg-static: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory
    Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
    12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
    12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    pkg-static: https://pkg.pfsense.org/pfSense_v2_4_4_amd64-core/meta.txz: Authentication error
    repository pfSense-core has no meta file, using default settings
    Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
    12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
    12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    pkg-static: https://pkg.pfsense.org/pfSense_v2_4_4_amd64-core/packagesite.txz: Authentication error
    Unable to update repository pfSense-core
    Updating pfSense repository catalogue...
    pkg-static: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory
    Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
    12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
    12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    pkg-static: https://pkg.pfsense.org/pfSense_v2_4_4_amd64-pfSense_v2_4_4/meta.txz: Authentication error
    repository pfSense has no meta file, using default settings
    Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
    12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
    12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
    pkg-static: https://pkg.pfsense.org/pfSense_v2_4_4_amd64-pfSense_v2_4_4/packagesite.txz: Authentication error
    Unable to update repository pfSense
    Error updating repositories!
    

    I'm not sure where to go from here. I get the same results when I run the recommended code from Netgate to clear out the cache:
    pkg-static clean -ay; pkg-static install -fy pkg pfSense-repo pfSense-upgrade

    Any ideas? Thanks!


  • Rebel Alliance Developer Netgate

    You have some kind of proxy between your firewall and the update servers and it's blocking you, intercepting the SSL connection and inserting its own certificate.



  • @jimp said in Unable to Upgrade 2.4.3-p1 to 2.4.4:

    You have some kind of proxy between your firewall and the update servers and it's blocking you, intercepting the SSL connection and inserting its own certificate.

    I do not utilize any type of proxy. The closest I use is an OpenVPN server and client. The client I use I do not have it pull routes either, I selectively assign certain traffic to go out that VPN. I just tried to disable the client and update again, but it has the same output. The server I run is just a Remote Access (SSL/TLS + auth).


  • Rebel Alliance Developer Netgate

    @mrxirtam said in Unable to Upgrade 2.4.3-p1 to 2.4.4:

    Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
    12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:

    That means somewhere ahead of you is a Cisco device intercepting your SSL. The Netgate servers do not have anything that would use that certificate. It isn't coming from here, or the firewall itself.



  • Ah ha. Figured it out. I figured it was some kind of Cisco device when I saw those in the error messages, but I do not have any Cisco equipment in the slightest. I do, however, have OpenDNS servers put in and that is where the interception was happening. Once I pointed them to 8.8.8.8, upgrade happened and after reboot, it now shows on 2.4.4.

    Thanks for your input on this!
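
Added example (not part of the thread and not pfSense code): a small parser for the `pkg-static` output quoted in the first post that ties each failed repository fetch to the certificate name that failed verification. `SAMPLE` is abridged from that output, and the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: abridged from the console output in the first post.
SAMPLE = """\
Updating pfSense-core repository catalogue...
Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg-static: https://pkg.pfsense.org/pfSense_v2_4_4_amd64-core/meta.txz: Authentication error
Updating pfSense repository catalogue...
Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
pkg-static: https://pkg.pfsense.org/pfSense_v2_4_4_amd64-pfSense_v2_4_4/packagesite.txz: Authentication error
Unable to update repository pfSense
"""

VERIFY_RE = re.compile(r"^Certificate verification failed for (/.+)$")
AUTH_RE = re.compile(r"^pkg-static: (https://([^/\s]+)/\S+): Authentication error$")

def parse_dn(dn):
    """Split a one-line name like '/CN=x/O=y' into a dict (assumes no '/' inside values)."""
    return dict(p.split("=", 1) for p in dn.strip("/").split("/") if "=" in p)

def summarize(output):
    """Per host whose fetch failed: the names that failed verification just before it."""
    pending, by_host = Counter(), defaultdict(Counter)
    for line in output.splitlines():
        line = line.strip()
        m = VERIFY_RE.match(line)
        if m:
            pending[m.group(1)] += 1      # remember until the fetch result line
            continue
        m = AUTH_RE.match(line)
        if m:
            by_host[m.group(2)].update(pending)
            pending.clear()
    return {host: dict(names) for host, names in by_host.items()}

def suspects(output):
    """Sorted (host, organisation, common name, count) rows for review."""
    rows = []
    for host, names in sorted(summarize(output).items()):
        for dn, count in sorted(names.items()):
            name = parse_dn(dn)
            rows.append((host, name.get("O", "?"), name.get("CN", "?"), count))
    return rows

if __name__ == "__main__":
    for row in suspects(SAMPLE):
        print("%s: certificate O=%s CN=%s failed verification %d time(s)" % row)
```

When the name reported for the repository host does not belong to the repository operator, as here, the TLS session ended at some other party; in this thread that was the filtering DNS service.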



  • Cheers had the same issue using Cloudflare 1.1.1.1.


  • LAYER 8 Moderator

    @walchst said in Unable to Upgrade 2.4.3-p1 to 2.4.4:

    Cheers had the same issue using Cloudflare 1.1.1.1.

    Huh? You want to say that CF's 1.1.1.1 and 1.0.0.1 intercepted your SSL, broke it up and handed you a bad certificate error while contacting the Netgate PKG repositories? I can hardly believe that statement, as I'm running several production and live setups with CF nameservers as fallback/default for pfSense itself and have never ever seen this. OpenDNS makes sense, as their offer is to filter your DNS with your setup. But CF doesn't filter their public DNS, to my knowledge!

