Unable to Upgrade 2.4.3-p1 to 2.4.4
-
I noticed that the updated 2.4.4 was released a couple weeks back, and logging into my firewall as often as I do, I never noticed the update. My update panel kept saying it was up-to-date with 2.4.3-p1. I rebooted my pfSense and once it came back up, it finally showed an update to 2.4.4 was available. I ran through the upgrade, and it seemed to download and install everything fine, ended with a success message. Once it rebooted and came back up, it still reflects on the main page it is running 2.4.3-p1. Weird... So I ran the upgrade again and same process, reboots, still running 2.4.3-p1.
When I run the following command:
pkg info -x pfSense
I get this output:
pfSense-2.4.3_1
pfSense-Status_Monitoring-1.7.6
pfSense-base-2.4.3_1
pfSense-default-config-2.4.3_1
pfSense-kernel-pfSense-2.4.3_1
pfSense-rc-2.4.3_1
pfSense-repo-2.4.4
pfSense-upgrade-0.59
php56-pfSense-module-0.61
But when I run this command:
cat /usr/local/etc/pkg/repos/pfSense.conf
I get the following output:
FreeBSD: { enabled: no }
pfSense-core: {
  url: "pkg+https://pkg.pfsense.org/pfSense_v2_4_4_amd64-core",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/local/share/pfSense/keys/pkg",
  enabled: yes
}
pfSense: {
  url: "pkg+https://pkg.pfsense.org/pfSense_v2_4_4_amd64-pfSense_v2_4_4",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/local/share/pfSense/keys/pkg",
  enabled: yes
}
Anytime I try to run the update in the console menu, I get the following:
>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
pkg-static: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory
Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg-static: https://pkg.pfsense.org/pfSense_v2_4_4_amd64-core/meta.txz: Authentication error
repository pfSense-core has no meta file, using default settings
Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg-static: https://pkg.pfsense.org/pfSense_v2_4_4_amd64-core/packagesite.txz: Authentication error
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg-static: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory
Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg-static: https://pkg.pfsense.org/pfSense_v2_4_4_amd64-pfSense_v2_4_4/meta.txz: Authentication error
repository pfSense has no meta file, using default settings
Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg-static: https://pkg.pfsense.org/pfSense_v2_4_4_amd64-pfSense_v2_4_4/packagesite.txz: Authentication error
Unable to update repository pfSense
Error updating repositories!
I'm not sure where to go from here. I get the same results when I run the recommended code from NetGate to clear out the cache:
pkg-static clean -ay; pkg-static install -fy pkg pfSense-repo pfSense-upgrade
Any ideas? Thanks!
-
You have some kind of proxy between your firewall and the update servers and it's blocking you, intercepting the SSL connection and inserting its own certificate.
-
@jimp said in Unable to Upgrade 2.4.3-p1 to 2.4.4:
You have some kind of proxy between your firewall and the update servers and it's blocking you, intercepting the SSL connection and inserting its own certificate.
I do not utilize any type of proxy. The closest I use is an OpenVPN server and client. The client I use I do not have it pull routes either, I selectively assign certain traffic to go out that VPN. I just tried to disable the client and update again, but it has the same output. The server I run is just a Remote Access (SSL/TLS + auth).
-
@mrxirtam said in Unable to Upgrade 2.4.3-p1 to 2.4.4:
Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
That means somewhere ahead of you is a Cisco device intercepting your SSL. The Netgate servers do not have anything that would use that certificate. It isn't coming from here, or the firewall itself.
-
Ah ha. Figured it out. I figured it was some kind of Cisco device when I saw those in the error messages, but I do not have any Cisco equipment in the slightest. I do, however, have OpenDNS servers put in and that is where the interception was happening. Once I pointed them to 8.8.8.8, upgrade happened and after reboot, it now shows on 2.4.4.
Thanks for your input on this!
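
The diagnosis in this thread came from reading the certificate subject out of the pkg-static errors. As an added example (not part of any post, and not Netgate's tooling), this POSIX sh script pulls that subject and the affected repository host out of saved console output; the function names and the sample input are constructed here, and served_cert is an optional live check that assumes openssl is installed.

```sh
#!/bin/sh
# Added example (not from the thread): summarize TLS failures in `pkg-static update` output.

# Constructed sample: four lines copied from the console output quoted in this thread.
SAMPLE_LOG='Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
12541912:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_4_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /CN=Cisco Umbrella Primary SubCA/O=Cisco
pkg-static: https://pkg.pfsense.org/pfSense_v2_4_4_amd64-core/meta.txz: Authentication error'

# Distinct certificate subjects that failed verification, one per line (reads stdin).
rejected_subjects() {
    sed -n 's|^.*Certificate verification failed for \(/.*\)$|\1|p' | sort -u
}

# Host names of the repository URLs that pkg-static gave up on (reads stdin).
failed_hosts() {
    sed -n 's|^pkg-static: https://\([^/]*\)/.*: Authentication error.*$|\1|p' | sort -u
}

# Pull the CN component out of a one-line subject such as /CN=foo/O=bar.
subject_cn() {
    printf '%s\n' "$1" | sed -n 's|^.*/CN=\([^/]*\).*$|\1|p'
}

# One line per (host, subject) pair: which certificate answered for which repository host.
summarize() {
    log=$(cat)
    hosts=$(printf '%s\n' "$log" | failed_hosts)
    printf '%s\n' "$log" | rejected_subjects | while IFS= read -r subj; do
        for h in $hosts; do
            printf '%s: verification failed at certificate "%s"\n' "$h" "$(subject_cn "$subj")"
        done
    done
}

# Optional live check (needs network and openssl): show the certificate actually served.
served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer
}

# Run the summary over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize
```

A subject that does not belong to the repository operator, as in the sample, points at something on the path (here a filtering DNS service) answering in place of the real server.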
-
Cheers, had the same issue using Cloudflare 1.1.1.1.
-
@walchst said in Unable to Upgrade 2.4.3-p1 to 2.4.4:
Cheers, had the same issue using Cloudflare 1.1.1.1.
Huh? You want to say that CF's 1.1.1.1 and 1.0.0.1 intercepted your SSL, broke it up and handed you a bad certificate error while contacting the Netgate pkg repositories? I can hardly believe that statement, as I'm running several production and live setups with CF nameservers as fallback/default for pfSense itself and never ever have I seen this. OpenDNS makes sense, as their offer is to filter your DNS with your setup. But CF doesn't filter their public DNS, to my knowledge!