Solved - Upgrading from 2.6.0 to Plus - Unable to check for updates

bingo600

Thanx ... Didn't even occur to me to try the console

But now i did , and see the same as you


 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) PHP shell + pfSense tools
 4) Reset to factory defaults         13) Update from console
 5) Reboot system                     14) Disable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell

Enter an option: 13

>>> Updating repositories metadata... 
Updating pfSense-core repository catalogue...
Could not load client certificate /etc/ssl/pfSense-repo-custom.cert
Could not load client certificate /etc/ssl/pfSense-repo-custom.cert
Could not load client certificate /etc/ssl/pfSense-repo-custom.cert
Could not load client certificate /etc/ssl/pfSense-repo-custom.cert
pkg-static: https://pfsense-plus-pkg00.netgate.com/pfSense_plus-v22_01_amd64-core/meta.txz: Authentication error
repository pfSense-core has no meta file, using default settings
Could not load client certificate /etc/ssl/pfSense-repo-custom.cert
Could not load client certificate /etc/ssl/pfSense-repo-custom.cert
pkg-static: https://pfsense-plus-pkg00.netgate.com/pfSense_plus-v22_01_amd64-core/packagesite.pkg: Authentication error
Could not load client certificate /etc/ssl/pfSense-repo-custom.cert
Could not load client certificate /etc/ssl/pfSense-repo-custom.cert
pkg-static: https://pfsense-plus-pkg00.netgate.com/pfSense_plus-v22_01_amd64-core/packagesite.txz: Authentication error
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
Could not load client certificate /etc/ssl/pfSense-repo-custom.cert
Could not load client certificate /etc/ssl/pfSense-repo-custom.cert
Could not load client certificate /etc/ssl/pfSense-repo-custom.cert
Could not load client certificate /etc/ssl/pfSense-repo-custom.cert
pkg-static: https://pfsense-plus-pkg00.netgate.com/pfSense_plus-v22_01_amd64-pfSense_plus_v22_01//meta.txz: Authentication error
repository pfSense has no meta file, using default settings
Could not load client certificate /etc/ssl/pfSense-repo-custom.cert
Could not load client certificate /etc/ssl/pfSense-repo-custom.cert
pkg-static: https://pfsense-plus-pkg00.netgate.com/pfSense_plus-v22_01_amd64-pfSense_plus_v22_01//packagesite.pkg: Authentication error
Could not load client certificate /etc/ssl/pfSense-repo-custom.cert
Could not load client certificate /etc/ssl/pfSense-repo-custom.cert
pkg-static: https://pfsense-plus-pkg00.netgate.com/pfSense_plus-v22_01_amd64-pfSense_plus_v22_01//packagesite.txz: Authentication error
Unable to update repository pfSense
Error updating repositories!
ERROR: Unable to compare version of pfSense-repo

/Bingo

rcoleman-netgate

@bingo600 You should be able to do this now -- we have been working on this on the backend to track down the issue and I think we may have taken care of it.

Please let me know.

bingo600

@rcoleman-netgate

Sorry . It was ZZzzzz time in EU land

I just tried again , now it can see the repos

Currently doing an upgrade via ssh console (13)

Success ...

Thank you for the support

Now it reports:

/Bingo

zachtywebb

@rcoleman-netgate

I am having a similar issue trying to update from 2.5.2 to 2.6.0.

I show "Version 2.6.0 is available" on the dashboard.

But, when I go to the updates page I get "Unable to check for updates".

jonlecroy

I'm seeing this problem as initially reported - 2.6.0 update checks succeed, but when changing the branch to Plus the update fails.

Seeing this from the console - looks like cert errors connecting to ntop repo:

[2.6.0-RELEASE][user@host]/home/jon: sudo pfSense-upgrade -d -c
>>> Updating repositories metadata...
Updating ntop repository catalogue...
ntop repository is up to date.
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Your system is up to date

//Change branch in UI from 2.6.0 to Plus

[2.6.0-RELEASE][user@host]/home/jon: sudo pfSense-upgrade -d -c
>>> Updating repositories metadata...
Updating ntop repository catalogue...
Certificate verification failed for /C=US/O=Internet Security Research Group/CN=ISRG Root X1
34369339392:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-build-release-tarballs/BUILD_NODE/pkg-amd64-ce/OS_MAJOR_VERSION/freebsd12/PLATFORM/aws/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /C=US/O=Internet Security Research Group/CN=ISRG Root X1
34369339392:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-build-release-tarballs/BUILD_NODE/pkg-amd64-ce/OS_MAJOR_VERSION/freebsd12/PLATFORM/aws/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /C=US/O=Internet Security Research Group/CN=ISRG Root X1
34369339392:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-build-release-tarballs/BUILD_NODE/pkg-amd64-ce/OS_MAJOR_VERSION/freebsd12/PLATFORM/aws/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /C=US/O=Internet Security Research Group/CN=ISRG Root X1
34369339392:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-build-release-tarballs/BUILD_NODE/pkg-amd64-ce/OS_MAJOR_VERSION/freebsd12/PLATFORM/aws/crypto/openssl/ssl/statem/statem_clnt.c:1916:
pkg-static: https://packages.ntop.org/FreeBSD/FreeBSD:12:amd64/latest/meta.txz: Authentication error
repository ntop has no meta file, using default settings
Certificate verification failed for /C=US/O=Internet Security Research Group/CN=ISRG Root X1
34369339392:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-build-release-tarballs/BUILD_NODE/pkg-amd64-ce/OS_MAJOR_VERSION/freebsd12/PLATFORM/aws/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /C=US/O=Internet Security Research Group/CN=ISRG Root X1
34369339392:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-build-release-tarballs/BUILD_NODE/pkg-amd64-ce/OS_MAJOR_VERSION/freebsd12/PLATFORM/aws/crypto/openssl/ssl/statem/statem_clnt.c:1916:
pkg-static: https://packages.ntop.org/FreeBSD/FreeBSD:12:amd64/latest/packagesite.pkg: Authentication error
Certificate verification failed for /C=US/O=Internet Security Research Group/CN=ISRG Root X1
34369339392:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-build-release-tarballs/BUILD_NODE/pkg-amd64-ce/OS_MAJOR_VERSION/freebsd12/PLATFORM/aws/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /C=US/O=Internet Security Research Group/CN=ISRG Root X1
34369339392:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-build-release-tarballs/BUILD_NODE/pkg-amd64-ce/OS_MAJOR_VERSION/freebsd12/PLATFORM/aws/crypto/openssl/ssl/statem/statem_clnt.c:1916:
pkg-static: https://packages.ntop.org/FreeBSD/FreeBSD:12:amd64/latest/packagesite.txz: Authentication error
Unable to update repository ntop
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
Error updating repositories!
ERROR: Unable to compare version of pfSense-repo

Traveller

@zachtywebb Trying to do exactly the same thing with exactly the same issue.

zachtywebb

@traveller Guess at least I'm not alone...

Traveller

@zachtywebb A post in another thread suggested checking Perfer IPv4 under System->Advanced->Networking.

This allowed me to proceed with my upgrade.

zachtywebb

@traveller Thanks! Will give that a go next time I have a window where internet can be down.

Traveller

@zachtywebb Good luck
I'm doing the upgrade now as I finally have time when I don't need to connect to work, and my wife is away for the weekend.

jonlecroy

@traveller Thanks for the tip - didn't resolve for me (prefer was already checked, disabled ipv6 temporarily to see if that would help, it didn't.)

revengineer

The issue persists and @Traveller provided the temporary solution. Thank you!

zachtywebb

I was able to successfully upgrade from 2.5.2 to 2.6.0 to 22.01 last night without needing to set the prefer IPv4 option. Looks like whatever was going on has been fixed.

jonlecroy

I'm still seeing the problem. If the service side has changed/fixed is there a cache to clear somewhere?

Specifically - still seeing ntop repo SSL validation errors. Pasting the upgrade command output is causing spam errors here :(

A Former User

@traveller Thanks for the advice about preferring IPv4 when IPv6 is enabled I think it is ews.netgate.com that only has an IPv4 address, I also got the following errors when IPv6 was preferred so it looks like a certificate issue as well.

Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.netgate.com
34369339392:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-build-release-tarballs/BUILD_NODE/pkg-amd64-ce/OS_MAJOR_VERSION/freebsd12/PLATFORM/aws/crypto/openssl/ssl/statem/statem_clnt.c:1916:
Certificate verification failed for /C=US/ST=Texas/L=Austin/O=Rubicon Communications, LLC (Netgate)/OU=pfSense Plus/CN=pfsense-plus-pkg00.netgate.com
34369339392:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-build-release-tarballs/BUILD_NODE/pkg-amd64-ce/OS_MAJOR_VERSION/freebsd12/PLATFORM/aws/crypto/openssl/ssl/statem/statem_clnt.c:1916:

jonlecroy

This fixes the issue if the cert errors are for the ntop repo: https://www.yinfor.com/2022/02/upgrade-pfsense-from-the-community-edition-to-pfsense-plus.html

A Former User

@jonlecroy

I have checked my pfsense install and do not have ntop installed. I am however using IPv6 in a dual stack environment and when I checked my internal DNS server which is used for all DNS queries I noticed that while most DNS queries for A and AAAA records do succceed unfortunately some do not. So if Prefer IPv4 is not selected the upgrade checking process fails, enable it and the Upgrade check works. I have been using dual stack IPv6 for 7 years now, hopefully now this IPv6 issue is highlighted the supporting infrastructure can be updated so Upgrade Check/Upgrade it works correctly

tohil

Hi all

I have the same issue on a fresh 2.6.0 install, which was on 22.01 before. I've reinstalled to get the box to zfs.

I've started this thread thread

any suggestions?

dpseattle

This worked yesterday (April 21) however was not able to run the upgrade from 2.6 to plus. today, getting error:

Retrieving Unable to check for updates

Tried all the suggestions above. No joy. Could someone look at the upgrade server endpoints if there was a change blocking?

Thanks!

tohil

@dpseattle
I had to copy cert files from a running box to the installation with issues and then it worked...

/etc/ssl
-rw-r--r--   1 root  wheel   7544 Feb 15 16:54 pfSense-repo-custom.cert
-rw-------   1 root  wheel   3242 Feb 15 16:54 pfSense-repo-custom.key