Upgrade pfsense CE 2.7.0 to 2.7.1
-
Hello
I have updated my instance of pfSense a few hours ago. It appears that all is working fine now, but I detected that during the upgrade my pfSense VM ran out of memory. And I have a good amount of memory dedicated to it. Maybe on smaller appliances it just isn't able to finish the upgrade process.
-
@pfsense2023 Just a warning, did the upgrade and it killed my wireguard tunnels and my chelsio 10G card.
Noticed it upgraded the chelsio firmware, might be related to that, as for the wireguard, looking into it now. -
This post is deleted! -
@pfsense2023 Interesting observation on memory... I have always had issues with 'upgrading' and usually swap out my configured ssd with a new one and proceed that way. Apply my backup and watch it not install everything, and have to import my settings a second time to have it actually complete installing all the packages. This is the first time ever that I clicked 'update' and it did it and I didn't have to manually reinstall anything, import my settings again or manually set my NIC/VLAN order. I was using a Qotom with 8gigs ram before, now I have a new box with 16gigs (try and find two 4 gig sticks of sodims that isn't about the same price as 2 8gig sodims these days...). Very possible that it takes more to install and configure than it does to run it.
Smoothest update I ever did... thankfully, as I was running it as an upgrade on my existing 2.7 (felt like living dangerously as I didn't have another NVME handy to swap in.)
-
@stephenkwabena same here
-
@coldfire7 With all these 2.7.1 issues being reported, I'm going to leave well enough alone and forgo this update for the time being. 2.7.0 is working just fine as-is anyways. Newer isn't always better...
-
@stephenkwabena
https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#troubleshooting
“Due to changes in pkg, the new version of pkg may not be able to properly locate and use the CA trust store when running on the previous version before upgrading.If the firewall is unable to load packages or check for updates after selecting the CE 2.7.1 upgrade branch, run certctl rehash from the console, a root shell prompt, or via Diagnostics > Command Prompt. This will allow pkg to utilize the system certificates until the next reboot.”
-
@SteveITS said in Upgrade pfsense CE 2.7.0 to 2.7.1:
@stephenkwabena
https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#troubleshooting
“Due to changes in pkg, the new version of pkg may not be able to properly locate and use the CA trust store when running on the previous version before upgrading.If the firewall is unable to load packages or check for updates after selecting the CE 2.7.1 upgrade branch, run certctl rehash from the console, a root shell prompt, or via Diagnostics > Command Prompt. This will allow pkg to utilize the system certificates until the next reboot.”
Thanks...this worked
-
@ersterhernd I guess I'll do the same. No internet after upgrading to 2.7.1-ce (3.5 hrs upgrade time). I reverted back to 2.7.0.
-
@coldfire7 were you using VLANs or anything? For some reason I had no internet access or GUI access after trying to restore a Plus 23.05.1 backup to either 2.7.0 or 2.7.1 configuration.
However whenever I at least completed the basic setup to return the base LAN to it's original IP range, as opposed to the 192.168.1.X defaults, then that segment of the network began working. Unfortunately my VLAN for IoT is not working at all though so I'm going to have to redo my network I fear from the Plus to CE migration conflicts.
-
-
@Zaf9670 No VLAN, but I have multiple WANs and I can access the GUI.
-
I had error, too.
i had a message in frontend: update available. installed and rebooted.
after this, version was still 2.7.0 and repo was 2.7.1 under update.
Update check allays says (repo 2.70 and 2.71) i am up to date and 2.7.0 is installed
after this i have looked into packages available --> no packages.I have found post, i should run
pkg update
elf.so.1: Shared object "libssl.so.30" not found, required by "pkg"
pkg-static:
An error occured while fetching package
searched for the errors and i runpkg-static bootstrap -f
Installed a newer version than kernel
after thispfSense-upgrade -d
runs the update to 2.7.1 with success. now packages are available to.
Seems to be a broken update routine. no other error occurs
-
This post is deleted! -
None of my secondary HA machines can see the update and rehashing the certificates doesn't help.
I am wondering if it has something to do with my policy routing? So what is the URL for the update server so I can run a test with my alias list? I suppose I can just temporarily disable the policy routing rule on my secondary server, but to fix the problem I would need that URL. ... I just realized that it would have to be done on my primary server I think.
-
@stephenkwabena said in Upgrade pfsense CE 2.7.0 to 2.7.1:
certctl rehash
This worked for us. Thank you.
-
@SteveITS said in Upgrade pfsense CE 2.7.0 to 2.7.1:
@stephenkwabena
https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#troubleshooting
“Due to changes in pkg, the new version of pkg may not be able to properly locate and use the CA trust store when running on the previous version before upgrading.If the firewall is unable to load packages or check for updates after selecting the CE 2.7.1 upgrade branch, run certctl rehash from the console, a root shell prompt, or via Diagnostics > Command Prompt. This will allow pkg to utilize the system certificates until the next reboot.”
Monday Afternoon I noticed another "Wrinkle" within my attempts for at upgrading/package installs (within various pfSense CE/Plus Instances, both Real and Virtual):
Attempts to upgrade pkg-1.20.8_1 to pkg-1.20.8_2 were FAILING!!!Later in the Day Netgate released pkg-1.20.8_3, which appears to have "Fixed" this "CA trust store" Issue???
Now I find CE 2.7.0 is NOT as "Useful", without running running "certctl rehash" from the console, a root shell prompt, or via Diagnostics > Command Prompt: Otherwise Access to Updates and/or Packages are NOT be possible (even though pfSense might still be running well)!!! NOTE: "certctl rehash" is "Temporary" and has to run following a Boot/Reboot!!!
Therefore running "certctl rehash" (if required) and upgrading CE 2.7.0 to CE 2.7.1 might be the "Better" Option???
-
This post is deleted! -
@LHoust said in Upgrade pfsense CE 2.7.0 to 2.7.1:
Now I find CE 2.7.0 is NOT as "Useful", without running running "certctl rehash" from the console, a root shell prompt, or via Diagnostics > Command Prompt: Otherwise Access to Updates and/or Packages are NOT be possible (even though pfSense might still be running well)!!! NOTE: "certctl rehash" is "Temporary" and has to run following a Boot/Reboot!!!
If you want to remain on 2.7.0 and have pulled in the newer pkg version you will need to set the repo back to 2.7.0 then rehash the certs and force upgrade pkg back to the version from that:
1.19.1_2
.Then you should be able to pull in other pkgs and will not need to rehash certs again.
-
@reberhar I was able to do the updates by putting the primary server on standby and, when the secondary server was acting as primary server, I could do and did updates to these units as well.
I did make the mistake of trying to do updates of packages from the package manager without doing the system update first, notably NUT. I did set the system back to 2.7.0 to fix that. All the package updates came with the system update, again, including the NUT 2.8.2, which I wanted because of problems with NUT and Cyberpower. It is early, but things seem better now.
-
If only the primary nodes can see the package servers that's often a sign that the outbound NAT rules are over-matching and translating traffic from the firewall itself to the CARP VIP. That breaks connectivity for the the backup node.