Downgrade NUT package vs. remote upgrade of pfSense CE

RyanM

Ok, so I think I know what I did. I have a remote pfSense CE router running 2.7.0. I haven't ugpraded it yet, because it is in another state and I won't be back there until May or June of next year. I was planning to upgrade it then and do a few other things (like looking at moving from OpenVPN to Tailscale).

Regardless, I foolishly last night went into the package manager and saw an update for the NUT package to 2.8.2. I think I had 2.8.0_2 before. The upgrade showed some errors about untrusted SSL certificates. I suspect this is because I haven't upgraded pfSense to 2.7.2, which has newer OpenSSL (and newer CAs?).

Regardless, it means NUT won't start and so my TrueNAS server can't act on my UPS either.

I guess I am looking for guidance on 3 possible paths forward:

1. Remotely upgrade to 2.7.2, keeping in mind that if something goes wrong I won't have physical access to the device for another 5 months or so.
2. "Downgrade" NUT to 2.8.0_2, and hope it goes back to working the way it was.
3. Live with it as-is and fix it in 5 months when I am back there.

Thoughts?

dennypage

@RyanM said in Downgrade NUT package vs. remote upgrade of pfSense CE:

The upgrade showed some errors about untrusted SSL certificates. I suspect this is because I haven't upgraded pfSense to 2.7.2, which has newer OpenSSL

Yep. Packages built for the newer (current) versions of pfSense use a new version of OpenSSL (3.0) which is not present in the prior versions.

SteveITS

@RyanM The good news is the package install didn't break pfSense, since that can happen. Always set the update branch before installing packages (see my sig), however, I don't think 2.7.0 was even selectable anymore since it probably listed 2.7.1 and 2.7.2.

Is this a situation where you can ship a replacement for someone to plug in? (if things go wrong)

At the point that libraries are messed up a reinstall is cleanest...

Per https://redmine.pfsense.org/issues/10464 it's supposed to have been prevented/resolved in 2.7.1/23.09.

RyanM

@dennypage yeah, that is kind of what I figured.

@SteveITS, I do have a backup pfSense box there that someone could plug in if needed, but I am kind of inclined to just wait. Besides, I was lazy and didn't update the backup unit before leaving for the winter.

My router died a year or 2 ago while I was away for the winter, and it was kind of a mess. I couldn't do any of the remote monitoring of my home (water, cameras, thermostat, etc.). A non-technical friend went and did some limited investigation and I just had him ship the box to me. Turned out to be a bad board. I was able to get the board RMA'd, but I also ended up purchasing a replacement. I set it up where I was and then shipped it to my buddy who went to my house and plugged it in and turned it on. Thankfully the dynamic DNS all worked and I could identify the new IP and everything seemed to come back online.

So, I would like to save this option for if the router dies. Wouldn't be awesome because the replacement will have v2.6.x installed, but at least my stuff would work until I got home. I would hate to have to ask my buddy to ship units back and forth again unless it was absolutely dire. For the time being, I will just sit tight. Just wasn't sure if there was an easy way to "downgrade" NUT.

dennypage

@RyanM said in Downgrade NUT package vs. remote upgrade of pfSense CE:

Just wasn't sure if there was an easy way to "downgrade" NUT.

You could go into the old NUT support thread and grab one of the testing builds that was done earlier in the year. If you do, make sure you get the right arch... the amd64 version was in the February timeframe, and the arm version was a couple of months later.