certificate error while running pkg update 2024

badjoodani · Jan 12, 2024, 4:01 PM

Re: certificate error while running pkg update

While running
pkg-static -d update

I get the following:
DBG(1)[44343]> pkg initialized
Updating pfSense-core repository catalogue...
DBG(1)[44343]> PkgRepo: verifying update for pfSense-core
DBG(1)[44343]> PkgRepo: need forced update of pfSense-core
DBG(1)[44343]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense-core.sqlite'
DBG(1)[44343]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_7_2_amd64-core/meta.conf
DBG(1)[44343]> curl_open
DBG(1)[44343]> Fetch: fetcher used: pkg+https
DBG(1)[44343]> curl> fetching https://pkg.pfsense.org/pfSense_v2_7_2_amd64-core/meta.conf

DBG(1)[44343]> CURL> attempting to fetch from , left retry 3

Couldn't find host pkg00-atx.netgate.com in the .netrc file; using defaults
Trying 208.123.73.207:443...
Connected to pkg00-atx.netgate.com (208.123.73.207) port 443
ALPN: curl offers http/1.1
CAfile: none
CApath: /etc/ssl/certs/
SSL certificate problem: self-signed certificate in certificate chain
Closing connection
DBG(1)[44343]> CURL> attempting to fetch from , left retry 2
Couldn't find host pkg01-atx.netgate.com in the .netrc file; using defaults
Trying 208.123.73.209:443...
Connected to pkg01-atx.netgate.com (208.123.73.209) port 443
ALPN: curl offers http/1.1
CAfile: none
CApath: /etc/ssl/certs/
SSL certificate problem: self-signed certificate in certificate chain
Closing connection
DBG(1)[44343]> CURL> attempting to fetch from , left retry 1
Couldn't find host pkg00-atx.netgate.com in the .netrc file; using defaults
Hostname pkg00-atx.netgate.com was found in DNS cache
Trying 208.123.73.207:443...
Connected to pkg00-atx.netgate.com (208.123.73.207) port 443
ALPN: curl offers http/1.1
CAfile: none
CApath: /etc/ssl/certs/
SSL certificate problem: self-signed certificate in certificate chain
Closing connection
pkg-static: An error occured while fetching package
DBG(1)[44343]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_7_2_amd64-core/meta.txz
DBG(1)[44343]> curl_open
DBG(1)[44343]> Fetch: fetcher used: pkg+https
DBG(1)[44343]> curl> fetching https://pkg.pfsense.org/pfSense_v2_7_2_amd64-core/meta.txz

JUST in case I also tried:
pkg-static upgrade -f pfSense-repoc

and got:
Updating pfSense-core repository catalogue...
pkg-static: An error occured while fetching package
pkg-static: An error occured while fetching package
repository pfSense-core has no meta file, using default settings
pkg-static: An error occured while fetching package
pkg-static: An error occured while fetching package
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg-static: An error occured while fetching package
pkg-static: An error occured while fetching package
repository pfSense has no meta file, using default settings
pkg-static: An error occured while fetching package
pkg-static: An error occured while fetching package
Unable to update repository pfSense
Error updating repositories!

ANy and ALL help would be appreciated ( I have tried all 3 2.7.0, 2.7.1 and 2.7.2 ) and the gui web portal method doesn't work either.

stephenw10 · Jan 12, 2024, 4:45 PM

Run: certctl rehash Then check again.

badjoodani · Jan 12, 2024, 5:03 PM

@stephenw10

Thank You! THANK YOU!

, ran it and then re-ran:

pkg-static upgrade -f pfSense-repoc

And got:

Updating pfSense-core repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: . done
Processing entries: . done
pfSense-core repository update completed. 4 packages processed.
Updating pfSense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: ....... done
Processing entries:
Newer FreeBSD version for package voucher:
To ignore this error set IGNORE_OSVERSION=yes

package: 1400094
running kernel: 1400085
Ignore the mismatch and continue? [y/N]: pkg-static: repository pfSense contains packages for wrong OS version: FreeBSD:14:amd64
Processing entries... done
Unable to update repository pfSense
Error updating repositories!

Then CHecked the gui Web Panel for "update" and got UPDATES WORKING AGAIN!

badjoodani · Jan 12, 2024, 5:25 PM

@stephenw10

The following 1 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
pfSense-kernel-pfSense: 2.7.0 -> 2.7.2 [pfSense-core]

Number of packages to be upgraded: 1

The process will require 2 MiB more space.
[1/1] Upgrading pfSense-kernel-pfSense from 2.7.0 to 2.7.2...
[1/1] Extracting pfSense-kernel-pfSense-2.7.2: .......... done
===> Keeping a copy of current kernel in /boot/kernel.old

Removing unnecessary packages... done.
System is going to be upgraded. Rebooting in 10 seconds.
Success

...

Version 2.7.2-RELEASE (amd64)
built on Fri Dec 8 14:55:00 CST 2023
FreeBSD 14.0-CURRENT

The system is on the latest version.
Version information updated at Fri Jan 12 11:17:59 CST 2024

That did the trick!

tknospdr · Feb 19, 2025, 8:42 PM

@badjoodani said in certificate error while running pkg update 2024:

pkg-static -d update

Had the same issue, rehash fixed it for me.
Thanks! But I thought that the latest versions of pfsense did that automatically.

stephenw10 · Feb 20, 2025, 2:40 AM

@tknospdr said in certificate error while running pkg update 2024:

I thought that the latest versions of pfsense did that automatically.

They do! But if you're on 2.7.0 still it doesn't and the rehash may be required.

Also of note is that it only remains valid for one boot, which is why you might see 2.7.2 available and then not be able to upgrade to it.

tknospdr · Feb 20, 2025, 2:40 AM

@stephenw10

Ah ha, I was also being told that I was up to date on my pfSense install until I did this fix. Now it's showing me the 2.7.2 update is available.
Safe to do so or are there any gotcha's I should look out for?

stephenw10 · Feb 20, 2025, 5:26 AM

Should be good to upgrade from 2.7.0 to 2.7.2. Of course always backup the config first.

tknospdr · Feb 20, 2025, 1:39 PM

@stephenw10

Well I tried to upgrade one of my packages and got a 'new major PHP' error, so I went to run the system update and it's gone again.

The rehash is no longer working. I did that, then:

pkg-static -d update

And got a 'no repositories configured' error.

Gertjan · Feb 20, 2025, 1:47 PM

@tknospdr said in certificate error while running pkg update 2024:

Well I tried to upgrade one of my packages

You mean : you've upgraded to 2.7.2 and now you can't upgrade packages ?
That's a new issue then. But nothing really serious. Hundreds of thousands use 2.7.2 right now, and can update install packages just fine.

Or you still on 2.7.0 and tried to install or upgrade packages ? That's 'forbidden', you broke the law ^^ ( Well, you can try, but, as shown, if pfSense uses - example - PHP 8.1 and the packages uses (presumes) PHP 8.2 which is the latest version, it will also update your PHP from 8.1 to 8.2, and that will break the GUI, => break your entire pfSense )
You can only install / upgrade pfSense packages when you are using the latest OS, as packages present on the pfSense Netgate packages are build against the latest avaible FreeBSD OS, PHP version, etc etc.

See it like this : you have Windows 7 and you want to install 'Office 365' : you can't. First upgrade the OS to a supported level, and then do your shopping for programs.

tknospdr · Feb 20, 2025, 2:04 PM

@Gertjan

Yes, I did the second. If it’s gonna break that hard it should stop you, or at a minimum tell you it’s a ‘Really Bad Idea(tm).

So I tried rebooting and now the entire system is down. That seems like it’s a little too fragile a system if it’s that easy to hose the whole thing.

I’ll have to toss a monitor on it and see what’s going on.

stephenw10 · Feb 20, 2025, 2:07 PM

@tknospdr said in certificate error while running pkg update 2024:

Well I tried to upgrade one of my packages

Indeed, don't do that.

If you are seeing 2.7.2 available then you are also seeing packages from 2.7.2 and if you try to install one it may not be compatible with 2.7.0 Here it failed to install because the php version is different.

First thing to try is setting the branch again in the update settings.

tknospdr · Feb 20, 2025, 2:51 PM

Wow, I don't know what happened. Monitor is not seeing any video out from the pf box.
I'm a Mac guy, how do you boot into the bios thing? F2 or something right?

Gertjan · Feb 20, 2025, 3:03 PM

@tknospdr said in certificate error while running pkg update 2024:

or at a minimum tell you it’s a ‘Really Bad Idea(tm).

It's less then that : no hand holding, no pop-upss, just a simple

https://pfsense-docs.netlify.app/install/upgrade-guide#packages

if you can't update 2.7.2 because you are on the latest version, you can have a look at, and use the packet manager.

Things are better these days. In the early days, a simple packet upgrade without upgrading pfSense first could really break everything.
For some reason (what do I know ?) there is no version specific package update upgrade server.

patient0 · Feb 20, 2025, 3:04 PM

@tknospdr what kind of box is it?

If it's a box with HDMI, that often won't work if there was no monitor connected to it when you booted it up (reboot necessary with monitor connected and switched on). If you got a serial console then connect that.

stephenw10 · Feb 20, 2025, 3:11 PM

It shouldn't be possible to break the install by upgrading a pkg like that, I agree.

From 23.09 onwards the new pkg branches are opt-in only to prevent that happening.

tknospdr · Feb 20, 2025, 4:48 PM

My hardware wasn't actually shutting down by holding the button. I pulled the plug and restarted and then it booted to a screen with a yellow "SHELL>" prompt.

So I downloaded the 2.7.2 installer and put it on a stick and reinstalled from scratch.
Then logged in and uploaded my latest backup.
After a restart it got stuck on this screen twice.

I then pulled the plug again expecting to have to start from scratch, but when it powered on the 3rd time I had my config back.

So I'm up and running again with the latest version installed.

Let that be a lesson to everyone. DO BACKUPS. It saved me hours of time, plus I'm sure I've forgotten all the tricks I learned while setting up the first time.