check_upgrade: "Updating repositories metadata" returned error code 1

stephenw10

Those are normal output from pkg update.

Try: pfSense-upgrade -dc

That's what's actually run that generates that error.

If that completes without error then it must be something intermittent. In which case I would check the system logs for errors when that alert is triggered.

PnoT

@stephenw10

[2.8.1-RELEASE][root@pfSense.lab.local]/root: pfSense-upgrade -dc
>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
pkg-static: An error occured while fetching package
pkg-static: An error occured while fetching package
repository pfSense-core has no meta file, using default settings
pkg-static: An error occured while fetching package
pkg-static: An error occured while fetching package
pkg-static: An error occured while fetching package
pkg-static: An error occured while fetching package
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg-static: An error occured while fetching package
pkg-static: An error occured while fetching package
repository pfSense has no meta file, using default settings
pkg-static: An error occured while fetching package
pkg-static: An error occured while fetching package
pkg-static: An error occured while fetching package
pkg-static: An error occured while fetching package
Unable to update repository pfSense
Error updating repositories!
Your system is up to date

stephenw10

OK what's the full output you see from: pkg-static -d update?

PnoT

@stephenw10

[2.8.1-RELEASE][root@pfSense.lab.local]/root: pkg-static -d update
DBG(1)[27296]> pkg initialized
Updating pfSense-core repository catalogue...
DBG(1)[27296]> PkgRepo: verifying update for pfSense-core
DBG(1)[27296]> Pkgrepo, begin update of '/var/db/pkg/repos/pfSense-core/db'
DBG(1)[27296]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_8_1_amd64-core/meta.conf
DBG(1)[27296]> curl_open
DBG(1)[27296]> Fetch: fetcher used: pkg+https
DBG(1)[27296]> curl> fetching https://pkg.pfsense.org/pfSense_v2_8_1_amd64-core/meta.conf

DBG(1)[27296]> CURL> attempting to fetch from , left retry 3

* Couldn't find host pkg00-atx.netgate.com in the .netrc file; using defaults
* Host pkg00-atx.netgate.com:443 was resolved.
* IPv6: 2610:160:11:18::207
* IPv4: 208.123.73.207
*   Trying 208.123.73.207:443...
*   Trying [2610:160:11:18::207]:443...
* Immediate connect fail for 2610:160:11:18::207: No route to host
* ipv4 connect timeout after 19808ms, move on!
* Failed to connect to pkg00-atx.netgate.com port 443 after 30009 ms: Timeout was reached
* Closing connection
DBG(1)[27296]> CURL> attempting to fetch from , left retry 2

* Couldn't find host pkg01-atx.netgate.com in the .netrc file; using defaults
* Host pkg01-atx.netgate.com:443 was resolved.
* IPv6: 2610:160:11:18::209
* IPv4: 208.123.73.209
*   Trying 208.123.73.209:443...
* Connected to pkg01-atx.netgate.com (208.123.73.209) port 443
* ALPN: curl offers http/1.1
*  CAfile: none
*  CApath: /etc/ssl/certs/
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=*.netgate.com
*  start date: Apr 10 00:00:00 2025 GMT
*  expire date: May 11 23:59:59 2026 GMT
*  subjectAltName: host "pkg01-atx.netgate.com" matched cert's "*.netgate.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha384WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption
* using HTTP/1.x
> GET /pfSense_v2_8_1_amd64-core/meta.conf HTTP/1.1
Host: pkg01-atx.netgate.com
User-Agent: pkg/1.21.3
Accept: */*
If-Modified-Since: Thu, 28 Aug 2025 16:50:33 GMT

* Request completely sent off
< HTTP/1.1 200 OK
Fetching meta.conf:   0%< Server: nginx
< Date: Wed, 15 Oct 2025 16:06:28 GMT
< Content-Type: application/octet-stream
< Content-Length: 179
< Last-Modified: Thu, 28 Aug 2025 16:50:33 GMT
< Connection: keep-alive
< ETag: "68b088d9-b3"
< Strict-Transport-Security: max-age=31536000; preload
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Robots-Tag: all
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Accept-Ranges: bytes
<
* The requested document is not new enough
* Simulate an HTTP 304 response
* Closing connection

DBG(1)[27296]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_8_1_amd64-core/data.pkg
DBG(1)[27296]> curl_open
DBG(1)[27296]> Fetch: fetcher used: pkg+https
DBG(1)[27296]> curl> fetching https://pkg.pfsense.org/pfSense_v2_8_1_amd64-core/data.pkg

DBG(1)[27296]> CURL> attempting to fetch from , left retry 3

* Couldn't find host pkg00-atx.netgate.com in the .netrc file; using defaults
* Hostname pkg00-atx.netgate.com was found in DNS cache
*   Trying 208.123.73.207:443...
* Connected to pkg00-atx.netgate.com (208.123.73.207) port 443
* ALPN: curl offers http/1.1
*  CAfile: none
*  CApath: /etc/ssl/certs/
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=*.netgate.com
*  start date: Apr 10 00:00:00 2025 GMT
*  expire date: May 11 23:59:59 2026 GMT
*  subjectAltName: host "pkg00-atx.netgate.com" matched cert's "*.netgate.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha384WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption
* using HTTP/1.x
> GET /pfSense_v2_8_1_amd64-core/data.pkg HTTP/1.1
Host: pkg00-atx.netgate.com
User-Agent: pkg/1.21.3
Accept: */*
If-Modified-Since: Thu, 28 Aug 2025 16:50:33 GMT

* Request completely sent off
< HTTP/1.1 200 OK
Fetching data.pkg:   0%< Server: nginx
< Date: Wed, 15 Oct 2025 16:06:29 GMT
< Content-Type: application/octet-stream
< Content-Length: 1632
< Last-Modified: Thu, 28 Aug 2025 16:50:33 GMT
< Connection: keep-alive
< ETag: "68b088d9-660"
< Strict-Transport-Security: max-age=31536000; preload
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Robots-Tag: all
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Accept-Ranges: bytes
<
* The requested document is not new enough
* Simulate an HTTP 304 response
* Closing connection

pfSense-core repository is up to date.
Updating pfSense repository catalogue...
DBG(1)[27296]> PkgRepo: verifying update for pfSense
DBG(1)[27296]> Pkgrepo, begin update of '/var/db/pkg/repos/pfSense/db'
DBG(1)[27296]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_8_1_amd64-pfSense_v2_8_1/meta.conf
DBG(1)[27296]> curl_open
DBG(1)[27296]> Fetch: fetcher used: pkg+https
DBG(1)[27296]> curl> fetching https://pkg.pfsense.org/pfSense_v2_8_1_amd64-pfSense_v2_8_1/meta.conf

DBG(1)[27296]> CURL> attempting to fetch from , left retry 3

* Couldn't find host pkg00-atx.netgate.com in the .netrc file; using defaults
* Host pkg00-atx.netgate.com:443 was resolved.
* IPv6: 2610:160:11:18::207
* IPv4: 208.123.73.207
*   Trying 208.123.73.207:443...
* Connected to pkg00-atx.netgate.com (208.123.73.207) port 443
* ALPN: curl offers http/1.1
*  CAfile: none
*  CApath: /etc/ssl/certs/
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=*.netgate.com
*  start date: Apr 10 00:00:00 2025 GMT
*  expire date: May 11 23:59:59 2026 GMT
*  subjectAltName: host "pkg00-atx.netgate.com" matched cert's "*.netgate.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha384WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption
* using HTTP/1.x
> GET /pfSense_v2_8_1_amd64-pfSense_v2_8_1/meta.conf HTTP/1.1
Host: pkg00-atx.netgate.com
User-Agent: pkg/1.21.3
Accept: */*
If-Modified-Since: Tue, 30 Sep 2025 15:49:19 GMT

* Request completely sent off
< HTTP/1.1 200 OK
Fetching meta.conf:   0%< Server: nginx
< Date: Wed, 15 Oct 2025 16:06:45 GMT
< Content-Type: application/octet-stream
< Content-Length: 179
< Last-Modified: Tue, 30 Sep 2025 15:49:19 GMT
< Connection: keep-alive
< ETag: "68dbfbff-b3"
< Strict-Transport-Security: max-age=31536000; preload
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Robots-Tag: all
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Accept-Ranges: bytes
<
* The requested document is not new enough
* Simulate an HTTP 304 response
* Closing connection

DBG(1)[27296]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_8_1_amd64-pfSense_v2_8_1/data.pkg
DBG(1)[27296]> curl_open
DBG(1)[27296]> Fetch: fetcher used: pkg+https
DBG(1)[27296]> curl> fetching https://pkg.pfsense.org/pfSense_v2_8_1_amd64-pfSense_v2_8_1/data.pkg

DBG(1)[27296]> CURL> attempting to fetch from , left retry 3

* Couldn't find host pkg00-atx.netgate.com in the .netrc file; using defaults
* Hostname pkg00-atx.netgate.com was found in DNS cache
*   Trying 208.123.73.207:443...
* Connected to pkg00-atx.netgate.com (208.123.73.207) port 443
* ALPN: curl offers http/1.1
*  CAfile: none
*  CApath: /etc/ssl/certs/
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=*.netgate.com
*  start date: Apr 10 00:00:00 2025 GMT
*  expire date: May 11 23:59:59 2026 GMT
*  subjectAltName: host "pkg00-atx.netgate.com" matched cert's "*.netgate.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha384WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption
* using HTTP/1.x
> GET /pfSense_v2_8_1_amd64-pfSense_v2_8_1/data.pkg HTTP/1.1
Host: pkg00-atx.netgate.com
User-Agent: pkg/1.21.3
Accept: */*
If-Modified-Since: Tue, 30 Sep 2025 15:49:19 GMT

* Request completely sent off
< HTTP/1.1 200 OK
Fetching data.pkg:   0%< Server: nginx
< Date: Wed, 15 Oct 2025 16:06:45 GMT
< Content-Type: application/octet-stream
< Content-Length: 189818
< Last-Modified: Tue, 30 Sep 2025 15:49:19 GMT
< Connection: keep-alive
< ETag: "68dbfbff-2e57a"
< Strict-Transport-Security: max-age=31536000; preload
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Robots-Tag: all
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Accept-Ranges: bytes
<
* The requested document is not new enough
* Simulate an HTTP 304 response
* Closing connection

pfSense repository is up to date.
All repositories are up to date.

Gertjan

@PnoT said in check_upgrade: "Updating repositories metadata" returned error code 1:

The requested document is not new enough

... The requested document is not new enough ... Like here ?

stephenw10

The document not new enough message is not an error. It just means it's already up to date.

The only actual error there is:

* ipv4 connect timeout after 19808ms, move on!
* Failed to connect to pkg00-atx.netgate.com port 443 after 30009 ms: Timeout was reached
* Closing connection

That's a problem, it should be able to connect there. But it does successfully connect to the other pkg server. And then later is able to connect to pkg00.

So there could be an intermittent connection issue.

PnoT

@stephenw10
I was finally able to reboot the pfSense box late last night, and since it's back up, I'm not getting the error messages anymore. I'll report back if it pops up again.

bra1nfreez

I know this is months later but I just had this same problem and this guide helped me fix it: https://github.com/pfsense/docs/blob/master/source/install/upgrade-troubleshooting.rst

Arnavisca

@bra1nfreez What exactly did you do?

timecode

Getting a stack of these messages all of a sudden also.

Whats interesting is this and other weirdness only seemed to start when I created a failover WAN setup - prior to that nothing seemed out of place.

I seem to be getting all sorts of strange messages that all seem to 'start' when the main WAN drops and fails over to the secondary WAN. It fails back to primary correctly but then these messages?

ghc88

I've been getting these errors intermittently since upgrading to 2.8 but they were so infrequent they didn't bother me too much. When I ran pkg-static -d update it would work fine. However, over the past couple of days I'm getting a huge amount of these errors. I just ran the command again and got this:

[2.8.1-RELEASE][admin@pfsense.home.arpa]/root: pkg-static -d update
DBG(1)[99186]> pkg initialized
Updating pfSense-core repository catalogue...
DBG(1)[99186]> PkgRepo: verifying update for pfSense-core
pkg-static: Repository pfSense-core has a wrong packagesite, need to re-create d                                                                                                                                                                                                                                             atabase
DBG(1)[99186]> PkgRepo: need forced update of pfSense-core
DBG(1)[99186]> Pkgrepo, begin update of '/var/db/pkg/repos/pfSense-core/db'
DBG(1)[99186]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_8_1_amd64                                                                                                                                                                                                                                             -core/meta.conf
DBG(1)[99186]> curl_open
DBG(1)[99186]> Fetch: fetcher used: pkg+https
DBG(1)[99186]> curl> fetching https://pkg.pfsense.org/pfSense_v2_8_1_amd64-core/                                                                                                                                                                                                                                             meta.conf

DBG(1)[99186]> CURL> attempting to fetch from , left retry 3

* Couldn't find host pkg01-atx.netgate.com in the .netrc file; using defaults
* Host pkg01-atx.netgate.com:443 was resolved.
* IPv6: 2610:160:11:18::209
* IPv4: 208.123.73.209
*   Trying [2610:160:11:18::209]:443...
* Connected to pkg01-atx.netgate.com (2610:160:11:18::209) port 443
* ALPN: curl offers http/1.1
* could not load PEM client certificate from /usr/local/etc/pfSense/pkg/repos/pf                                                                                                                                                                                                                                             Sense-repo-0000-cert.pem, OpenSSL error error:80000002:system library::No such f                                                                                                                                                                                                                                             ile or directory, (no key found, wrong pass phrase, or wrong file format?)
* Closing connection
DBG(1)[99186]> CURL> attempting to fetch from , left retry 2

* Couldn't find host pkg00-atx.netgate.com in the .netrc file; using defaults
* Host pkg00-atx.netgate.com:443 was resolved.
* IPv6: 2610:160:11:18::207
* IPv4: 208.123.73.207
*   Trying [2610:160:11:18::207]:443...
* Connected to pkg00-atx.netgate.com (2610:160:11:18::207) port 443
* ALPN: curl offers http/1.1
* could not load PEM client certificate from /usr/local/etc/pfSense/pkg/repos/pf                                                                                                                                                                                                                                             Sense-repo-0000-cert.pem, OpenSSL error error:80000002:system library::No such f                                                                                                                                                                                                                                             ile or directory, (no key found, wrong pass phrase, or wrong file format?)
* Closing connection
DBG(1)[99186]> CURL> attempting to fetch from , left retry 1

* Couldn't find host pkg01-atx.netgate.com in the .netrc file; using defaults
* Hostname pkg01-atx.netgate.com was found in DNS cache
*   Trying [2610:160:11:18::209]:443...
* Connected to pkg01-atx.netgate.com (2610:160:11:18::209) port 443
* ALPN: curl offers http/1.1
* could not load PEM client certificate from /usr/local/etc/pfSense/pkg/repos/pf                                                                                                                                                                                                                                             Sense-repo-0000-cert.pem, OpenSSL error error:80000002:system library::No such f                                                                                                                                                                                                                                             ile or directory, (no key found, wrong pass phrase, or wrong file format?)
* Closing connection
pkg-static: An error occured while fetching package
DBG(1)[99186]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_8_1_amd64                                                                                                                                                                                                                                             -core/meta.txz
DBG(1)[99186]> curl_open
DBG(1)[99186]> Fetch: fetcher used: pkg+https
DBG(1)[99186]> curl> fetching https://pkg.pfsense.org/pfSense_v2_8_1_amd64-core/                                                                                                                                                                                                                                             meta.txz

DBG(1)[99186]> CURL> attempting to fetch from , left retry 3

* Couldn't find host pkg01-atx.netgate.com in the .netrc file; using defaults
* Hostname pkg01-atx.netgate.com was found in DNS cache
*   Trying [2610:160:11:18::209]:443...
* Connected to pkg01-atx.netgate.com (2610:160:11:18::209) port 443
* ALPN: curl offers http/1.1
* could not load PEM client certificate from /usr/local/etc/pfSense/pkg/repos/pf                                                                                                                                                                                                                                             Sense-repo-0000-cert.pem, OpenSSL error error:80000002:system library::No such f                                                                                                                                                                                                                                             ile or directory, (no key found, wrong pass phrase, or wrong file format?)
* Closing connection
DBG(1)[99186]> CURL> attempting to fetch from , left retry 2

* Couldn't find host pkg00-atx.netgate.com in the .netrc file; using defaults
* Hostname pkg00-atx.netgate.com was found in DNS cache
*   Trying [2610:160:11:18::207]:443...
* Connected to pkg00-atx.netgate.com (2610:160:11:18::207) port 443
* ALPN: curl offers http/1.1
* could not load PEM client certificate from /usr/local/etc/pfSense/pkg/repos/pf                                                                                                                                                                                                                                             Sense-repo-0000-cert.pem, OpenSSL error error:80000002:system library::No such f                                                                                                                                                                                                                                             ile or directory, (no key found, wrong pass phrase, or wrong file format?)
* Closing connection
DBG(1)[99186]> CURL> attempting to fetch from , left retry 1

****[REMOVED REPEATED FAILURES DUE TO MAX SIZE OF POST]****

* Couldn't find host pkg01-atx.netgate.com in the .netrc file; using defaults
* Hostname pkg01-atx.netgate.com was found in DNS cache
*   Trying [2610:160:11:18::209]:443...
* Connected to pkg01-atx.netgate.com (2610:160:11:18::209) port 443
* ALPN: curl offers http/1.1
* could not load PEM client certificate from /usr/local/etc/pfSense/pkg/repos/pf                                                                                                                                                                                                                                             Sense-repo-0000-cert.pem, OpenSSL error error:80000002:system library::No such f                                                                                                                                                                                                                                             ile or directory, (no key found, wrong pass phrase, or wrong file format?)
* Closing connection
pkg-static: An error occured while fetching package
Unable to update repository pfSense
Error updating repositories!

What's really strange is that last night when I looked at /usr/local/etc/pkg/repos/pfSense.conf it was pointing at pfSense plus repos, then I looked at it again a few moments later and it had changed to CE repos! I've never used pfSense plus, so I have no idea what is going on. This was previously a super intermittent problem (sometimes once a day, sometimes once a week), now it's happening very frequently.

ghc88

I'm now getting this when I run pkg-static -d update:

[2.8.1-RELEASE][admin@pfsense.home.arpa]/root: pkg-static -d update
DBG(1)[31694]> pkg initialized
Updating pfSense-core repository catalogue...
DBG(1)[31694]> PkgRepo: verifying update for pfSense-core
pkg-static: Repository pfSense-core has a wrong packagesite, need to re-create database
DBG(1)[31694]> PkgRepo: need forced update of pfSense-core
DBG(1)[31694]> Pkgrepo, begin update of '/var/db/pkg/repos/pfSense-core/db'
DBG(1)[31694]> Request to fetch pkg+https://pfsense-plus-pkg.netgate.com/pfSense_plus-v25_07_1_amd64-core/meta.conf
DBG(1)[31694]> curl_open
DBG(1)[31694]> Fetch: fetcher used: pkg+https
DBG(1)[31694]> curl> fetching https://pfsense-plus-pkg.netgate.com/pfSense_plus-v25_07_1_amd64-core/meta.conf

DBG(1)[31694]> CURL> attempting to fetch from , left retry 3

* Couldn't find host pfsense-plus-pkg00.atx.netgate.com in the .netrc file; using defaults
* Host pfsense-plus-pkg00.atx.netgate.com:443 was resolved.
* IPv6: 2610:160:11:18::207
* IPv4: 208.123.73.207
*   Trying [2610:160:11:18::207]:443...
*   Trying 208.123.73.207:443...
* Connected to pfsense-plus-pkg00.atx.netgate.com (208.123.73.207) port 443
* ALPN: curl offers http/1.1
*  CAfile: /etc/ssl/netgate-ca.pem
*  CApath: /etc/ssl/certs/
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: C=US; ST=Texas; L=Austin; O=Rubicon Communications, LLC (Netgate); OU=pfSense Plus; CN=pfsense-plus-pkg00.atx.netgate.com
*  start date: Mar 15 20:23:11 2022 GMT
*  expire date: Feb 19 20:23:11 2122 GMT
*  common name: pfsense-plus-pkg00.atx.netgate.com (matched)
*  issuer: C=US; ST=Texas; L=Austin; O=Rubicon Communications, LLC (Netgate); OU=Netgate CA; CN=Netgate CA
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
> GET /pfSense_plus-v25_07_1_amd64-core/meta.conf HTTP/1.1
Host: pfsense-plus-pkg00.atx.netgate.com
User-Agent: pkg/1.21.3
Accept: */*
If-Modified-Since: Thu, 01 Jan 1970 00:00:00 GMT

* Request completely sent off
< HTTP/1.1 200 OK
Fetching meta.conf:   0%< Server: nginx
< Date: Fri, 07 Nov 2025 18:36:07 GMT
< Content-Type: application/octet-stream
< Content-Length: 179
< Last-Modified: Fri, 15 Aug 2025 21:11:56 GMT
< Connection: keep-alive
< ETag: "689fa29c-b3"
< Accept-Ranges: bytes
<
Fetching meta.conf: 100%    179 B   0.2kB/s    00:01
* Connection #0 to host pfsense-plus-pkg00.atx.netgate.com left intact
DBG(1)[31694]> Request to fetch pkg+https://pfsense-plus-pkg.netgate.com/pfSense_plus-v25_07_1_amd64-core/data.pkg
DBG(1)[31694]> curl_open
DBG(1)[31694]> Fetch: fetcher used: pkg+https
DBG(1)[31694]> curl> fetching https://pfsense-plus-pkg.netgate.com/pfSense_plus-v25_07_1_amd64-core/data.pkg

DBG(1)[31694]> CURL> attempting to fetch from , left retry 3

* Couldn't find host pfsense-plus-pkg00.atx.netgate.com in the .netrc file; using defaults
* Found bundle for host: 0x49882a25870 [serially]
* Re-using existing connection with host pfsense-plus-pkg00.atx.netgate.com
> GET /pfSense_plus-v25_07_1_amd64-core/data.pkg HTTP/1.1
Host: pfsense-plus-pkg00.atx.netgate.com
User-Agent: pkg/1.21.3
Accept: */*
If-Modified-Since: Thu, 01 Jan 1970 00:00:00 GMT

* Request completely sent off
< HTTP/1.1 200 OK
Fetching data.pkg:   0%< Server: nginx
< Date: Fri, 07 Nov 2025 18:36:07 GMT
< Content-Type: application/octet-stream
< Content-Length: 1726
< Last-Modified: Fri, 15 Aug 2025 21:11:56 GMT
< Connection: keep-alive
< ETag: "689fa29c-6be"
< Accept-Ranges: bytes
<
Fetching data.pkg: 100%    2 KiB   1.7kB/s    00:01
* Connection #0 to host pfsense-plus-pkg00.atx.netgate.com left intact
DBG(1)[31694]> PkgRepo: extracting data of repo pfSense-core
DBG(1)[31836]> PkgRepo: extracting signature of repo in a sandbox
DBG(1)[31694]> Pkgrepo, reading new metadata
Processing entries: 100%
pfSense-core repository update completed. 5 packages processed.
Updating pfSense repository catalogue...
DBG(1)[31694]> PkgRepo: verifying update for pfSense
DBG(1)[31694]> Pkgrepo, begin update of '/var/db/pkg/repos/pfSense/db'
DBG(1)[31694]> Request to fetch pkg+https://pfsense-plus-pkg.netgate.com/pfSense_plus-v25_07_1_amd64-pfSense_plus_v25_07_1/meta.conf
DBG(1)[31694]> curl_open
DBG(1)[31694]> Fetch: fetcher used: pkg+https
DBG(1)[31694]> curl> fetching https://pfsense-plus-pkg.netgate.com/pfSense_plus-v25_07_1_amd64-pfSense_plus_v25_07_1/meta.conf

DBG(1)[31694]> CURL> attempting to fetch from , left retry 3

* Couldn't find host pfsense-plus-pkg01.atx.netgate.com in the .netrc file; using defaults
* Host pfsense-plus-pkg01.atx.netgate.com:443 was resolved.
* IPv6: 2610:160:11:18::209
* IPv4: 208.123.73.209
*   Trying [2610:160:11:18::209]:443...
*   Trying 208.123.73.209:443...
* Connected to pfsense-plus-pkg01.atx.netgate.com (208.123.73.209) port 443
* ALPN: curl offers http/1.1
*  CAfile: /etc/ssl/netgate-ca.pem
*  CApath: /etc/ssl/certs/
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: C=US; ST=Texas; L=Austin; O=Rubicon Communications, LLC (Netgate); OU=pfSense Plus; CN=pfsense-plus-pkg01.atx.netgate.com
*  start date: Mar 15 20:23:37 2022 GMT
*  expire date: Feb 19 20:23:37 2122 GMT
*  common name: pfsense-plus-pkg01.atx.netgate.com (matched)
*  issuer: C=US; ST=Texas; L=Austin; O=Rubicon Communications, LLC (Netgate); OU=Netgate CA; CN=Netgate CA
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
> GET /pfSense_plus-v25_07_1_amd64-pfSense_plus_v25_07_1/meta.conf HTTP/1.1
Host: pfsense-plus-pkg01.atx.netgate.com
User-Agent: pkg/1.21.3
Accept: */*
If-Modified-Since: Fri, 24 Oct 2025 14:38:28 GMT

* Request completely sent off
< HTTP/1.1 304 Not Modified
< Server: nginx
< Date: Fri, 07 Nov 2025 18:36:08 GMT
< Last-Modified: Fri, 24 Oct 2025 14:38:28 GMT
< Connection: keep-alive
< ETag: "68fb8f64-b3"
<
* Connection #0 to host pfsense-plus-pkg01.atx.netgate.com left intact
DBG(1)[31694]> Request to fetch pkg+https://pfsense-plus-pkg.netgate.com/pfSense_plus-v25_07_1_amd64-pfSense_plus_v25_07_1/data.pkg
DBG(1)[31694]> curl_open
DBG(1)[31694]> Fetch: fetcher used: pkg+https
DBG(1)[31694]> curl> fetching https://pfsense-plus-pkg.netgate.com/pfSense_plus-v25_07_1_amd64-pfSense_plus_v25_07_1/data.pkg

DBG(1)[31694]> CURL> attempting to fetch from , left retry 3

* Couldn't find host pfsense-plus-pkg01.atx.netgate.com in the .netrc file; using defaults
* Found bundle for host: 0x49882b10ad0 [serially]
* Re-using existing connection with host pfsense-plus-pkg01.atx.netgate.com
> GET /pfSense_plus-v25_07_1_amd64-pfSense_plus_v25_07_1/data.pkg HTTP/1.1
Host: pfsense-plus-pkg01.atx.netgate.com
User-Agent: pkg/1.21.3
Accept: */*
If-Modified-Since: Fri, 24 Oct 2025 14:38:28 GMT

* Request completely sent off
< HTTP/1.1 304 Not Modified
< Server: nginx
< Date: Fri, 07 Nov 2025 18:36:08 GMT
< Last-Modified: Fri, 24 Oct 2025 14:38:28 GMT
< Connection: keep-alive
< ETag: "68fb8f64-3b14f"
<
* Connection #0 to host pfsense-plus-pkg01.atx.netgate.com left intact
pfSense repository is up to date.
All repositories are up to date.

Why is it pointing at pfsense-plus packages? My /usr/local/etc/pkg/repos/pfSense.conf file is currently:

FreeBSD: { enabled: no }

pfSense-core: {
    url: "pkg+https://pkg.pfsense.org/pfSense_v2_8_1_amd64-core",
    mirror_type: "srv",
    signature_type: "fingerprints",
    fingerprints: "/usr/local/share/pfSense/keys/pkg",
    enabled: yes
}

pfSense: {
    url: "pkg+https://pkg.pfsense.org/pfSense_v2_8_1_amd64-pfSense_v2_8_1",
    mirror_type: "srv",
    signature_type: "fingerprints",
    fingerprints: "/usr/local/share/pfSense/keys/pkg",
    enabled: yes
}

ghc88

One more: something very strange is going on, you can see here that it is changing the config file from CE to Plus all by itself:

[2.8.1-RELEASE][admin@pfsense.home.arpa]/root: cat /usr/local/etc/pkg/repos/pfSense.conf
FreeBSD: { enabled: no }

pfSense-core: {
    url: "pkg+https://pkg.pfsense.org/pfSense_v2_8_1_amd64-core",
    mirror_type: "srv",
    signature_type: "fingerprints",
    fingerprints: "/usr/local/share/pfSense/keys/pkg",
    enabled: yes
}

pfSense: {
    url: "pkg+https://pkg.pfsense.org/pfSense_v2_8_1_amd64-pfSense_v2_8_1",
    mirror_type: "srv",
    signature_type: "fingerprints",
    fingerprints: "/usr/local/share/pfSense/keys/pkg",
    enabled: yes
}

[2.8.1-RELEASE][admin@pfsense.home.arpa]/root: cat /usr/local/etc/pkg/repos/pfSense.conf
FreeBSD { endabled: no }

pfSense-core: {
    url: "pkg+https://pfsense-plus-pkg.netgate.com/pfSense_plus-v25_07_1_amd64-core"
    mirror_type: "srv",
    signature_type: "fingerprints",
    fingerprints: "/usr/local/share/pfSense/keys/pkg",
    enabled: yes
}

pfSense: {
    url: "pkg+https://pfsense-plus-pkg.netgate.com/pfSense_plus-v25_07_1_amd64-pfSense_plus_v25_07_1",
    mirror_type: "srv",
    signature_type: "fingerprints",
    fingerprints: "/usr/local/share/pfSense/keys/pkg",
    enabled: yes
}

mroles29

In case my situation is relevant, I am having a similar issue.
Of course, it is complicated by the fact that I noticed the notification bell when checking during an outage, however, that outage has been resolved but the notifications continue.

Based on this thread, everything else is functional and I have no errors when attempting to update the repository or check for updates by cli. But I am getting notification entries repeatedly for bursts of time.

Similar to the previous poster, what I found odd was when using the GUI to check for updates, it correctly showed I was using 2.8.1 and that was the most current version. After selecting the tab for repository to check to see that there were more than one option (there were two, one for for PF Sense Plus and one for PF Sense normal) and then returning to the update check, it attempted to tell me that there was an update to 25. I had not selected anything from the drop-down and it was not changed from previously selected which was 2.8.1.

After several refreshes of the page, it returned to telling me the current version was 2.8.1. the current version was 2.8.1. I had not read the previous post yet. However I had read the majority of the posts and was working my way through so unfortunately I did not get an opportunity at that moment to look at either the configuration or the update command response.

It does seem like, whether it's chicken or the egg, something is blocking possibly temporarily the update service from accessing the servers and it might be trying to reset the server list and picking the incorrect repo. Or something is is selecting the incorrect repo and then is unable to get confirmation which would be the case as I do not have a subscription.

What I have checked that no one else mentioned, at least from what I read, was that I did not see any blocked DNS BL or IP blocks from PG blockers logs, so I do not understand or see any reason for even a temporary issue resolving the IP for the update server.

I do suspect it is related to the python version of unbound. I only recently changed that part of the configuration on my home lab when working with PF blocker NG. Any advice on error tracking for that setup would be appreciated.

Being that this is a home lab, I have used resolver with local DNS priority over remote with both DHCP provided DNS servers and 1.1.1.1. Similar to someone else above, the packages PF blocker NG and the use of traffic shaping in my setup maybe related.

mroles29

I do have five or six entries in my DNS blocking logs from localhost 127.0.0.1 pointing to blocks of ns2.parkingcrew.net at times which I believe correspond to the cron update cycle for PF blocker.
However, I don't see any reason to connect that particular entry to netgate or updates. Those are the only blocked names logged from the device itself. There are of course many from other devices on the network. That is the only reason they stand out.

ghc88

I did the same earlier and couldn't see any evidence of DNSBL/IP blocking of pfsense/netgate servers. I have noticed that DNS resolutions to pfsense servers are often significantly slower than other domains though. It can be as high as 200-300ms for pfsense.org whereas other domains are single digits. Could this be a DNS issue on pfSense remote server side?

My setup sounds very similar to yours, I'm also using the unbound Python module. I run dns resolver with forwarding mode enabled, remote servers configured in general setup (cloudflare and quad9), use local DNS only, no remote servers.

stephenw10

Are you still seeing this? There was a backend repo change earlier that could potentially have triggered something. Though it shouldn't have.

ghc88

@stephenw10 I am yes, last one was ~30 mins ago. I'm currently trying changing settings one at a time to see if something is causing it, I've just turned off DoT setting in DNS Resolver, will report back in the morning (early hours of the morning here) if that has solved it. Not had any since but I only did it just after the last one 30 mins ago.

Like I said, I've been having this issue sporadically ever since upgrading but over the past couple of days they've been stacking up. I woke up this morning to a very long list of them.

stephenw10

The check_upgrade error or the wrong repo offered? The offered repo issue should be fixed. The error may still be shown.

ghc88

@stephenw10 Incorrect repo still an issue as well. I just hit the check version from the home page of the GUI and got:

2.8.1-RELEASE (amd64)
built on Tue Sep 9 17:29:00 BST 2025
FreeBSD 15.0-CURRENT

Version 25.07.1 is available.
Version information updated at Sat Nov 8 1:43:02 GMT 2025

Strangely enough that didn't result in the Updating repositories metadata error being logged, so maybe these things aren't related and it's just a coincidence/red herring at the same time I've been trying to resolve the error code 1 being logged.

But yes, something is definitely not right, I've never had it offering me pfSense plus versions before.

EDIT: Just checked for updates again and it's gone back to CE i.e. version is on the latest version. So yes, /usr/local/etc/pkg/repos/pfSense.conf is momentarily changing itself to pfSense plus repos and then back again. That seems to line up with the error code 1 being logged but now I'm not so sure as it didn't do it that time.