check_upgrade: "Updating repositories metadata" returned error code 1

ghc88

I'm now getting this when I run pkg-static -d update:

[2.8.1-RELEASE][admin@pfsense.home.arpa]/root: pkg-static -d update
DBG(1)[31694]> pkg initialized
Updating pfSense-core repository catalogue...
DBG(1)[31694]> PkgRepo: verifying update for pfSense-core
pkg-static: Repository pfSense-core has a wrong packagesite, need to re-create database
DBG(1)[31694]> PkgRepo: need forced update of pfSense-core
DBG(1)[31694]> Pkgrepo, begin update of '/var/db/pkg/repos/pfSense-core/db'
DBG(1)[31694]> Request to fetch pkg+https://pfsense-plus-pkg.netgate.com/pfSense_plus-v25_07_1_amd64-core/meta.conf
DBG(1)[31694]> curl_open
DBG(1)[31694]> Fetch: fetcher used: pkg+https
DBG(1)[31694]> curl> fetching https://pfsense-plus-pkg.netgate.com/pfSense_plus-v25_07_1_amd64-core/meta.conf

DBG(1)[31694]> CURL> attempting to fetch from , left retry 3

* Couldn't find host pfsense-plus-pkg00.atx.netgate.com in the .netrc file; using defaults
* Host pfsense-plus-pkg00.atx.netgate.com:443 was resolved.
* IPv6: 2610:160:11:18::207
* IPv4: 208.123.73.207
*   Trying [2610:160:11:18::207]:443...
*   Trying 208.123.73.207:443...
* Connected to pfsense-plus-pkg00.atx.netgate.com (208.123.73.207) port 443
* ALPN: curl offers http/1.1
*  CAfile: /etc/ssl/netgate-ca.pem
*  CApath: /etc/ssl/certs/
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: C=US; ST=Texas; L=Austin; O=Rubicon Communications, LLC (Netgate); OU=pfSense Plus; CN=pfsense-plus-pkg00.atx.netgate.com
*  start date: Mar 15 20:23:11 2022 GMT
*  expire date: Feb 19 20:23:11 2122 GMT
*  common name: pfsense-plus-pkg00.atx.netgate.com (matched)
*  issuer: C=US; ST=Texas; L=Austin; O=Rubicon Communications, LLC (Netgate); OU=Netgate CA; CN=Netgate CA
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
> GET /pfSense_plus-v25_07_1_amd64-core/meta.conf HTTP/1.1
Host: pfsense-plus-pkg00.atx.netgate.com
User-Agent: pkg/1.21.3
Accept: */*
If-Modified-Since: Thu, 01 Jan 1970 00:00:00 GMT

* Request completely sent off
< HTTP/1.1 200 OK
Fetching meta.conf:   0%< Server: nginx
< Date: Fri, 07 Nov 2025 18:36:07 GMT
< Content-Type: application/octet-stream
< Content-Length: 179
< Last-Modified: Fri, 15 Aug 2025 21:11:56 GMT
< Connection: keep-alive
< ETag: "689fa29c-b3"
< Accept-Ranges: bytes
<
Fetching meta.conf: 100%    179 B   0.2kB/s    00:01
* Connection #0 to host pfsense-plus-pkg00.atx.netgate.com left intact
DBG(1)[31694]> Request to fetch pkg+https://pfsense-plus-pkg.netgate.com/pfSense_plus-v25_07_1_amd64-core/data.pkg
DBG(1)[31694]> curl_open
DBG(1)[31694]> Fetch: fetcher used: pkg+https
DBG(1)[31694]> curl> fetching https://pfsense-plus-pkg.netgate.com/pfSense_plus-v25_07_1_amd64-core/data.pkg

DBG(1)[31694]> CURL> attempting to fetch from , left retry 3

* Couldn't find host pfsense-plus-pkg00.atx.netgate.com in the .netrc file; using defaults
* Found bundle for host: 0x49882a25870 [serially]
* Re-using existing connection with host pfsense-plus-pkg00.atx.netgate.com
> GET /pfSense_plus-v25_07_1_amd64-core/data.pkg HTTP/1.1
Host: pfsense-plus-pkg00.atx.netgate.com
User-Agent: pkg/1.21.3
Accept: */*
If-Modified-Since: Thu, 01 Jan 1970 00:00:00 GMT

* Request completely sent off
< HTTP/1.1 200 OK
Fetching data.pkg:   0%< Server: nginx
< Date: Fri, 07 Nov 2025 18:36:07 GMT
< Content-Type: application/octet-stream
< Content-Length: 1726
< Last-Modified: Fri, 15 Aug 2025 21:11:56 GMT
< Connection: keep-alive
< ETag: "689fa29c-6be"
< Accept-Ranges: bytes
<
Fetching data.pkg: 100%    2 KiB   1.7kB/s    00:01
* Connection #0 to host pfsense-plus-pkg00.atx.netgate.com left intact
DBG(1)[31694]> PkgRepo: extracting data of repo pfSense-core
DBG(1)[31836]> PkgRepo: extracting signature of repo in a sandbox
DBG(1)[31694]> Pkgrepo, reading new metadata
Processing entries: 100%
pfSense-core repository update completed. 5 packages processed.
Updating pfSense repository catalogue...
DBG(1)[31694]> PkgRepo: verifying update for pfSense
DBG(1)[31694]> Pkgrepo, begin update of '/var/db/pkg/repos/pfSense/db'
DBG(1)[31694]> Request to fetch pkg+https://pfsense-plus-pkg.netgate.com/pfSense_plus-v25_07_1_amd64-pfSense_plus_v25_07_1/meta.conf
DBG(1)[31694]> curl_open
DBG(1)[31694]> Fetch: fetcher used: pkg+https
DBG(1)[31694]> curl> fetching https://pfsense-plus-pkg.netgate.com/pfSense_plus-v25_07_1_amd64-pfSense_plus_v25_07_1/meta.conf

DBG(1)[31694]> CURL> attempting to fetch from , left retry 3

* Couldn't find host pfsense-plus-pkg01.atx.netgate.com in the .netrc file; using defaults
* Host pfsense-plus-pkg01.atx.netgate.com:443 was resolved.
* IPv6: 2610:160:11:18::209
* IPv4: 208.123.73.209
*   Trying [2610:160:11:18::209]:443...
*   Trying 208.123.73.209:443...
* Connected to pfsense-plus-pkg01.atx.netgate.com (208.123.73.209) port 443
* ALPN: curl offers http/1.1
*  CAfile: /etc/ssl/netgate-ca.pem
*  CApath: /etc/ssl/certs/
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: C=US; ST=Texas; L=Austin; O=Rubicon Communications, LLC (Netgate); OU=pfSense Plus; CN=pfsense-plus-pkg01.atx.netgate.com
*  start date: Mar 15 20:23:37 2022 GMT
*  expire date: Feb 19 20:23:37 2122 GMT
*  common name: pfsense-plus-pkg01.atx.netgate.com (matched)
*  issuer: C=US; ST=Texas; L=Austin; O=Rubicon Communications, LLC (Netgate); OU=Netgate CA; CN=Netgate CA
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
> GET /pfSense_plus-v25_07_1_amd64-pfSense_plus_v25_07_1/meta.conf HTTP/1.1
Host: pfsense-plus-pkg01.atx.netgate.com
User-Agent: pkg/1.21.3
Accept: */*
If-Modified-Since: Fri, 24 Oct 2025 14:38:28 GMT

* Request completely sent off
< HTTP/1.1 304 Not Modified
< Server: nginx
< Date: Fri, 07 Nov 2025 18:36:08 GMT
< Last-Modified: Fri, 24 Oct 2025 14:38:28 GMT
< Connection: keep-alive
< ETag: "68fb8f64-b3"
<
* Connection #0 to host pfsense-plus-pkg01.atx.netgate.com left intact
DBG(1)[31694]> Request to fetch pkg+https://pfsense-plus-pkg.netgate.com/pfSense_plus-v25_07_1_amd64-pfSense_plus_v25_07_1/data.pkg
DBG(1)[31694]> curl_open
DBG(1)[31694]> Fetch: fetcher used: pkg+https
DBG(1)[31694]> curl> fetching https://pfsense-plus-pkg.netgate.com/pfSense_plus-v25_07_1_amd64-pfSense_plus_v25_07_1/data.pkg

DBG(1)[31694]> CURL> attempting to fetch from , left retry 3

* Couldn't find host pfsense-plus-pkg01.atx.netgate.com in the .netrc file; using defaults
* Found bundle for host: 0x49882b10ad0 [serially]
* Re-using existing connection with host pfsense-plus-pkg01.atx.netgate.com
> GET /pfSense_plus-v25_07_1_amd64-pfSense_plus_v25_07_1/data.pkg HTTP/1.1
Host: pfsense-plus-pkg01.atx.netgate.com
User-Agent: pkg/1.21.3
Accept: */*
If-Modified-Since: Fri, 24 Oct 2025 14:38:28 GMT

* Request completely sent off
< HTTP/1.1 304 Not Modified
< Server: nginx
< Date: Fri, 07 Nov 2025 18:36:08 GMT
< Last-Modified: Fri, 24 Oct 2025 14:38:28 GMT
< Connection: keep-alive
< ETag: "68fb8f64-3b14f"
<
* Connection #0 to host pfsense-plus-pkg01.atx.netgate.com left intact
pfSense repository is up to date.
All repositories are up to date.

Why is it pointing at pfsense-plus packages? My /usr/local/etc/pkg/repos/pfSense.conf file is currently:

FreeBSD: { enabled: no }

pfSense-core: {
    url: "pkg+https://pkg.pfsense.org/pfSense_v2_8_1_amd64-core",
    mirror_type: "srv",
    signature_type: "fingerprints",
    fingerprints: "/usr/local/share/pfSense/keys/pkg",
    enabled: yes
}

pfSense: {
    url: "pkg+https://pkg.pfsense.org/pfSense_v2_8_1_amd64-pfSense_v2_8_1",
    mirror_type: "srv",
    signature_type: "fingerprints",
    fingerprints: "/usr/local/share/pfSense/keys/pkg",
    enabled: yes
}

ghc88

One more: something very strange is going on, you can see here that it is changing the config file from CE to Plus all by itself:

[2.8.1-RELEASE][admin@pfsense.home.arpa]/root: cat /usr/local/etc/pkg/repos/pfSense.conf
FreeBSD: { enabled: no }

pfSense-core: {
    url: "pkg+https://pkg.pfsense.org/pfSense_v2_8_1_amd64-core",
    mirror_type: "srv",
    signature_type: "fingerprints",
    fingerprints: "/usr/local/share/pfSense/keys/pkg",
    enabled: yes
}

pfSense: {
    url: "pkg+https://pkg.pfsense.org/pfSense_v2_8_1_amd64-pfSense_v2_8_1",
    mirror_type: "srv",
    signature_type: "fingerprints",
    fingerprints: "/usr/local/share/pfSense/keys/pkg",
    enabled: yes
}

[2.8.1-RELEASE][admin@pfsense.home.arpa]/root: cat /usr/local/etc/pkg/repos/pfSense.conf
FreeBSD { endabled: no }

pfSense-core: {
    url: "pkg+https://pfsense-plus-pkg.netgate.com/pfSense_plus-v25_07_1_amd64-core"
    mirror_type: "srv",
    signature_type: "fingerprints",
    fingerprints: "/usr/local/share/pfSense/keys/pkg",
    enabled: yes
}

pfSense: {
    url: "pkg+https://pfsense-plus-pkg.netgate.com/pfSense_plus-v25_07_1_amd64-pfSense_plus_v25_07_1",
    mirror_type: "srv",
    signature_type: "fingerprints",
    fingerprints: "/usr/local/share/pfSense/keys/pkg",
    enabled: yes
}

mroles29

In case my situation is relevant, I am having a similar issue.
Of course, it is complicated by the fact that I noticed the notification bell when checking during an outage, however, that outage has been resolved but the notifications continue.

Based on this thread, everything else is functional and I have no errors when attempting to update the repository or check for updates by cli. But I am getting notification entries repeatedly for bursts of time.

Similar to the previous poster, what I found odd was when using the GUI to check for updates, it correctly showed I was using 2.8.1 and that was the most current version. After selecting the tab for repository to check to see that there were more than one option (there were two, one for for PF Sense Plus and one for PF Sense normal) and then returning to the update check, it attempted to tell me that there was an update to 25. I had not selected anything from the drop-down and it was not changed from previously selected which was 2.8.1.

After several refreshes of the page, it returned to telling me the current version was 2.8.1. the current version was 2.8.1. I had not read the previous post yet. However I had read the majority of the posts and was working my way through so unfortunately I did not get an opportunity at that moment to look at either the configuration or the update command response.

It does seem like, whether it's chicken or the egg, something is blocking possibly temporarily the update service from accessing the servers and it might be trying to reset the server list and picking the incorrect repo. Or something is is selecting the incorrect repo and then is unable to get confirmation which would be the case as I do not have a subscription.

What I have checked that no one else mentioned, at least from what I read, was that I did not see any blocked DNS BL or IP blocks from PG blockers logs, so I do not understand or see any reason for even a temporary issue resolving the IP for the update server.

I do suspect it is related to the python version of unbound. I only recently changed that part of the configuration on my home lab when working with PF blocker NG. Any advice on error tracking for that setup would be appreciated.

Being that this is a home lab, I have used resolver with local DNS priority over remote with both DHCP provided DNS servers and 1.1.1.1. Similar to someone else above, the packages PF blocker NG and the use of traffic shaping in my setup maybe related.

mroles29

I do have five or six entries in my DNS blocking logs from localhost 127.0.0.1 pointing to blocks of ns2.parkingcrew.net at times which I believe correspond to the cron update cycle for PF blocker.
However, I don't see any reason to connect that particular entry to netgate or updates. Those are the only blocked names logged from the device itself. There are of course many from other devices on the network. That is the only reason they stand out.

ghc88

I did the same earlier and couldn't see any evidence of DNSBL/IP blocking of pfsense/netgate servers. I have noticed that DNS resolutions to pfsense servers are often significantly slower than other domains though. It can be as high as 200-300ms for pfsense.org whereas other domains are single digits. Could this be a DNS issue on pfSense remote server side?

My setup sounds very similar to yours, I'm also using the unbound Python module. I run dns resolver with forwarding mode enabled, remote servers configured in general setup (cloudflare and quad9), use local DNS only, no remote servers.

stephenw10

Are you still seeing this? There was a backend repo change earlier that could potentially have triggered something. Though it shouldn't have.

ghc88

@stephenw10 I am yes, last one was ~30 mins ago. I'm currently trying changing settings one at a time to see if something is causing it, I've just turned off DoT setting in DNS Resolver, will report back in the morning (early hours of the morning here) if that has solved it. Not had any since but I only did it just after the last one 30 mins ago.

Like I said, I've been having this issue sporadically ever since upgrading but over the past couple of days they've been stacking up. I woke up this morning to a very long list of them.

stephenw10

The check_upgrade error or the wrong repo offered? The offered repo issue should be fixed. The error may still be shown.

ghc88

@stephenw10 Incorrect repo still an issue as well. I just hit the check version from the home page of the GUI and got:

2.8.1-RELEASE (amd64)
built on Tue Sep 9 17:29:00 BST 2025
FreeBSD 15.0-CURRENT

Version 25.07.1 is available.
Version information updated at Sat Nov 8 1:43:02 GMT 2025

Strangely enough that didn't result in the Updating repositories metadata error being logged, so maybe these things aren't related and it's just a coincidence/red herring at the same time I've been trying to resolve the error code 1 being logged.

But yes, something is definitely not right, I've never had it offering me pfSense plus versions before.

EDIT: Just checked for updates again and it's gone back to CE i.e. version is on the latest version. So yes, /usr/local/etc/pkg/repos/pfSense.conf is momentarily changing itself to pfSense plus repos and then back again. That seems to line up with the error code 1 being logged but now I'm not so sure as it didn't do it that time.

tinfoilmatt

@ghc88 The server-side issue appears to be transient. I had your same experience on a CE box today. And it all seems to now be resolved at this point (at least for my system in this moment) without any harm nor foul.

I would strongly suggest not making any more configuration changes related to any of this.

ghc88

@tinfoilmatt Indeed, the only thing I've changed is turning DoT off and since then I've not had any more of the error code 1s. Now I'm aware there has been or is on-going server-side issues, agreed, I won't change anything else for now. This is just in my home lab and I can easily roll back if things go south. I was just trying to resolve the errors, both because they're rather annoying and to try and help others with the same issue, as seems this has been rumbling on for a while. :)

tinfoilmatt

@ghc88 Get that DoT back on! First rule of CE club is we don't talk about CE club. Second rule of CE club is we never make our DNS queries in plaintext!

ghc88

@tinfoilmatt Ha, that provided a good giggle, thank you. I've decided to ditch remote DNS servers altogether and gone back to resolver mode with DNSSEC and other bells and whistles turned on. Not sure why I switched to forwarding mode some time last year, plus it caused a lot of head scratching when Cloudflare had some issues not too long ago (hence adding Quad9 as well). I'm going to stop tinkering now and head to bed before I break things, hopefully I'll wake up to a nice clear pfSense error log...

alnico

I did get this error; could it be related?

Crash report begins.  Anonymous machine information:

amd64
15.0-CURRENT
FreeBSD 15.0-CURRENT #0 plus-RELENG_25_07_1-n256513-49844af35a5d: Fri Aug 15 19:21:04 UTC 2025     root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-25_07_1-main/obj/amd64/DZizCvOj/var/jenkins/workspace/pfSense-Plus-snapshots-25_07_1-main/sources

Crash report details:

PHP Errors:
[DATE-TIME-REDACTED] PHP Fatal error:  Uncaught ValueError: gettext(): Argument #1 ($message) is too long in /usr/local/www/pkg_mgr_install.php:444
Stack trace:
#0 /usr/local/www/pkg_mgr_install.php(444): gettext()
#1 {main}
  thrown in /usr/local/www/pkg_mgr_install.php on line 444



No FreeBSD crash data found.

timecode

Have done a reboot and the odd repository messages have subsided which is good.

HOWEVER, it now seems to be flip flopping between needing package updates, and not.

Randomly various packages will show as yellow. Then try and update - system tells me I need to update before installing. I am on latest plus version 25.07.1.

I get the feeling something is happening at home base and its causing us fleeting issues.

Kelpie

Upgraded from 2.8.0 to 2.8.1

a week ago

sometimes in the system update menu goes back commercial version and on the dashboard

Nov 8 15:24:00 php 12152 Standard input code: New alert found: check_upgrade: "Updating repositories metadata" returned error code 1
Nov 8 15:19:52 php 93775 Standard input code: New alert found: check_upgrade: "Updating repositories metadata" returned error code 1
Nov 8 15:17:48 php 28987 Standard input code: New alert found: check_upgrade: "Updating repositories metadata" returned error code 1
Nov 8 15:17:17 php 19559 Standard input code: New alert found: check_upgrade: "Updating repositories metadata" returned error code 1
Nov 8 15:14:12 php 73350 Standard input code: New alert found: check_upgrade: "Updating repositories metadata" returned error code 1
Nov 8 15:03:20 php 32733 Standard input code: New alert found: check_upgrade: "Updating repositories metadata" returned error code 1

got a lot some time today

very random sometimes wont happen for hours.

Home Assistant logs
2025-11-08 02:00:17.161 ERROR (SyncWorker_3) [custom_components.pfsense.pypfsense] Unexpected get_firmware_update_info error err=TimeoutError('timed out'), type(err)=<class 'TimeoutError'>
2025-11-08 02:01:10.448 WARNING (Recorder) [homeassistant.components.recorder.db_schema] State attributes for binary_sensor.XXXXXXX_pending_notices_present exceed maximum size of 16384 bytes. This can cause database performance issues; Attributes will not be stored