check_upgrade: "Updating repositories metadata" returned error code 1

pfpv

@stephenw10
I logged in to the GUI again and there was no delay this time. The dashboard update check was relatively fast. I went to System, Package Manager. And it got stuck there without loading anything for longer than I could have expected, for about a minute. Thinking it will not load anything, I opened the Diagnostics, Command Prompt page in a new tab and executed the command you suggested (pkg -d update). The lengthy output is below. It looks like something was not right ("Couldn't find host pkg01-atx.netgate.com in the .netrc file; using defaults" and it tried twice, and "The requested document is not new enough") but in the end it concluded "All repositories are up to date."

After that I switched to the Package Manager tab and found that the list of the installed packages that wasn't loading before now loaded. I clicked on the "Available Packages" and the list loaded reasonably fast.

The output of 'pkg -d update':

DBG(1)[64250]> pkg initialized
Updating pfSense-core repository catalogue...
DBG(1)[64250]> PkgRepo: verifying update for pfSense-core
DBG(1)[64250]> Pkgrepo, begin update of '/var/db/pkg/repos/pfSense-core/db'
DBG(1)[64250]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_8_0_amd64-core/meta.conf
DBG(1)[64250]> curl_open
DBG(1)[64250]> Fetch: fetcher used: pkg+https
DBG(1)[64250]> curl> fetching https://pkg.pfsense.org/pfSense_v2_8_0_amd64-core/meta.conf

DBG(1)[64250]> CURL> attempting to fetch from , left retry 3

* Couldn't find host pkg01-atx.netgate.com in the .netrc file; using defaults
* Host pkg01-atx.netgate.com:443 was resolved.
* IPv6: 2610:160:11:18::209
* IPv4: 208.123.73.209
*   Trying 208.123.73.209:443...
* Connected to pkg01-atx.netgate.com (208.123.73.209) port 443
* ALPN: curl offers http/1.1
*  CAfile: none
*  CApath: /etc/ssl/certs/
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=*.netgate.com
*  start date: Apr 10 00:00:00 2025 GMT
*  expire date: May 11 23:59:59 2026 GMT
*  subjectAltName: host "pkg01-atx.netgate.com" matched cert's "*.netgate.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha384WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption
* using HTTP/1.x
> GET /pfSense_v2_8_0_amd64-core/meta.conf HTTP/1.1
Host: pkg01-atx.netgate.com
User-Agent: pkg/1.21.3
Accept: */*
If-Modified-Since: Thu, 22 May 2025 01:27:36 GMT

* Request completely sent off
< HTTP/1.1 200 OK
Fetching meta.conf: < Server: nginx
< Date: Mon, 16 Jun 2025 15:59:53 GMT
< Content-Type: application/octet-stream
< Content-Length: 179
< Last-Modified: Thu, 22 May 2025 01:27:36 GMT
< Connection: keep-alive
< ETag: "682e7d88-b3"
< Strict-Transport-Security: max-age=31536000; preload
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Robots-Tag: all
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Accept-Ranges: bytes
<
* The requested document is not new enough
* Simulate an HTTP 304 response
* Closing connection

DBG(1)[64250]> Request to fetch pkg+https://pkg.pfsense.org/pfSense_v2_8_0_amd64-core/data.pkg
DBG(1)[64250]> curl_open
DBG(1)[64250]> Fetch: fetcher used: pkg+https
DBG(1)[64250]> curl> fetching https://pkg.pfsense.org/pfSense_v2_8_0_amd64-core/data.pkg

DBG(1)[64250]> CURL> attempting to fetch from , left retry 3

* Couldn't find host pkg01-atx.netgate.com in the .netrc file; using defaults
* Hostname pkg01-atx.netgate.com was found in DNS cache
*   Trying 208.123.73.209:443...
* Connected to pkg01-atx.netgate.com (208.123.73.209) port 443
* ALPN: curl offers http/1.1
*  CAfile: none
*  CApath: /etc/ssl/certs/
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=*.netgate.com
*  start date: Apr 10 00:00:00 2025 GMT
*  expire date: May 11 23:59:59 2026 GMT
*  subjectAltName: host "pkg01-atx.netgate.com" matched cert's "*.netgate.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha384WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption
* using HTTP/1.x
> GET /pfSense_v2_8_0_amd64-core/data.pkg HTTP/1.1
Host: pkg01-atx.netgate.com
User-Agent: pkg/1.21.3
Accept: */*
If-Modified-Since: Thu, 22 May 2025 01:27:36 GMT

* Request completely sent off
< HTTP/1.1 200 OK
Fetching data.pkg: < Server: nginx
< Date: Mon, 16 Jun 2025 15:59:53 GMT
< Content-Type: application/octet-stream
< Content-Length: 1623
< Last-Modified: Thu, 22 May 2025 01:27:36 GMT
< Connection: keep-alive
< ETag: "682e7d88-657"
< Strict-Transport-Security: max-age=31536000; preload
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Robots-Tag: all
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Accept-Ranges: bytes
<
* The requested document is not new enough
* Simulate an HTTP 304 response
* Closing connection

pfSense-core repository is up to date.
Updating pfSense repository catalogue...
DBG(1)[64250]> PkgRepo: verifying update for pfSense
Waiting for another process to update repository pfSense
All repositories are up to date.

stephenw10

Hmm, well that's the expected behaviour so perhaps you just hit some temporary connectivity issue somewhere.

If it fails again re-run that command to see where it's failing.

pfpv

@stephenw10
This just happened again. I logged in to the GUI (haven't rebooted pfSense for 8 days). The dashboard check took forever. I left it alone for a few minutes. When I returned to the tab the check was finished normally with "no new version". I went to another page in the GUI and noticed that dreaded error at the top of the page. Then I ran 'pkg -d update' and it returned the output similar to what I posted earlier. I went to the package manager and it loaded the list of installed packages fairly quickly. I went to the dashboard and it loaded quickly with "no new version" check.

It looks like the issue happens after a prolonged time of not checking for updates and on login. Is somebody else having the same issue?

stephenw10

Hmm, so just the alert shown after that? No errors in the system log? Gateway went down?

Marlepou

Same problem here with a PC Engines APU4.
No package installed.

After upgrading from 2.7.2 to 2.8.0, the bell with check_upgrade: "Updating repositories metadata" returned an error code 1

Doesn't come back after marking as read until next reboot AND click on a menu item.

And yes,

• Available Packages can be seen,
• System update status is "Up to date".

stephenw10

Hmm, and that's repeatable after every reboot?

And does it initially show an error in the dashboard widget for updates?

Donny

@stephenw10
Hello stephenw10,
I’ve been trying to find a way to resolve the issue: check_upgrade: "Updating repositories metadata" returned error code 1
an issue that many users seem to be facing, just like me. Unfortunately, I couldn’t solve it through the WebGUI or by accessing the console via option 8 and using commands like pkg -d update, pkg upgrade, or anything similar.

So I ended up leaving the notification bell (next to the top menu bar on the dashboard) as it was—showing that error—for about one or two weeks, if I remember correctly. After that, I tried disabling and re-enabling pfBlockerNG-Devel to refresh its database.
Then I configured and saved new Traffic Shaper settings. At that point, I manually clicked "X – Close and Mark All as Read" on the bell icon to dismiss all notifications.

Later, I rebooted the pfSense system. After logging back in to the dashboard, I noticed that the notification bell no longer showed the message (check_upgrade: "Updating repositories metadata" returned error code 1). not on the Dashboard, nor when navigating through other menu sections like System, Interfaces, Firewall, etc.

To be sure, I rebooted the system two or three more times. Normally, I don’t reboot my firewall unless necessary, but this time I wanted to confirm whether the error would return. Surprisingly, the bell notification never came back, and everything has been running smoothly since then.

I still don’t know whether this resolution is directly related to pfBlockerNG-Devel, Traffic Shaper, or a combination of both—but somehow, after these actions, the error never appeared again.

stephenw10

Hmm, and prior to that the alert was shown after every reboot?

Donny

@stephenw10 Yes, prior to that, after every reboot, a notification bell would appear showing the alert: check_upgrade: "Updating repositories metadata" returned error code 1. This happened every time.

Later, when I clicked “X – Close and Mark All as Read” (without rebooting), the system continued to work normally. However, after rebooting again and logging in to the pfSense Dashboard, the bell notification wouldn't appear initially. It only popped up once I clicked on a menu item—such as System, Interfaces, Firewall, or any other menu—and then the notification would show up immediately. After clicking the bell and selecting “X – Close and Mark All as Read” again, everything continued to work normally. This behavior repeated itself after every reboot.

But now, that no longer happens. After every reboot, the bell alert no longer appears, and I can navigate through all menu items without any issues. This change occurred after I disabled and re-enabled pfBlockerNG-Devel and configured the Traffic Shaper.

So, I'm not sure whether this behavior is somehow related to setting the maximum bandwidth values on the WAN, LAN, and OPT interfaces that are used in conjunction with the Traffic Shaper.

bigdaddy286

Same problem with APU2C4.
Fresh installed 2.8 no packages installed.
Also tested 2.7.2 with update to 2.8, always the same message after rebooting.
Setting and deleting traffic shaping doesn‘t help.

pfpv

@stephenw10 said in check_upgrade: "Updating repositories metadata" returned error code 1:

Hmm, so just the alert shown after that? No errors in the system log? Gateway went down?

Just now I logged in to the pfSense GUI after not doing it since my last post 11 days ago. pfSense has been working fine from the clients side of view. It took a while to load the interface after entering the username and password. I found 3 errors '"Updating repositories metadata" returned error code 1' from 6/18 06:49, 6/20 07:38 and 6/22 19:37. After going to another menu another such error showed up from the time I logged in. That's probably why it took so long to show the interface. Checking packages and reloading the interface was fast after that.

At least, this happens on every login for me.

I looked for errors. I found that my failover Tier 3 Gateway did go down a few times but the times did not correspond to the times of the errors we are discussing here. That gateway goes down sometimes as it is a cell backup. Another problem I found - I did not get notifications through Pushover. I always did before the upgrade. Maybe I will open another thread about this.

Then, I found a few

unbound 	4444 	[4444:0] info: service stopped (unbound 1.22.0). 

lines in the log. 30 milliseconds later I see this

unbound 	4444 	[4444:0] notice: Restart of unbound 1.22.0.

Then, several milliseconds later it stopped again and started again. It did it 3 times in fast succession and then there was a pause for several hours or few days. This doesn't seem to be normal. And again, no notifications through Pushover, although this service is in my Service Watchdog list with notifications. But it seems to recover before the watchdog gets a chance to notice it. Is it normal? Before the upgrade I used DNS Forwarder. Maybe I should go back to it.

Again, the times of unbound stops/starts do not correspond to the time of the errors we are discussing here.

This 2.8.0 update added weirdness but pfSense is working fine otherwise.

aGeekhere

Keep getting check_upgrade: "Updating repositories metadata" returned error code 1 even if i do not reboot, a get a few errors each day after upgrading to 2.8.0

stephenw10

@aGeekhere Do you see anything logged at those times?

@pfpv Seeing Unbound restart is normal if you have anything updating it like dhcp leases resolving or pfBlocker with dnsbl enabled.

However the fact it shows that error at login seems like a clue. I still can't replicate it here though.

aGeekhere

@stephenw10 yeah been getting that error a bit ever since upgrading to 2.8.0, never before.

Gertjan

@pfpv said in check_upgrade: "Updating repositories metadata" returned error code 1:

This doesn't seem to be normal. And again, no notifications through Pushover, although this service is in my Service Watchdog list with notifications. But it seems to recover before the watchdog gets a chance to notice it. Is it normal? Before the upgrade I used DNS Forwarder. Maybe I should go back to it.

Several things here.
It's totally normal that system processes restart.
It could be as simple - but in reality rare - you saving new settings in the GUI : the related process, like unbound will get restarted.
Far more often : if an interface like a LAN or your WAN disconnects, processes that are interface-bound will be restarted. Example : nginx, the GUI web interface, unbound, dhcp, ntp and so on.
Another example : pfBlockerng. This package maintains lists : IP and DNS hostnames (DNSBL). If an IP list changes, a new firewall alias is build, and the firewall rules are reload.
If an DNSBL list changes, they are sorted, doubles are remove, white listed hosts are removed, and unbound gets restart - as it's actually unbound doing the heavy lifting here. pfBlockerng by itself isn't involved in DNSBL filtering.

Do yourself a favor : remove "Service Watchdog" from your system. You don't need it. Process don't die, so don't need to be restarted.
If they get restart by the system - see condition above - they are stopped and started.
Only the admin can actually disable or stop a service / prcoess.
If a process fails to start you have a config - or even hardware ? - error. The "Service Watchdog" won't repair your config errors neither hardware error.
"Service Watchdog" is an excellent tool in making your system less stable.

@pfpv said in check_upgrade: "Updating repositories metadata" returned error code 1:

DNS Forwarder.

Forwarding exists because our initial ISP connection, way back in the past, was very expensive, metered (bytes were counted) and slow. I stall remember my huge upgrade a "USR Robtics sportster 56 Kbit V34 modem". It was a must have, and expensive.
You had to use the 'close by' ISP DNS "server" (more a DNS cache system).
These day, forwarding isn't needed anymore.
These days, you can use Internet as it was meant to be used and designed.
You resolve.
Recently, other DNS super caches (actually : they are resolvers like unbound) came to live : you know thhem : 8.8.8.8 1.1.1.1 etc etc.
They do not exist to make your live faster or better. The one and only reason they exist is : they want you DNS data, as that is worth a lot of money for them. And true, using a nearby copy of 8.8.8.8 is a bit faster, you'll gain several milli seconds.

Let's test with a random host name :

[25.03-BETA][root@pfSense.bhf.tld]/root: dig +trace @127.0.0.1 knmi.nl
....Dd7LgdOqhfK2IJ22a3iyw8ayWsASbITzLE8YM/u5rpiKjA==
;; Received 295 bytes from 192.87.36.2#53(ns2.surfnet.nl) in 29 ms

so resolving took (for me) 29 ms.
And from now on, knmi.nl is present in the unbound cache, and will get auto refreshed when it's TTL reaches zero.
Test again :

[25.03-BETA][root@pfSense.bhf.tld]/root: dig knmi.nl
...
;; ANSWER SECTION:
knmi.nl.                28771   IN      A       13.248.242.218
knmi.nl.                28771   IN      A       76.223.116.179

;; Query time: 1 msec

So from now on, 1 ms.

And resolving (yourself) offers something which will become one day, in a near feature**, a planet economic live saver : it uses DNSSEC. They day you understand why it its usage is enforced - even in the US all official web site use it now - nearly entire Europe, you will be scared.

** I hope to be wrong of course.
Anonymous said ones : "DNS" is our last resort emergency break, on a world level.
But countries (governments) have already voluntary corrupted (spoofed) DNS 'because they could or though they had to'.

Anyway, enough side tracked.

So, conclusion : a couple of "service stopped (unbound 1.22.0)" and "Restart of unbound 1.22.0" isn't harmful.
And its up to you to decide if you don't want this to happen, or to happen more often ^^

Keep in mind that a pfSense with a mostly default configuration and no extra pfSense packages installed won't restart unbound, it will keep on running until you reboot pfSense. And that goes for most other processes also.
So, KIS applies as always : keep pfSense as bare bone as possible, and you can actually forget about it for months if not years, only limited to the not so often upgrades and other power outages.
And be ware : consider your pfSense network interfaces : do what ever is needed so they never 'disconnect' or power down.
That's why, if you see a pfSense and a bunch of connected switches, you see an UPS nearby.
A system (pfSense) admin does everything to reach the ultimate admin goal : he does nothing, and is just observing. If he does something, it's planned. A system or network event is by nature a admin's fail.

I'm not saying you did something wrong.
Just : go back to the basics, and then build up your system, and test (a lot) between each step. Be ready to step back.
If you have an issue, you'll know when and where it happened.
At that moment a solution is nearby.

753951

@stephenw10 I'm getting that error for the last week or so, and I'm still on 24.11. If I try to manually check for an update, the branch drop down is empty.

stephenw10

Ah, that seems like a different issue then; it's actually unable to check.

Try running: pkg -d update

And: pfSense-repoc -ND

See what errors are shown.

753951

@stephenw10
[24.11-RELEASE][root@pfsense.stanar.info]/root: pkg -d update
DBG(1)[92284]> pkg initialized
pkg: Unable to open '/usr/local/etc/pkg/repos//pfSense.conf':No such file or directory
No active remote repositories configured.

As for pfSense-repoc -ND

Messages:
Your device has not been registered for pfSense+. Please purchase a pfSense+ subscription to receive future updates. <a href="https://shop.netgate.com/products/pfsense-software-subscription" target="_blank" rel="noopener noreferrer">Netgate store</a>

Don't get it. I made no changes in months.

stephenw10

Ok send me your NDI in chat and I'll check it.