I tried upgrading cold and got an error... rolled back with bectl
-
Deleted the failed upgrade with bectl; everything stable and fine.
I was going from 25.07.1 to 25.11. I have a Netgate 4200.
Copilot conversation follows. Let us know when we can update w/o errors.
++++++++++++++++++
That’s a smart move — Netgate support will want to see exactly what happened during your upgrade attempt. Here’s how you can prepare and submit a useful report:
What to Include in Your Report
System details
- Appliance: Netgate 4200
- pfSense+ version you were upgrading from and to (shown in System → Update or pkg info pfSense).
- Boot environment list (bectl list) showing the failed upgrade snapshot.
Error messages / logs
- The nginx warning:
  [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in /var/etc/nginx-webConfigurator.conf:30
- The PHP fatal error:
  PHP Fatal error: Failed opening required '/etc/rc.filter_synchronize' ...
- Any crash report snippets (like the one you pasted with 15.0-CURRENT).
Symptoms
- GUI inaccessible after upgrade.
- Firewall routing still functional.
- Restarting webConfigurator service did not restore GUI.
- Rollback via bectl activate restored full functionality.
How to Report
- Netgate Support Portal: Log in at Netgate Support and open a ticket. Attach your error logs and boot environment output.
- pfSense Forum: If you don’t have a support subscription, you can post in the pfSense Forum under Installation and Upgrades. Include the same details.
- Crash reports: You can also attach /var/crash/* files directly if they exist.
Why This Helps
- The nginx directive error shows a mismatch between pfSense’s config templates and the newer nginx version.
- The missing /etc/rc.filter_synchronize file shows the upgrade snapshot didn’t fully populate system scripts.
- Together, these point to a packaging/upgrade bug in pfSense+, not third‑party packages.
If you’d like, I can draft a ready‑to‑send support ticket text that bundles your system info, error messages, and symptoms in a clean format. Would you like me to write that out so you can copy/paste it directly into Netgate’s portal?
=====================
These are the error reports recovered.
Crash report begins. Anonymous machine information:
amd64
15.0-CURRENT
FreeBSD 15.0-CURRENT #0 plus-RELENG_25_07-n256508-719054fb1f90: Mon Jul 28 16:47:59 UTC 2025 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-25_07-main/obj/amd64/KX1V1LAU/var/jenkins/workspace/pfSense-Plus-snapshots-25_07-main/sources/FreeB
Crash report details:
PHP Errors:
[13-Dec-2025 13:53:03 America/New_York] PHP Fatal error: Failed opening required '/etc/rc.filter_synchronize' (include_path='.:/etc/inc:/usr/local/pfSense/include:/usr/local/pfSense/include/www:/usr/local/www:/usr/local/captiveportal:/usr/local/pkg:/usr/local/www/classes:/usr/local/www/classes/Form:/usr/local/share/pear:/usr/local/share/openssl_x509_crl/') in Unknown on line 0
No FreeBSD crash data found.
AND========
[13-Dec-2025 13:53:03 America/New_York] PHP Fatal error: Failed opening required '/etc/rc.filter_synchronize' (include_path='.:/etc/inc:/usr/local/pfSense/include:/usr/local/pfSense/include/www:/usr/local/www:/usr/local/captiveportal:/usr/local/pkg:/usr/local/www/classes:/usr/local/www/classes/Form:/usr/local/share/pear:/usr/local/share/openssl_x509_crl/') in Unknown on line 0
-
-
Is it repeatable?
-
A repeatable failed upgrade with these particular errors? Haven't taken the time to do so yet. Maybe tomorrow.
Seems reasonable that it wasn't 3rd party package/plugin but a php error of some kind along with something to do with http2.
I'll try again tomorrow if it'll help.
-
Yes, I mean does it fail the same way if you try to upgrade again, or is there something random in play?
@fg said in I tried upgrading cold and got an error... rolled back with bectl:
Seems reasonable that it wasn't 3rd party package/plugin
Do you have any 3rd party pkgs installed?
-
@stephenw10
I'll try again tonight to repeat the error(s). But these are the installed packages.
-
Might be cleaner to just post copilot explanation... I don't think the certificate error is pertinent. But I'll try again with a new cert for webconfigurator.
=========================
These logs actually tell two different stories — one is a warning about configuration syntax, the other is a hard failure that prevented nginx (and therefore the pfSense GUI) from starting.
1. Deprecated http2 directive warnings
[warn] ... the "listen ... http2" directive is deprecated, use the "http2" directive instead
- Cause: Older pfSense templates generate lines like:
  listen 443 ssl http2;
  In newer nginx builds, the http2 flag must be on its own line:
  listen 443 ssl;
  http2 on;
- Impact: These are warnings only. nginx still starts, but it complains every time it parses the config.
- Fix: Netgate needs to update their pfSense webConfigurator template to match the newer nginx syntax. You can’t permanently fix it yourself because /var/etc/nginx-webConfigurator.conf is auto‑generated.
2. SSL certificate errors — “ee key too small”
[emerg] SSL_CTX_use_certificate("/var/etc/cert.crt") failed (SSL: error:0A00018F:SSL routines::ee key too small)
- Cause: OpenSSL (used by nginx) now enforces a minimum RSA key size. If your GUI certificate is 1024‑bit RSA (common on older pfSense installs), it is rejected as insecure.
- Impact: This is fatal — nginx refuses to start, so the GUI is completely down.
- Fix: Generate or install a new certificate with a stronger key:
  - At least 2048‑bit RSA, or better yet ECC (Elliptic Curve).
  - You can do this from the pfSense console menu (option 8 → openssl commands) or via the GUI once you’re back in a working environment.
  - Replace /var/etc/cert.crt with the new cert and matching key, then restart the webConfigurator:
    /etc/rc.restart_webgui
Summary
- The deprecated http2 warnings are harmless but noisy — pfSense needs to fix their nginx config generator.
- The “ee key too small” errors are the real show‑stopper: your GUI cert is too weak for modern OpenSSL, so nginx refuses to load it. That’s why your upgrade left you without a GUI.
- Rolling back worked because the older boot environment was still using an acceptable cert/key pair.
Next step: when you’re ready, regenerate your GUI certificate with a stronger key size (≥2048‑bit RSA or ECC). That will prevent this exact failure on future pfSense+ upgrades.
Would you like me to show you the exact openssl commands to generate a new 2048‑bit RSA cert/key pair on the Netgate CLI so you’re ready before the next upgrade?
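A pre-upgrade check for the "ee key too small" failure discussed above, as an added example that is not part of the thread or of pfSense's own code. It maps a certificate's key type and size to the highest OpenSSL security level that accepts it, using the minimums documented in SSL_CTX_set_security_level(3). The function names and the sample text are constructed here, and the level a given pfSense+ build enforces is not stated in the thread, so it is passed as an argument.

```shell
#!/bin/sh
# Added example: does a certificate's key meet a given OpenSSL security level?

# Constructed sample of `openssl x509 -noout -text` output (not from the thread).
SAMPLE_TEXT='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)'

# Read `openssl x509 -noout -text` output on stdin, print "<algorithm> <bits>".
pubkey_info() {
    text=$(cat)
    alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$alg" ] && [ -n "$bits" ] || return 1
    printf '%s %s\n' "$alg" "$bits"
}

# Print the highest security level (0-5) that accepts this key type and size.
# Each list holds the documented minimum key size for levels 1 through 5.
max_seclevel() {
    alg=$1; bits=$2
    case $alg in
        rsaEncryption)  set -- 1024 2048 3072 7680 15360 ;;
        id-ecPublicKey) set -- 160 224 256 384 512 ;;
        *) return 2 ;;   # key type not covered by this example
    esac
    level=0
    for min in "$@"; do
        [ "$bits" -ge "$min" ] || break
        level=$((level + 1))
    done
    echo "$level"
}

# check_cert <cert.pem> <required-level>: exit 0 if the key would be accepted.
check_cert() {
    info=$(openssl x509 -in "$1" -noout -text | pubkey_info) || return 2
    lvl=$(max_seclevel $info) || return 2
    echo "$1: $info bits, accepted up to security level $lvl"
    [ "$lvl" -ge "$2" ]
}

# Demo on the constructed sample. On the firewall one would run, for example,
# check_cert /var/etc/cert.crt 2 (the required level 2 is an assumption).
max_seclevel $(printf '%s\n' "$SAMPLE_TEXT" | pubkey_info)
```
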
-
It was the longer length certificate that was needed (4096).
So far the GUI is working perfectly. Thanks for the help getting me to fix this. I'd have waited for ages for the update to be fixed. Funny really.
-
Ah, nice. Are you using an imported cert for the webgui then?