OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: tbednarz on June 15, 2023, 11:49:13 AM

Title: Firmware update does not work
Post by: tbednarz on June 15, 2023, 11:49:13 AM
Hi everybody

I have two OPNsense firewalls, where one is a backup device, just in case one fails. The backup machine I sometimes use for travel, since it is a desktop version and not a rackmount device.

Now I was a bit lazy and did not update the desktop version for more than 6 months. It still has version 22.7.10_2 installed. When I try to update the firmware, I got lots of Certificate errors:

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.7.10_2 (amd64/OpenSSL) at Sun Apr 30 03:03:46 CEST 2017
Fetching changelog information, please wait... Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34389172224:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.pkg: Authentication error
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

Could anybody help me to get the update to the latest version working? Many thanks.
Tom
Title: Re: Firmware update does not work
Post by: tbednarz on June 15, 2023, 12:04:08 PM
Sorry for this request. I tried again after a few minutes after a reboot and I could update to 22.7.11 without any errors. Now it is updating to 23.

Don't know why I got all those errors shown in my post...
Title: Re: Firmware update does not work
Post by: franco on June 15, 2023, 12:40:12 PM
> Currently running OPNsense 22.7.10_2 (amd64/OpenSSL) at Sun Apr 30 03:03:46 CEST 2017

I suppose the certificate on the server wasn't valid yet when you tried it almost 6 years ago. ;)

In all seriousness, looks like NTP took a while to kick in.


Cheers,
Franco
Title: Re: Firmware update does not work
Post by: tbednarz on June 15, 2023, 12:44:50 PM
Ohh, that's strange. The box was turned off for about 6 MONTHS, not years! Maybe I was too fast after the first boot after such a long time. It may first have to sync time with an NTP server and I don't know what else is running in the background. But six YEARS ago I did not yet own this machine!!!
Title: Re: Firmware update does not work
Post by: franco on June 15, 2023, 01:11:25 PM
Maybe CMOS battery bad or empty and NTP was working on fixing that already but took more time to rush through the decades :)


Cheers,
Franco
Title: Re: Firmware update does not work
Post by: marmot74 on August 10, 2023, 07:28:50 PM
Not sure if the issue has a similar cause, but since yesterday, I cannot perform updates and get the following message:
I struggle to understand what's going on because this weekend it prompted me to upgrade to a more recent version of OPNsense.... now it's not prompting anymore.

I am on 22.7.11_1 and would like to update to 23.1 or later if possible.

Any thoughts ?

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.7.11_1 (amd64/OpenSSL) at Thu Aug 10 19:23:22 CEST 2023
Fetching changelog information, please wait... done
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 819 packages processed.
Updating SunnyValley repository catalogue...
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/meta.txz: Not Found
repository SunnyValley has no meta file, using default settings
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/packagesite.pkg: Not Found
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/packagesite.txz: Not Found
Unable to update repository SunnyValley
Error updating repositories!
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

Thanks in advance for your help.
Title: Re: Firmware update does not work
Post by: franco on August 10, 2023, 08:39:56 PM
While this report was solved and totally unrelated, your problem simply is that you have a third party repo enabled that is not reachable:

> OPNsense repository update completed. 819 packages processed.

Notice our repository updated ok...

> Updating SunnyValley repository catalogue...
> pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/meta.txz: Not Found

I'd recommend removing os-sunnyvalley and that brings update functionality back.


Cheers,
Franco
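
Added example, not part of the thread and not OPNsense code: a small triage of the two update logs quoted above, separating the clock-skew certificate failure from the missing third-party repository path. The function name `triage`, the cause labels, and the heuristic that series YY.M cannot be running before month M of 20YY are assumptions made for this sketch.

```python
import re
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
RUNNING = re.compile(r"running OPNsense (\d+)\.(\d+)\S* .* at "
                     r"\w{3} (\w{3}) +\d+ [\d:]+ \w+ (\d{4})")
FAILED = re.compile(r"Unable to update repository (\S+)")

def triage(log):
    """Map each repository that failed to update to a likely cause."""
    clock_bad, seen, causes = False, set(), {}
    for line in log.splitlines():
        m = RUNNING.search(line)
        if m:
            # Assumption: series YY.M shipped in month M of 20YY, so a
            # system clock reading earlier than that must be wrong.
            release = (2000 + int(m.group(1)), int(m.group(2)))
            clock = (int(m.group(4)), MONTHS.index(m.group(3)) + 1)
            clock_bad = clock < release
        elif "repository catalogue" in line:
            seen = set()  # a new repository section starts here
        elif "certificate verify failed" in line:
            seen.add("tls")
        elif line.endswith(": Not Found"):
            seen.add("404")
        m = FAILED.search(line)
        if m:
            tls = "clock skew" if clock_bad else "tls verification"
            causes[m.group(1)] = (tls if "tls" in seen else
                                  "repo path not found" if "404" in seen
                                  else "unknown")
    return causes

# Sample input: abridged from the two logs quoted in the thread.
LOG_2017 = """\
Currently running OPNsense 22.7.10_2 (amd64/OpenSSL) at Sun Apr 30 03:03:46 CEST 2017
Updating OPNsense repository catalogue...
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/meta.txz: Authentication error
Unable to update repository OPNsense
"""
LOG_2023 = """\
Currently running OPNsense 22.7.11_1 (amd64/OpenSSL) at Thu Aug 10 19:23:22 CEST 2023
Updating OPNsense repository catalogue...
OPNsense repository update completed. 819 packages processed.
Updating SunnyValley repository catalogue...
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/meta.txz: Not Found
Unable to update repository SunnyValley
"""

print(triage(LOG_2017), triage(LOG_2023))
```

A "clock skew" result means the fix is to let NTP set the time (or set the date by hand) before retrying, not to touch the trust store or disable certificate verification.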