Greetings
Still pretty much a noob here!
When I am trying to update using the gui system (under system/firmware/updates) I'm getting
pkg-static: https:// xxxxxx:amd64/23.7/latest/packagesite.pkg: Authentication error
similar except it's packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
Starting web GUI . . . done.
Generating RRD graphs . . . done.
***DONE***
What do I do to update my system?
TIA
Hi,
Not sure what " xxxxxx" is but authentication error here means the TLS connection isn't working either indicating a custom untrusted mirror (self-signed?) or a proxy interfering with TLS while connecting to a known good mirror from the list.
Cheers,
Franco
Quote from: franco on April 28, 2024, 08:53:55 AM
Hi,
Not sure what " xxxxxx" is but authentication error here means the TLS connection isn't working either indicating a custom untrusted mirror (self-signed?) or a proxy interfering with TLS while connecting to a known good mirror from the list.
Cheers,
Franco
Originally copied files from mirror to a computer. Then burned those files onto a USB stick. Used that for the install.
So - - - how do I 'fix' this?
Am I stuck with a perpetual download and burn?
TIA
complete line is pkg-static https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/meta.txz: Authentication error
does that help pinpoint what's not working correctly?
What do I need to do to get the system to update?
(Right now my only option seems to be to reinstall using a newer system - - which I would rather not do.)
I think you hit a proxy or defunct IPv6, whichever comes first.
Or maybe the time of the box is off. There's a reason why posting full logs (like the update log) can help pinpoint this instead of stabbing in the dark. The connectivity audit can reveal problems with IPv6.
Cheers,
Franco
Quote from: franco on April 30, 2024, 04:15:52 PM
I think you hit a proxy or defunct IPv6, whichever comes first.
Or maybe the time of the box is off. There's a reason why posting full logs (like the update log) can help pinpoint this instead of stabbing in the dark. The connectivity audit can reveal problems with IPv6.
Cheers,
Franco
Checked time with the 'date' command - - - system seems to be running about 30 some seconds behind ntp.
I would love to give you the complete update log except I would bet that me typing it from one screen to another is going to add a bunch of errors besides taking about an hour - - - then there are the 10 or so lines that have disappeared as the text scrolled by which I would have no way of copying.
I'm not trying to use ipv6 I'm on ipv4.
So it seems that you're politely saying that I'm sol regarding getting an update to work.
Will admit that this is not overwhelmingly reassuring.
Why aren't you using one of the mirrors that host the firmwares, and without a proxy in between (if any)? They have the correct certificates to allow the TLS session to be established. That is the reason it is failing as was explained earlier.
By the way, the messages on screen (a console) also get written to file. But why would you use a screen+keyboard to a console to the system, when you can reach it by ssh and by a UI?
Back to it though. Are you able to connect via the UI and select a mirror?
Quote from: cookiemonster on April 30, 2024, 11:17:14 PM
Why aren't you using one of the mirrors that host the firmwares, and without a proxy in between (if any)? They have the correct certificates to allow the TLS session to be established. That is the reason it is failing as was explained earlier.
By the way, the messages on screen (a console) also get written to file. But why would you use a screen+keyboard to a console to the system, when you can reach it by ssh and by a UI?
Back to it though. Are you able to connect via the UI and select a mirror?
In Debian I can edit /etc/usr/sources.list and then I can specify a mirror if I so desire.
Absolutely CANNOT find a way to do that here on OPNsense.
Why would I use a console - - - I'm comfortable using a non-gui updating system - - - definitely no expert but can work my way through most what I need to do and I can most often find some recipe to get to what/where I want.
Tried using # ssh root@192.168.1.1 and - - - well - - nothing happens!
When I go look into /usr/local/etc/pkg/repos I do find OPNsense.conf - - - which reads:
OPNsense: {
  fingerprints: "/usr/local/etc/pkg/fingerprints/OPNsense",
  url: "pkg+https://pkg.opnsense.org/${ABI}/23.7/latest",
  signature_type: "fingerprints",
  mirror_type: "srv",
  priority: 11,
  enabled: yes
}
That information is as installed where I changed nothing (added nor removed anything only added ip addresses!).
So from what you're saying I'm supposed to be able to choose a mirror - - - where/how?
TIA
You can pick the mirror and perform the update right in the UI. System > Firmware > Settings.
Quote from: Patrick M. Hausen on May 01, 2024, 01:11:45 AM
You can pick the mirror and perform the update right in the UI. System > Firmware > Settings.
So using the gui I went to system: firmware and chose as mirror: ServerBase AG, type: community, subscription: blank
ask for a system update
"Fetching changelog information, please wait . . . fetch" https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/sets/changelog.txz:
Authentication error
lots more info including the line:
pkg: Repository OPNsense cannot be opened. 'pkg update' required
so changing the mirror from 'default' to a specific mirror really didn't achieve anything.
(Changed mirror, saved, rebooted and then reconnected as for process)
You have a proxy upstream.
You can either bypass it or allow access through the proxy to the chosen mirror without authentication.
To expand a little.
Quote from: ajoeiam
"Fetching changelog information, please wait . . . fetch" https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/sets/changelog.txz:
Authentication error
lots more info including the line:
pkg: Repository OPNsense cannot be opened. 'pkg update' required
so changing the mirror from 'default' to a specific mirror really didn't achieve anything.
(Changed mirror, saved, rebooted and then reconnected as for process)
The Authentication error is the important part.
And as franco said earlier
Quote from: franco on April 30, 2024, 04:15:52 PM
I think you hit a proxy or defunct IPv6, whichever comes first.
Or maybe the time of the box is off. There's a reason why posting full logs (like the update log) can help pinpoint this instead of stabbing in the dark. The connectivity audit can reveal problems with IPv6.
Please do the connectivity audit. If the update tries an IPv6 mirror and fails, you have this problem. It can be that you have IPv6 half setup. If you are not using it yourself (and you should know based on your ISP package), then try to disable it in OPN.
Also try different mirrors. Some are easier to reach than others, depending on your location.
And the proxy part is about some proxy (that you might know about or not, depending on where the system is sat or your ISP). Try to investigate if you are behind one.
It might be an idea to add the dump of the SSL information from the main mirror so we can plainly see what's going on in these cases?
(Provided that information is ever given.)
Cheers,
Franco
I actually got a glimpse of that error on a VM I discovered that was off for a few months.
When I turned it on it would keep proposing to update to 24.1.r1 from 24.1.r_3.
Restarted services or rebooting didn't help, so I tried -Vbkr and saw it failing to verify the cert.
Inspected the cert with openssl and found it not valid yet, which ultimately revealed the ntp issue - machine time was in January.
So the previous comment about the FW being 30 seconds behind is a clear indication time is not syncing and causing the update issues for the OP - if there's no proxy upstream.
The time can be set in CLI to get the machine to update, and the NTP issue can be solved after.
The date command for the CLI is this one, two digits for year month day hour minutes .seconds
date yymmddhhmm.ss
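The check described in the post above (compare the mirror certificate's validity window with the machine clock), combined with the issuer check implied by the proxy diagnosis earlier in the thread, as an added example that is not part of any post. It parses text in the form printed by `openssl x509 -noout -issuer -dates`; the sample dates and the "Example Inspection CA" name are constructed, and the expected issuer is the one shown in the connectivity audit later in this thread.

```python
import re
from datetime import datetime, timezone

# Issuing CA shown for pkg.opnsense.org in the connectivity audit in this thread.
EXPECTED_ISSUER_CN = "GlobalSign GCC R3 DV TLS CA 2020"
DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # format printed by `openssl x509 -dates`

def _utc(value):
    return datetime.strptime(value.strip(), DATE_FMT).replace(tzinfo=timezone.utc)

def parse_cert_summary(text):
    """Parse text in the form printed by `openssl x509 -noout -issuer -dates`."""
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    cn = re.search(r"CN\s*=\s*([^,]+)", fields.get("issuer", ""))
    return {"issuer_cn": cn.group(1).strip() if cn else None,
            "not_before": _utc(fields["notBefore"]),
            "not_after": _utc(fields["notAfter"])}

def diagnose(text, now, expected_issuer_cn=EXPECTED_ISSUER_CN):
    """Return the reasons this certificate would fail verification at time `now`."""
    cert = parse_cert_summary(text)
    findings = []
    if now < cert["not_before"]:
        findings.append("not yet valid: local clock is behind notBefore")
    elif now > cert["not_after"]:
        findings.append("expired: certificate is stale or local clock is ahead")
    if cert["issuer_cn"] != expected_issuer_cn:
        findings.append("unexpected issuer %r: proxy or custom mirror" % cert["issuer_cn"])
    return findings

# Constructed samples: the dates and the inspection CA name are made up.
GENUINE = """issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign GCC R3 DV TLS CA 2020
notBefore=Mar  4 09:15:00 2024 GMT
notAfter=Apr  5 09:14:59 2025 GMT"""
INTERCEPTED = """issuer=O = Example Corp, CN = Example Inspection CA
notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Jan  1 00:00:00 2026 GMT"""

if __name__ == "__main__":
    stale_clock = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # box stuck in January
    good_clock = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    print(diagnose(GENUINE, stale_clock))      # clock finding only
    print(diagnose(GENUINE, good_clock))       # no findings
    print(diagnose(INTERCEPTED, good_clock))   # issuer finding only
```

A matching issuer name in this text is only a triage hint; the chain verification that pkg and `openssl s_client` perform is what actually establishes trust.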
Hi,
How do I patch my files for IPSec ?
I'm currently on 24.7.2 and if I check for an update I get
" There are no updates available on the selected mirror. "
The mirror is 'default' and the type is 'community'
Following the upgrade to 24.7.2 my IPSec VPN to my office fails to connect.
Thanks
Perform a health and a connectivity audit, please.
Hi.
Connectivity:
***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 24.7.12 (amd64) at Sat Jan 18 22:06:12 GMT 2025
Checking connectivity for host: pkg.opnsense.org -> 89.149.222.99
PING 89.149.222.99 (89.149.222.99): 1500 data bytes
1508 bytes from 89.149.222.99: icmp_seq=0 ttl=58 time=17.814 ms
1508 bytes from 89.149.222.99: icmp_seq=1 ttl=58 time=17.352 ms
1508 bytes from 89.149.222.99: icmp_seq=2 ttl=58 time=17.990 ms
1508 bytes from 89.149.222.99: icmp_seq=3 ttl=58 time=17.688 ms
--- 89.149.222.99 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 17.352/17.711/17.990/0.233 ms
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:14:amd64/24.7
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 865 packages processed.
All repositories are up to date.
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:5300:a010:1::1
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:14:amd64/24.7
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/24.7/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/24.7/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/24.7/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
Checking server certificate for host: pkg.opnsense.org
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign GCC R3 DV TLS CA 2020
verify return:1
depth=0 CN = pkg.opnsense.org
verify return:1
DONE
***DONE***
Health:
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 24.7.12 (amd64) at Sat Jan 18 22:07:26 GMT 2025
>>> Root file system: /dev/gpt/rootfs
>>> Check installed kernel version
Version 24.7.12 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 24.7.12 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense (Priority: 11)
>>> Check installed plugins
os-realtek-re 1.0
os-theme-cicada 1.38
os-udpbroadcastrelay 1.0_5
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" at 24.7.12 has 69 dependencies to check.
Checking packages: ...................................................................... done
***DONE***
Thanks
I do have IPv6 disabled, but I can ping pkg.opnsense.org without issue.
Any ideas how to resolve this as I'd like to get my VPN working again.
Thanks
Your DNS for the OPNsense system itself is somehow broken:
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/24.7/latest/packagesite.pkg: Non-recoverable resolver failure
Quote from: Patrick M. Hausen on January 18, 2025, 11:36:33 PM
Your DNS for the OPNsense system itself is somehow broken:
pkg: https://pkg.opnsense.org/FreeBSD:14:amd64/24.7/latest/packagesite.pkg: Non-recoverable resolver failure
I can ping the address and browse to it.
Is there any other option to set the upgrade ?
Quote from: TomT on January 18, 2025, 11:41:31 PM
I can ping the address and browse to it.
From a shell on OPNsense itself?
Try System > Settings > General and set the DNS to e.g. 8.8.8.8
Ok. I've been an idiot 😞
I'm running 24.7.12 NOT 24.7.2 !
I've restarted my server and now the VPN is up. 🤦