After the update, the mirror is now this:
https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10
and when searching for an update it will fail.
In the settings, if I try to save them, I will get this error, even though I have selected business:
Subscription cannot be set for non-subscription firmware mirror
It looks normal but the error is strange. Can you do a health check?
Otherwise look here https://forum.opnsense.org/index.php?topic=43474.0
Cheers,
Franco
I think this is related, as that error is the top of what is happening here.
I highly recommend pulling back this release before more folx upgrade their production systems
https://forum.opnsense.org/index.php?topic=43474.0
The OP did not post the relevant error. Please stop cross-posting and delivering suggestions on what is certainly a guess here.
Cheers,
Franco
Problem went away, maybe CDN was not ready before.
Ok, glad to hear :)
Hi, I see the same problems as the OP except I can select other mirrors and save settings. Health check returns:
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 24.10_1 at Fri Oct 18 15:25:50 CEST 2024
>>> Root file system: zroot/ROOT/default
>>> Check installed kernel version
Version 24.7.6 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 24.7.6 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense (Priority: 11)
>>> Check installed plugins
os-OPNBEcore 1.4_2
os-acme-client 4.6
os-theme-vicuna 1.48
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense-business" has 70 dependencies to check.
Checking packages: ....................................................................... done
***DONE***
And a connectivity check:
***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 24.10_1 at Fri Oct 18 15:31:27 CEST 2024
Checking connectivity for host: opnsense-update.deciso.com -> 89.149.211.205
PING 89.149.211.205 (89.149.211.205): 1500 data bytes
1508 bytes from 89.149.211.205: icmp_seq=0 ttl=54 time=16.436 ms
1508 bytes from 89.149.211.205: icmp_seq=1 ttl=54 time=16.817 ms
1508 bytes from 89.149.211.205: icmp_seq=2 ttl=54 time=16.656 ms
1508 bytes from 89.149.211.205: icmp_seq=3 ttl=54 time=16.870 ms
--- 89.149.211.205 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 16.436/16.695/16.870/0.169 ms
Checking connectivity for repository (IPv4): https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10
Updating OPNsense repository catalogue...
No CRL was provided for /CN=opnsense-update.deciso.com
Fetching meta.conf: . done
No CRL was provided for /CN=opnsense-update.deciso.com
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 856 packages processed.
All repositories are up to date.
Checking connectivity for host: opnsense-update.deciso.com -> 2001:1af8:4f00:a005:5::
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10
Updating OPNsense repository catalogue...
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
Checking server certificate for host: opnsense-update.deciso.com
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R11
verify return:1
depth=0 CN = opnsense-update.deciso.com
verify return:1
DONE
***DONE***
Any suggestions would be greatly appreciated.
What's the issue? The output looks normal and you can reach the mirror just fine?
IPv6 isn't working on your end. Maybe disable IPv6 on WAN or set general settings to prefer IPv4 over IPv6.
Cheers,
Franco
When I check for updates I get:
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 24.10_1 at Fri Oct 18 15:53:08 CEST 2024
Fetching subscription information, please wait... No CRL was provided for /CN=opnsense-update.deciso.com
done
Fetching changelog information, please wait... No CRL was provided for /CN=opnsense-update.deciso.com
No CRL was provided for /CN=opnsense-update.deciso.com
done
Updating OPNsense repository catalogue...
No CRL was provided for /CN=opnsense-update.deciso.com
Fetching meta.conf: . done
No CRL was provided for /CN=opnsense-update.deciso.com
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 856 packages processed.
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (0 candidates): . done
Processing candidates (0 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***
I don't remember seeing the lines about "No CRL..." before. Is this normal behaviour?
Prefer IPv4 over IPv6 is/was set, also IPv6 set to none on WAN IF.
Yes this is expected until we switch away from the Let's Encrypt certificate chain.
Cheers,
Franco
I am also running into this issue:
Error logs when running the update:
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 24.10 at Fri Oct 18 10:20:45 PDT 2024
Fetching subscription information, please wait... Could not load CRL file /tmp/libfetch_crl.24101810
fetch: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/subscription: Authentication error
Fetching changelog information, please wait... Could not load CRL file /tmp/libfetch_crl.24101810
fetch: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
Could not load CRL file /tmp/libfetch_crl.24101810
Could not load CRL file /tmp/libfetch_crl.24101810
Could not load CRL file /tmp/libfetch_crl.24101810
Could not load CRL file /tmp/libfetch_crl.24101810
Could not load CRL file /tmp/libfetch_crl.24101810
Could not load CRL file /tmp/libfetch_crl.24101810
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Could not load CRL file /tmp/libfetch_crl.24101810
Could not load CRL file /tmp/libfetch_crl.24101810
Could not load CRL file /tmp/libfetch_crl.24101810
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/packagesite.pkg: Authentication error
Could not load CRL file /tmp/libfetch_crl.24101810
Could not load CRL file /tmp/libfetch_crl.24101810
Could not load CRL file /tmp/libfetch_crl.24101810
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***
I can however access the URL https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/packagesite.txz with my browser (using my subscription ID instead of the variable).
Using CURL on the router itself to download the file also works and I can see when using update via the SSH menu that the correct URL is being used. Still gets an authentication error:
Fetching change log information, please wait... Could not load CRL file /tmp/libfetch_crl.24101810
fetch: https://opnsense-update.deciso.com/<removed>/FreeBSD:14:amd64/24.10/sets/changelog.txz: Authentication error
done
Quote from: franco on October 17, 2024, 09:17:05 PM
Otherwise look here https://forum.opnsense.org/index.php?topic=43474.0
Thank you. That plus deleting all libfetch_crl. files in /tmp did the trick.
All working now.
@Franco,
Sorry about the delay, but thanks for the speedy response and all the good work. It's appreciated.
cheers
BTW, the certificate chain was switched on the business mirror so now it doesn't print any errors while checking CRL status.
Cheers,
Franco
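The update-log signatures reported in this thread, as an added triage example that is not part of any post and not OPNsense project code. The function names and verdict labels are hypothetical, and the sample logs are constructed from lines quoted above.

```shell
#!/bin/sh
# Added example (not OPNsense code): triage firmware-update output using the
# failure signatures quoted in this thread. Names and labels are hypothetical.

# classify_update_log FILE -> prints one verdict label
classify_update_log() {
    if grep -q 'Could not load CRL file' "$1" &&
       grep -q 'Authentication error' "$1"; then
        echo stale_crl_file     # thread fix: delete libfetch_crl files in /tmp
    elif grep -q 'Non-recoverable resolver failure' "$1"; then
        echo resolver_failure   # seen in the thread on the IPv6 check
    elif grep -q 'Unable to update repository' "$1"; then
        echo other_failure
    elif grep -q 'No CRL was provided' "$1"; then
        echo ok_crl_notice      # described in the thread as expected
    else
        echo ok
    fi
}

# crl_files_referenced FILE -> unique CRL temp-file paths named in the log
crl_files_referenced() {
    sed -n 's#.*Could not load CRL file \(/[^ ]*\).*#\1#p' "$1" | sort -u
}

# write_samples DIR -> constructed sample logs built from lines in the thread
write_samples() {
    cat > "$1/stale.log" <<'EOF'
Fetching subscription information, please wait... Could not load CRL file /tmp/libfetch_crl.24101810
Could not load CRL file /tmp/libfetch_crl.24101810
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/meta.txz: Authentication error
Unable to update repository OPNsense
EOF
    cat > "$1/ipv6.log" <<'EOF'
pkg: https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:14:amd64/24.10/latest/meta.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
EOF
    cat > "$1/ok.log" <<'EOF'
No CRL was provided for /CN=opnsense-update.deciso.com
All repositories are up to date.
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir"/*.log; do
    printf '%s: %s\n' "${f##*/}" "$(classify_update_log "$f")"
done
rm -rf "$demo_dir"
```

Save the output of an update check to a file and pass it to `classify_update_log`; `crl_files_referenced` lists the exact temporary CRL paths the log complained about.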