After updating my OPNsense Business Edition from version 25.4 to 25.10, no packages are available anymore under System → Firmware → Extensions.
The following error is shown:
The release type "opnsense-business" is not available in this repository.
Additionally, all installed extensions show up as "orphaned", even though they were updated successfully.
Running the usual update commands via shell shows that the repositories themselves are reachable, but the business release type seems to be missing:
root@fw:~ # pkg update
Updating OPNsense repository catalogue...
Fetching meta.conf: 100% 163 B 0.2kB/s 00:01
Fetching packagesite.pkg: 100% 256 KiB 262.0kB/s 00:01
Processing entries: 100%
OPNsense repository update completed. 911 packages processed.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
root@fw:~ # opnsense-update
Nothing to do.
Environment:
OPNsense Business Edition 25.10
Previous version: 25.4
Default Business repository enabled
No manual changes to repository or mirror configuration
Expected behavior:
Business repository should be automatically recognized after the update
Installed extensions should not appear as "orphaned"
Package and plugin management should continue to function normally
Actual behavior:
Error: "The release type 'opnsense-business' is not available in this repository."
All extensions appear as orphaned
No new plugins or packages can be loaded
This might be a Zenarmor issue, but I don't see the actual evidence. The OPNsense repo updates fine as you can see:
> OPNsense repository update completed. 911 packages processed.
A health audit would make sense.
> root@fw:~ # opnsense-update
> Nothing to do.
Which is correct because it needs an option to proceed. ;)
Cheers,
Franco
I ran a full Health Audit — it completed successfully and no errors or inconsistencies were found.
However, the issue remains:
All extensions are still marked as "orphaned", and no additional packages are listed besides the ones already installed.
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 25.10 (amd64) at Thu Oct 16 09:30:15 CEST 2025
Strict TLS 1.3 and CRL checking is enabled.
>>> Root file system: zroot/ROOT/default
>>> Check installed kernel version
Version 25.7.5 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 25.7.5 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
SunnyValley (Priority: 7)
OPNsense (Priority: 11)
>>> Check installed plugins
os-OPNBEcore 1.6
os-OPNcentral 1.11_2
os-acme-client 4.10
os-apcupsd 1.2_3
os-cpu-microcode-intel 1.1
os-ddclient 1.27_4
os-dmidecode 1.2
os-hw-probe 1.0_1
os-netbird 1.1
os-nginx 1.35_2
os-sensei 2.1
os-sensei-agent 2.1
os-sensei-updater 1.18
os-smart 2.4
os-sunnyvalley 1.5
os-tftp 1.0
os-zabbix7-agent 1.17
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense-business" at 25.10 has 68 dependencies to check.
Checking packages: ..................................................................... done
***DONE***
Remove os-sunnyvalley repo plugin. I'm quite sure that's the issue. Zenarmor will remain installed, but firmware display should be back to normal.
Cheers,
Franco
Removing os-sunnyvalley immediately resolves the issue — all extensions are shown again.
However, this also removes the Zenarmor integration, which I still need for installation and updates.
So I assume we need to wait until Sunny Valley releases a 25.10 compatible version?
No, os-sunnyvalley is the repository file only. Since there is a persistent issue with wrong SSL certificates being published by the Cloudflare backend, the enabled repository taints the update process inside the package manager.
You can see this more clearly in this report https://www.reddit.com/r/opnsense/comments/1o7aw84/comment/njpduc1/
Cheers,
Franco
Thanks Franco, that makes sense.
So the issue is caused by the invalid SSL certificates on Sunny Valley's Cloudflare backend, and the only fix will have to come from Sunny Valley themselves, right?
I'll keep the os-sunnyvalley repository disabled for now and wait until they correct the certificates and republish the repository.
Thanks again for clarifying!
Yes, their repo URL points via HTTPS to updates.zenarmor.net and strict host checking will not match when an SSL certificate for 85bd57b0.sni.cloudflaressl.com is presented. I've tried to explain this before to them. It's simply how HTTPS works and the check fails for obvious MITM concerns as it should.
Cheers,
Franco
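Added example, not part of the thread and not OPNsense or pkg code: the name-matching step of strict HTTPS host checking (RFC 6125 style), applied to the repository host and the certificate name quoted above. It covers only the hostname comparison, not chain or CRL validation; the SAN lists are constructed samples and the "exact" and "wildcard" certificates are hypothetical.

```python
# Added example: strict HTTPS host checking reduced to its name-matching step.
# Rules follow RFC 6125 section 6.4; the SAN lists below are constructed samples.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, host):
    """True if one certificate dNSName entry covers the requested host."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or "" in p or "" in h:
        return False            # a wildcard never spans more than one label
    if p[0] == "*":
        # Wildcard only as the complete leftmost label, and only when at
        # least two literal labels follow it ("*.net" is rejected).
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in pattern:
        return False            # partial or non-leftmost wildcards are refused
    return p == h

def check_host(host, san_dns_names):
    """Return (ok, reason) the way a strict client decides on a connection."""
    for entry in san_dns_names:
        if san_matches(entry, host):
            return True, f"{host} matched by {entry}"
    presented = ", ".join(san_dns_names) or "no dNSName entries"
    return False, f"{host} not covered by certificate ({presented})"

REPO_HOST = "updates.zenarmor.net"   # repository host named in the thread

# Constructed SAN lists. The first uses the certificate name quoted in the
# thread; the other two are hypothetical certificates for comparison.
SAMPLES = {
    "presented": ["85bd57b0.sni.cloudflaressl.com"],
    "exact": ["updates.zenarmor.net"],
    "wildcard": ["*.zenarmor.net", "zenarmor.net"],
}

if __name__ == "__main__":
    for label, sans in SAMPLES.items():
        ok, reason = check_host(REPO_HOST, sans)
        print(f"{label:10} {'PASS' if ok else 'FAIL'}  {reason}")
```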