OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: jhh on May 12, 2016, 05:00:39 pm

Title: [SOLVED] update using http fails but works using https
Post by: jhh on May 12, 2016, 05:00:39 pm
Hi,

Don't know if it's just with me. Started using OPNsense with 16.1.
Every update I did since then, which included the "opnsense-x.y.z.txz" package, failed.

WebUI Messages didn't help. Messages I got while upgrading via shell menu have led to the right direction.

Today I took the time to collect messages and so on, so I want to share this, just in case anyone else runs into this problem.

End of message in WebUI (which doesn't help):
Code:
Fetching perl5-5.20.3_12.txz: .......... done
Fetching opnsense-update-16.1.9_1.txz: .. done
Restarting webConfigurator...done.
***DONE***

Update stops here. Nothing gets updated.

End of messages in shell menu:
Code:
19 MiB to be downloaded.
pkg-static: http://pkg.opnsense.org/FreeBSD:10:i386/16.1/latest/All/opnsense-16.1.13.txz: Operation timed out

It is always that package which leads to the timeout.

I do this to work around:

edit /usr/local/etc/pkg/repos/origin.conf
change url from http to https. url looks like this afterwards:
url: "pkg+https://pkg.opnsense.org/${ABI}/16.1/latest"

Now update runs perfectly.
After update, content of origin.conf is changed back to http. I assume origin.conf is included in update.

So this is no big deal for me anymore, nevertheless I have the following wishes  ;)
- please change messages in WebUI, so that one can see that download of a certain package fails
- does the repository have some download issue? Is it desired that this package is available by https but not by http?
- maybe change url in origin.conf to https?

Thank you for your great work!
Best regards,

Joerg
Title: Re: update using http fails but works using https
Post by: franco on May 17, 2016, 10:42:18 am
Hi Joerg,

Can you try downloading http://pkg.opnsense.org/FreeBSD:10:i386/16.1/latest/All/opnsense-16.1.13.txz via browser?

Switching to HTTPS only makes you side-step a caching proxy or some other form of web control in your local network.

Not all mirrors support HTTPS, and since all update files are signed it's actually better for the mirror system to run on pure HTTP as the "S" does not offer any more security in this regard.

There are a few mirrors that are HTTPS by default, if you can't side-step your network access control, you can use one of these (System: Settings: General):

o auf-feindgebiet.de (Karlsruhe, DE)
o c0urier.net (Lund, SE) (very fast!)
o Fleximus (Roubaix, FR)


Cheers,
Franco
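
The point above about signed update files, sketched as an added Python example (not OPNsense or pkg code): a client that pins the repository's public key rejects a package or catalog changed in transit, whatever the transport. The catalog format, function names and sample payload are constructed, and the textbook-RSA key is a toy stand-in for a real signature scheme.

```python
import hashlib

# Toy textbook-RSA key built from two Mersenne primes. Illustration only:
# no padding and far too small for real use; this is not pkg's format.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                              # public modulus, pinned on the client
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, repository only


def _digest_int(data: bytes) -> int:
    """SHA-256 of data as an integer reduced into the toy key's range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes) -> int:
    """Repository side: sign the catalog with the private key."""
    return pow(_digest_int(data), D, N)


def make_catalog(packages: dict) -> bytes:
    """One 'name sha256hex' line per package (constructed format)."""
    lines = [f"{name} {hashlib.sha256(blob).hexdigest()}"
             for name, blob in sorted(packages.items())]
    return "\n".join(lines).encode()


def verify_download(catalog: bytes, sig: int, name: str, blob: bytes) -> bool:
    """Client side: trust the pinned key (N, E), never the mirror or path."""
    if pow(sig, E, N) != _digest_int(catalog):
        return False                   # catalog altered or signed by someone else
    wanted = dict(line.split() for line in catalog.decode().splitlines())
    return wanted.get(name) == hashlib.sha256(blob).hexdigest()


# Constructed sample data standing in for a package and its signed catalog.
NAME = "opnsense-16.1.13.txz"
PKG = {NAME: b"constructed package payload"}
CATALOG = make_catalog(PKG)
SIG = sign(CATALOG)

if __name__ == "__main__":
    print("unmodified:      ", verify_download(CATALOG, SIG, NAME, PKG[NAME]))
    print("payload changed: ", verify_download(CATALOG, SIG, NAME, PKG[NAME] + b"!"))
    swapped = make_catalog({NAME: b"modified payload"})
    print("catalog replaced:", verify_download(swapped, SIG, NAME, b"modified payload"))
```

The check detects modification on any transport; a filter that simply drops the download still produces a timeout like the one quoted in this thread.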
Title: Re: [SOLVED] update using http fails but works using https
Post by: jhh on May 17, 2016, 11:29:24 am
Hi franco,

thank you for your assistance.
No cache but malware protection could be the reason...
I tried with browser at my first attempt to update (3 months ago or so).
Download via http was not possible. Tried different browsers.
At the end chrome automatically switched to https and download started...
That was the reason to start testing with https and change url in origin.conf.
Since then I updated around 5 times or so. Every time same package and solution to download via https.
Since I didn't receive any message from our malware filter I didn't think about that...  :(

But in the end this is of minor importance for me.

I think the important thing is to change messages of failed updates in WebUI.
As you also see in Message "Update failed on ALIX OPNsense" it takes some time to get the idea to change to update via shell to get meaningful messages.

Can I place this as a wish or feature request somewhere?

Thanks and best regards,

Joerg
Title: Re: [SOLVED] update using http fails but works using https
Post by: franco on May 17, 2016, 11:59:17 am
Hi Joerg,

I am aware of the issue. Upgrading ALIX/Nano is being worked on, currently waiting for FreeBSD. Workarounds are available, I will point you in the right direction if you want.

I think stderr is not piped to the progress window in the GUI, I will fix this with 16.1.15 as we're trying to wrap up 16.1.14 for tomorrow at the moment and don't want to introduce last-minute changes in the firmware subsystem.


Cheers,
Franco
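
The symptom described above, reproduced as an added Python example (not OPNsense code): when only stdout is collected for a progress log, the pkg-static error written to stderr never reaches it. The stand-in updater script, the `run_update` name and the exit-status marker are constructed for illustration; the messages mirror the ones quoted in this thread.

```python
import subprocess
import sys

# Constructed stand-in for the updater: progress on stdout, the fetch
# error on stderr, non-zero exit status.
FAKE_UPDATER = r'''
import sys
print("Fetching opnsense-update-16.1.16.txz: ... done", flush=True)
sys.stderr.write("pkg-static: http://pkg.opnsense.org/FreeBSD:10:i386/16.1/"
                 "latest/All/opnsense-16.1.16.txz: Operation timed out\n")
sys.exit(1)
'''


def run_update(merge_stderr: bool):
    """Run the stand-in updater and build the text a progress window shows.

    merge_stderr=False models a log fed from stdout only;
    merge_stderr=True sends stderr into the same stream.
    """
    proc = subprocess.run(
        [sys.executable, "-c", FAKE_UPDATER],
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT if merge_stderr else subprocess.DEVNULL,
        text=True,
    )
    log = proc.stdout
    # Report the exit status as well, so a failure is visible even when
    # the tool itself printed nothing useful.
    log += "***DONE***\n" if proc.returncode == 0 else \
           f"***FAILED*** (exit {proc.returncode})\n"
    return proc.returncode, log


if __name__ == "__main__":
    for merged in (False, True):
        rc, log = run_update(merged)
        print(f"--- stderr merged: {merged} ---")
        print(log, end="")
```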
Title: Re: [SOLVED] update using http fails but works using https
Post by: franco on May 17, 2016, 12:27:51 pm
This will be on 16.1.14-devel and 16.1.15 respectively:

https://github.com/opnsense/core/commit/c598f2c8daf21aaa6dd15f3ab3edb5926d0f396c
Title: Re: [SOLVED] update using http fails but works using https
Post by: jhh on June 14, 2016, 05:40:24 pm
Just for the record....

Updated to 16.1.15 a while ago.
Tried to go to 16.1.16 using WebUI today, without changing to https.

Operation timed out and I got message in WebUI.
Code:
Fetching opnsense-update-16.1.16.txz: ... done
pkg-static: http://pkg.opnsense.org/FreeBSD:10:i386/16.1/latest/All/opnsense-16.1.16.txz: Operation timed out

So now expected message is visible in WebUI and troubleshooting of update issues will be easier.  :) :) :)

Thank you again for your great work.

Best regards,

Joerg