OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: Durandal on September 18, 2022, 11:14:33 am

Title: Revoked certificate after upgrading to 22.7.4
Post by: Durandal on September 18, 2022, 11:14:33 am
Hello all,
Today I took some time to upgrade my OPNsense firewall.
I had to perform an update first (of the old release, think it must have been 21.x), after that an upgrade to 22.7 and after that another update to 22.7.4.

When I checked again for the updates I'm OK now, but there is a revoked certificate used to check for updates:

Code:
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.7.4 (amd64/OpenSSL) at Sun Sep 18 11:02:00 CEST 2022
Fetching changelog information, please wait... The file was signed with revoked certificate pkg.opnsense.org.20210903
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 802 packages processed.
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (0 candidates): . done
Processing candidates (0 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

Found a Reddit thread from 7 days ago about that, no answer there.
Also I searched the forum here for revoked certificate and especially the string of the certificate but without luck.

Any idea on this one?
Appreciate any tips.

Best,
Durandal
Title: Re: Revoked certificate after upgrading to 22.7.4
Post by: Fright on September 19, 2022, 04:58:15 pm
Hi
It is certainly better to wait for @franco, but if I understand the code correctly, the signature file is downloaded only if the checksum of the changelog.txz has changed (that is, if at some point the mis-signed changelog file was already downloaded, then after creating a new signature file it may not be downloaded if the checksum of the changelog.txz has not changed). You can try deleting the changelog.txz and changelog.txz.sig files in the /usr/local/opnsense/changelog dir and try checking for updates again.
Title: Re: Revoked certificate after upgrading to 22.7.4
Post by: abotsis on September 25, 2022, 04:29:11 pm
I'm getting the same:
Code:
Fetching change log information, please wait... The file was signed with revoked certificate pkg.opnsense.org.20210903
I did maybe sorta kinda run out of disk space because I had A Thing(tm) hammering unbound and filled logs up. So it might be related to that? I also recently upgraded the sensei engine (after my 22.7.4 upgrade). Removing the changelog.txz[.sig] did fix the error. I decided to let it upgrade (yolo!) and got some (what I think are) new dependency errors:
Code:
>>> Missing package dependencies were detected.
>>> Found 3 issue(s) in the package database.

pkg-static: No packages available to install matching 'php74' have been found in the repositories
pkg-static: No packages available to install matching 'python37' have been found in the repositories
pkg-static: No packages available to install matching 'py37-setuptools' have been found in the repositories
*shrug* Happy to do more research. If a package mirror was popped and certs revoked, though, that'd be kinda good to know sooner rather than later. It makes me a little nervous because a cert revocation isn't really a "passive" failure mode that you'd expect as a side effect. It's a pretty deliberate and specific thing, only having one real root cause (someone explicitly revoking the thing).

*edited for formatting because OCD.
Title: Re: Revoked certificate after upgrading to 22.7.4
Post by: Koloa on September 26, 2022, 08:59:26 am
> Hi
> It is certainly better to wait for @franco, but if I understand the code correctly, the signature file is downloaded only if the checksum of the changelog.txz has changed (that is, if at some point the mis-signed changelog file was already downloaded, then after creating a new signature file it may not be downloaded if the checksum of the changelog.txz has not changed). You can try deleting the changelog.txz and changelog.txz.sig files in the /usr/local/opnsense/changelog dir and try checking for updates again.

For what it is worth, this worked for me.

In my case, I blamed the fact that I sidegraded from the Business Edition to the Community Edition -- but that may not have been the reason for the error.  I made a backup of the changelog files just in case, then removed them, tried updates, and no longer have the error.

Title: Re: Revoked certificate after upgrading to 22.7.4
Post by: franco on September 26, 2022, 10:15:15 am
> Fetching change log information, please wait... The file was signed with revoked certificate pkg.opnsense.org.20210903

I see no indication for this in the scripting or files on the mirror.

Can you post the following?

# opnsense-update -M

I assume it still points to "22.1" when it should point to "22.7" in the URL...


Cheers,
Franco
Title: Re: Revoked certificate after upgrading to 22.7.4
Post by: j_s on October 01, 2022, 12:23:19 am
@franco



Enter an option: 12

Fetching change log information, please wait... The file was signed with revoked certificate pkg.opnsense.org.20210903

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: ^C
*** opnsense4.site.business: OPNsense 22.7.4 (amd64/OpenSSL) ***


root@opnsense4:~ # opnsense-update -M
https://pkg.opnsense.org/FreeBSD:13:amd64/22.7


Just got this error myself on my OPNsense install. I just upgraded from 22.1 to 22.7.4.
Title: Re: Revoked certificate after upgrading to 22.7.4
Post by: franco on October 04, 2022, 08:35:49 am
I'd just try to bootstrap now..

# opnsense-bootstrap -r 22.7


Cheers,
Franco
Title: Re: Revoked certificate after upgrading to 22.7.4
Post by: franco on October 13, 2022, 10:06:05 am
Recently ran across this with a box that was upgraded from 22.1. I think we should just flush the old files when the signature verify fails anyway so that the next download can recover it:

https://github.com/opnsense/core/commit/8d50193182


Cheers,
Franco
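
The caching behaviour Fright describes and the flush-on-failure recovery franco mentions above, modelled as an added shell example. It is not code from OPNsense or from any poster; the function names, the revoked-key list and the two-line stand-in signature format are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration, not OPNsense code; every name below is hypothetical.
# The "signature" is a stand-in: line 1 names the signer, line 2 holds the
# archive checksum. Real verification uses public-key signatures.
REVOKED=""    # constructed list of revoked signer names

digest() { cksum < "$1"; }

# verify ARCHIVE SIG: succeeds only for a matching, non-revoked signature
verify() {
    signer=$(sed -n 1p "$2"); signed=$(sed -n 2p "$2")
    [ "$signed" = "$(digest "$1")" ] || return 1
    case " $REVOKED " in *" $signer "*) return 2 ;; esac
}

# refresh MIRROR CACHE FLUSH: download archive and signature only when the
# mirror's archive checksum differs from the cached one, then verify.
refresh() {
    mirror=$1; cache=$2; flush=$3
    if [ ! -f "$cache/changelog.txz" ] ||
       [ "$(digest "$cache/changelog.txz")" != "$(digest "$mirror/changelog.txz")" ]; then
        cp "$mirror/changelog.txz" "$mirror/changelog.txz.sig" "$cache/"
    fi
    if verify "$cache/changelog.txz" "$cache/changelog.txz.sig"; then
        echo ok
    else
        # The fix: drop the cached pair so the next run downloads both again
        if [ "$flush" = yes ]; then rm -f "$cache"/changelog.txz*; fi
        echo failed
    fi
}

# demo MODE: three update checks around a key revocation; MODE is yes or no
demo() {
    mode=$1; t=$(mktemp -d); mkdir "$t/mirror" "$t/cache"
    echo "constructed release notes" > "$t/mirror/changelog.txz"
    sum=$(digest "$t/mirror/changelog.txz")
    printf '%s\n%s\n' old-key "$sum" > "$t/mirror/changelog.txz.sig"
    REVOKED=""; r1=$(refresh "$t/mirror" "$t/cache" "$mode")
    # Key gets revoked; mirror re-signs the unchanged archive with a new key
    REVOKED="old-key"
    printf '%s\n%s\n' new-key "$sum" > "$t/mirror/changelog.txz.sig"
    r2=$(refresh "$t/mirror" "$t/cache" "$mode")
    r3=$(refresh "$t/mirror" "$t/cache" "$mode")
    rm -rf "$t"; echo "$r1 $r2 $r3"
}

echo "without flush: $(demo no)"
echo "with flush:    $(demo yes)"
```

Without the flush, the cached signature is re-verified on every check and keeps failing because the unchanged archive checksum never triggers a new download; with it, the check after the failure fetches the re-signed pair and passes.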
Title: Re: Revoked certificate after upgrading to 22.7.4
Post by: Durandal on October 16, 2022, 03:12:53 pm
Hi all,

First tried an update again, same signature error.

As suggested I removed both files under:

/usr/local/opnsense/changelog

File1: changelog.txz         -> remove
File2: changelog.txz.sig   -> remove

To achieve that I activated SSH access (for the first time). So I never changed anything manually in OPNsense.

Now update is running.

@franco, Thanks for the commit

BR
Title: Re: Revoked certificate after upgrading to 22.7.4
Post by: Durandal on October 16, 2022, 03:39:57 pm
Hi,

Update worked perfectly - now to 22.7.6:

Code:
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.7.6 (amd64/OpenSSL) at Sun Oct 16 15:37:29 CEST 2022
Fetching changelog information, please wait... done
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 808 packages processed.
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (0 candidates): . done
Processing candidates (0 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

Certificate error is gone after manually removing both files.

Thank you all!

Title: Re: Revoked certificate after upgrading to 22.7.4
Post by: franco on October 17, 2022, 08:13:53 am
Thanks for confirming :)