OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: strahlenopfer on February 02, 2017, 02:17:07 pm

Title: [SOLVED] Upgrade to 17.1 fails due to "bad signature"
Post by: strahlenopfer on February 02, 2017, 02:17:07 pm
I tried to upgrade from 16.7 (latest updates are installed) to 17.1, but the upgrade process fails after the package is downloaded:

Code:
----------------------------------------------
|      Hello, this is OPNsense 16.7          |         @@@@@@@@@@@@@@@
|                                            |        @@@@         @@@@
| Website: https://opnsense.org/        |         @@@\\\   ///@@@
| Handbook: https://docs.opnsense.org/   |       ))))))))   ((((((((
| Forums: https://forums.opnsense.org/ |         @@@///   \\\@@@
| Lists: https://lists.opnsense.org/  |        @@@@         @@@@
| Code: https://github.com/opnsense  |         @@@@@@@@@@@@@@@
----------------------------------------------

  0) Logout                              7) Ping host
  1) Assign Interfaces                   8) Shell
  2) Set interface(s) IP address         9) pfTop
  3) Reset the root password            10) Filter Logs
  4) Reset to factory defaults          11) Restart web interface
  5) Power off system                   12) Upgrade from console
  6) Reboot system                      13) Restore a configuration

Enter an option: 12

This will automatically fetch all available updates, apply them,
and reboot if necessary.

A major firmware upgrade is available for this installation: 17.1

Make sure you have read the release notes and migration guide before
attempting this upgrade.  Around 300MB will need to be downloaded and
require 600MB of free space.  Continue with this major upgrade by
typing the major upgrade version number displayed above.

Minor updates may be available, answer 'y' to run them instead.

Proceed with this action? [17.1/y/N]: 17.1

Fetching packages-17.1-OpenSSL-amd64.tar: ...opnsense-verify: error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
Signature is not valid
 failed


I tried to upgrade several times (yesterday and today), I tried several mirrors (OPNsense / LeaseWeb / c0urier.net), but the signature verification constantly fails:
opnsense-verify: error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
Signature is not valid

The internet connection is fine (200 Mbps down, 50 Mbps up), no packet loss or malformed packets.

Any hint on this?
Title: Re: Upgrade to 17.1 fails due to "bad signature"
Post by: franco on February 02, 2017, 02:47:55 pm
Do you have a local cache that might cache the signature file or reject it?

You could also do an insecure update without the signatures, but the signatures are not only for authenticity, they are also for consistency.

Let's try to verify first...

# fetch https://pkg.opnsense.org/sets/packages-17.1-OpenSSL-amd64.tar.sig
# fetch https://pkg.opnsense.org/sets/packages-17.1-OpenSSL-amd64.tar
# opnsense-verify packages-17.1-OpenSSL-amd64.tar

If this also fails, check the contents of the signature and file sizes:

# ls -lah packages-*
# cat packages-17.1-OpenSSL-amd64.tar.sig


Cheers,
Franco

Title: Re: Upgrade to 17.1 fails due to "bad signature"
Post by: strahlenopfer on February 02, 2017, 07:17:35 pm
Hi franco,
thanks for your reply.

# fetch https://pkg.opnsense.org/sets/packages-17.1-OpenSSL-amd64.tar.sig
# fetch https://pkg.opnsense.org/sets/packages-17.1-OpenSSL-amd64.tar
# opnsense-verify packages-17.1-OpenSSL-amd64.tar
worked like a charm:

Code:
# opnsense-verify packages-17.1-OpenSSL-amd64.tar
Verifying signature with trusted certificate pkg.opnsense.org.20161210... done

I found out that /var/cache/opnsense-update/ contained ~50 folders, ~20 of them including incomplete packages-17.1-OpenSSL-amd64.tar files. I checked the SSD, no errors so far, strange...

How do I trigger the upgrade with the successfully downloaded packages-17.1-OpenSSL-amd64.tar file?

PS: Thanks for your excellent support, my donation to OPNsense has been a good investment.  :)
Title: Re: Upgrade to 17.1 fails due to "bad signature"
Post by: franco on February 02, 2017, 09:24:18 pm
Alright, let's do this old school...

Clean up the other cache files for cleaned updates:

# opnsense-update -se

Then fetch all sets (skip packages if you will):

# fetch https://pkg.opnsense.org/sets/packages-17.1-OpenSSL-amd64.tar.sig
# fetch https://pkg.opnsense.org/sets/packages-17.1-OpenSSL-amd64.tar
# fetch https://pkg.opnsense.org/sets/kernel-17.1-amd64.txz.sig
# fetch https://pkg.opnsense.org/sets/kernel-17.1-amd64.txz
# fetch https://pkg.opnsense.org/sets/base-17.1-amd64.obsolete.sig
# fetch https://pkg.opnsense.org/sets/base-17.1-amd64.obsolete
# fetch https://pkg.opnsense.org/sets/base-17.1-amd64.txz.sig
# fetch https://pkg.opnsense.org/sets/base-17.1-amd64.txz

Then use local files with verification to do the upgrade (-l is a small "L"):

# opnsense-update -ur 17.1 -l .

If the box tells you to reboot, do it with:

# /usr/local/etc/rc.reboot


Cheers,
Franco
Title: Re: Upgrade to 17.1 fails due to "bad signature"
Post by: strahlenopfer on February 03, 2017, 10:05:20 am
 :)

Code:
----------------------------------------------
|      Hello, this is OPNsense 17.1          |         @@@@@@@@@@@@@@@
|                                            |        @@@@         @@@@
| Website: https://opnsense.org/        |         @@@\\\   ///@@@
| Handbook: https://docs.opnsense.org/   |       ))))))))   ((((((((
| Forums: https://forums.opnsense.org/ |         @@@///   \\\@@@
| Lists: https://lists.opnsense.org/  |        @@@@         @@@@
| Code: https://github.com/opnsense  |         @@@@@@@@@@@@@@@
----------------------------------------------

The upgrade was successful! OpenVPN, transparent HTTP and HTTPS proxy with remote acls, Intrusion Detection... everything works as it should.

Platform is PC Engines APU.2C4 with 32GB mSATA.

You and your team did a great job, thanks again for your superb support! :)
Title: Re: Upgrade to 17.1 fails due to "bad signature" [SOLVED]
Post by: franco on February 03, 2017, 10:57:39 am
Thank you for the kind words! Let us know if the error reappears so we can look into it in more detail. :)


Cheers,
Franco
Title: Re: [SOLVED] Upgrade to 17.1 fails due to "bad signature"
Post by: skirge01 on February 07, 2017, 08:47:16 pm
I'm having this issue, as well.  However, when I tried "fetch https://pkg.opnsense.org/sets/packages-17.1-OpenSSL-amd64.tar", I received a message that the file appears to be truncated.  I attempted it several times.

Update:  It took 3 hours of retrying to fetch that .tar file, but it finally downloaded completely.  I think I retried more than 50 times over those 3 hours.  After it completed, I was able to do the rest of the commands franco listed and complete the upgrade.
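
The manual procedure from this thread (fetch each set with its .sig, run opnsense-verify, and retry when a download comes back truncated) can be scripted so that no set is used until its signature checks out. This is an added example, not part of the original posts and not OPNsense project code; the FETCH, VERIFY, MAX_TRIES and RETRY_DELAY variables and the function names are hypothetical, and it assumes opnsense-verify exits non-zero when the signature is not valid.

```shell
#!/bin/sh
# Added example: download the 17.1 sets named in the thread and keep
# retrying each one until opnsense-verify accepts it.
BASE_URL="https://pkg.opnsense.org/sets"
SETS="packages-17.1-OpenSSL-amd64.tar kernel-17.1-amd64.txz
base-17.1-amd64.obsolete base-17.1-amd64.txz"
FETCH="${FETCH:-fetch}"               # FreeBSD fetch(1); overridable (assumption)
VERIFY="${VERIFY:-opnsense-verify}"   # assumed to exit non-zero on a bad signature
MAX_TRIES="${MAX_TRIES:-50}"          # hypothetical retry limit
RETRY_DELAY="${RETRY_DELAY:-5}"       # hypothetical pause between attempts, seconds

fetch_verified() {
    # $1 = set file name; files land in the current directory
    name="$1"
    try=1
    while [ "$try" -le "$MAX_TRIES" ]; do
        # Start clean so a stale or partial file is never verified
        rm -f "$name" "$name.sig"
        if $FETCH "$BASE_URL/$name.sig" && $FETCH "$BASE_URL/$name" \
            && [ -s "$name" ] && [ -s "$name.sig" ] \
            && $VERIFY "$name"; then
            return 0
        fi
        echo "attempt $try for $name failed (truncated or bad signature)" >&2
        try=$((try + 1))
        sleep "$RETRY_DELAY"
    done
    return 1
}

fetch_all_sets() {
    # Stop at the first set that never verifies; do not upgrade from it
    for s in $SETS; do
        fetch_verified "$s" || { echo "giving up on $s" >&2; return 1; }
    done
}

# Run with the argument "run" to download everything into the current directory
if [ "${1:-}" = run ]; then
    fetch_all_sets
fi
```

Once every set has verified, the upgrade step from franco's post (`opnsense-update -ur 17.1 -l .`) is run from the same directory.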