Topics

Update OPNsense from 25.1 => 25.1.1 fails when updating haproxy.
The update procedure tries to update haproxy from 3.0.7 to 3.0.8 but it fails with an error message in th elog window. The rest of the update is OK and the router reboots as expected. However, haproxy service does not start. When I click update again I am presented with an upgrade of haproxy 3.0.7=>3.0.8. Accepting that and the update succeeds but the service does not start. After starting manually everything seems to work.

I have tried this on two different installations with exactly the same behaviour.

I have an old picture widget file that is hanging around. It adds > 1 Mb to every backup file. How can I get rid of this file?

I have an old picture widget file that is hanging around. It adds > 1 Mb to every backup file. How can I get rid of this file?

I have updated a couple of devices to 24.1 without issues. But when I resumed the work this morning the upgrade fails on two units.
After the step where I expected 24.1 to be in place the router restarted with these versions:

Code Select Expand


OPNsense 23.7.12_5-amd64
FreeBSD 13.2-RELEASE-p9
OpenSSL 3.0.12


When I try to upgrade again I get this:

Code Select Expand


***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.7.12_5 at Wed Jan 31 13:06:23 CET 2024
Fetching changelog information, please wait... done
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 863 packages processed.
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (77 candidates): .......... done
Processing candidates (77 candidates): ... done
Checking integrity... done (1 conflicting)
  - openssl111-1.1.1w conflicts with openssl-3.0.12_2,1 on /usr/local/bin/c_rehash
Checking integrity... done (0 conflicting)
The following 58 package(s) will be affected (of 0 checked):

Installed packages to be REMOVED:
cpdup: 1.22_1
haproxy28: 2.8.5_4
hostapd: 2.10_9
openssl: 3.0.12_2,1
opnsense: 23.7.12_5
opnsense-installer: 24.1
opnsense-update: 24.1
os-haproxy: 4.2
php82: 8.2.15
php82-ctype: 8.2.15
php82-curl: 8.2.15
php82-dom: 8.2.15
php82-filter: 8.2.15
php82-gettext: 8.2.15
php82-google-api-php-client: 2.4.0
php82-ldap: 8.2.15
php82-mbstring: 8.2.15
php82-pcntl: 8.2.15
php82-pdo: 8.2.15
php82-pear: 1.10.13
php82-pear-Crypt_CHAP: 1.5.0_1
php82-pecl-mcrypt: 1.0.6
php82-pecl-radius: 1.4.0b1_2
php82-phalcon: 5.3.1
php82-phpseclib: 3.0.34
php82-session: 8.2.15
php82-simplexml: 8.2.15
php82-sockets: 8.2.15
php82-sqlite3: 8.2.15
php82-xml: 8.2.15
php82-zlib: 8.2.15
sudo: 1.9.15p5_3

New packages to be INSTALLED:
openssl111: 1.1.1w

Installed packages to be DOWNGRADED:
cyrus-sasl: 2.1.28_4 -> 2.1.28_1
pkcs11-helper: 1.29.0_2 -> 1.29.0_1
python39: 3.9.18_1 -> 3.9.18

Installed packages to be REINSTALLED:
bind-tools-9.18.20_1 (direct dependency changed: openssl111)
curl-8.5.0 (direct dependency changed: openssl111)
cyrus-sasl-gssapi-2.1.28 (direct dependency changed: openssl111)
isc-dhcp44-server-4.4.3P1 (direct dependency changed: openssl111)
krb5-1.21.2 (direct dependency changed: openssl111)
ldns-1.8.3 (direct dependency changed: openssl111)
libevent-2.1.12 (direct dependency changed: openssl111)
libfido2-1.14.0 (direct dependency changed: openssl111)
lighttpd-1.4.73 (direct dependency changed: openssl111)
monit-5.33.0 (direct dependency changed: openssl111)
ntp-4.2.8p17_1 (direct dependency changed: openssl111)
openldap26-client-2.6.6 (direct dependency changed: openssl111)
openssh-portable-9.6.p1_1,1 (direct dependency changed: openssl111)
openvpn-2.6.8_1 (direct dependency changed: openssl111)
py39-aioquic-0.9.24 (direct dependency changed: openssl111)
py39-cryptography-41.0.7_2,1 (direct dependency changed: openssl111)
socat-1.8.0.0_2 (direct dependency changed: openssl111)
squid-6.6 (direct dependency changed: openssl111)
strongswan-5.9.13 (direct dependency changed: openssl111)
syslog-ng-4.4.0 (direct dependency changed: openssl111)
unbound-1.19.0 (direct dependency changed: openssl111)
wpa_supplicant-2.10_10 (direct dependency changed: openssl111)

Number of packages to be removed: 32
Number of packages to be installed: 1
Number of packages to be reinstalled: 22
Number of packages to be downgraded: 3

The operation will free 107 MiB.
***DONE***

Pressing Update gives the same result.

After upgrading to 22.1.10 the IPsec tunnel (host-host) has dissapeared both from the dashboard-ipsec widget and from VPN->IPsec->Status Overview.

However, the tunnel itself is working as expected.

Upgraded  some 10 routers last night without reboot. After a few hours, four of the units failed with one or more services stopped.
Found following in the system/general log

Code Select Expand


2021-09-22T23:46:58   configctl[19087]   event @ 1632347211.39 msg:   
.
approx 7000 identical lines within 1 second
.
2021-09-22T23:46:58   configctl[19087]   event @ 1632347211.39 msg:   
2021-09-22T23:46:58   kernel   pid 34492 (unbound), jid 0, uid 59, was killed: out of swap space

Unbound was stopped in three units, unspecified python process in one and syslog-ng in one.
Just restarted the failed processes and everlything looks good after 1 hour.

My api calls for firmware status are not woring properly anymore. Is there any documentation of the changes?

I am using API calls to remind me if my routers have firmware upgrades available.
It worked as expected when 17.7.12_1 became available. The json response contained updates=1, download_size=3MiB etc.

After I installed 17.7.12_1, the json response says that no updates are available even though the GUI shows a yellow panel with EOL message.

It would be useful if the API response included the same information.