[Solved] Stuck on upgrade screen with "... signature invalid"

[fuskadoo]

I have been stuck on this screen for 60 minutes now and it's making me a bit nervous.  Should I expect this to finish?  The dots are still printing across the screen, but it seems too long.

Looks like fetch is still running:

Code Select Expand

root@opnsense:~ # ps ax | grep fetch
78483  -  S      0:00.28 /bin/sh /usr/local/sbin/opnsense-fetch -a -w 1 -T 30 -q -o /var/cache/opnsense-update/65511/packages-24.1-amd64.tar https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/sets/packages-24.1-amd64.tar
79651  -  Is     0:00.00 daemon: fetch[80174] (daemon)
80174  -  I      0:01.27 fetch -a -w 1 -T 30 -q -o /var/cache/opnsense-update/65511/packages-24.1-amd64.tar https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/sets/packages-24.1-amd64.tar


Package doesn't seem to be increasing in size:

Code Select Expand

root@opnsense:~ # ll /var/cache/opnsense-update/65511/
total 283981
-rw-r-----  1 root  wheel  290586624 Feb 14 20:48 packages-24.1-amd64.tar
-rw-r-----  1 root  wheel       1332 Jan 31 05:46 packages-24.1-amd64.tar.sig
root@opnsense:~ #


Anything else I should check?

[fuskadoo]

At nearly 2 hours and I think it's stuck.  :-\

Can anyone provide any guidance to anything I can do in terminal to get it moving?

Thanks

[fuskadoo]

After 3.5 hours it finally gave ".................. failed, signature invalid".

Can anyone suggest a way to manually do the upgrade?

Thanks.

[jp0469]

After 3.5 hours it finally gave ".................. failed, signature invalid".

Can anyone suggest a way to manually do the upgrade?

Thanks.

I would suggest booting the appropriate install media and restoring your config when prompted. That way you can test the upgrade in a live environment. If all is working well, then you can proceed to fresh install with your config by logging in as: user: installer / password: [root password]. I do all upgrades this way now.

[Maurice]

Try a different mirror, e. g. one close to your location.

Cheers
Maurice

[newsense]

There's currently a certificate validation issue on pkg.opnsense.org after the certificate renewal -- should be fixed soon - pinged Franco.

Browsers do the extra validation work, pkg doesn't :)

Code Select Expand

subject=CN = pkg.opnsense.org

issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign GCC R3 DV TLS CA 2020

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2171 bytes and written 398 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)


[newsense]

Fixed

Code Select Expand

subject=CN = pkg.opnsense.org

issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign GCC R3 DV TLS CA 2020

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5865 bytes and written 398 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)


[fuskadoo]

Everything worked flawlessly today with the download and no issues with the update to 27.1.1.  Great work everyone!

Regards