Attempting upgrade - failed, signature invalid

Started by arvidj, July 29, 2025, 05:23:39 PM

Previous topic - Next topic
I am attempting to upgrade via the GUI. Have never had any upgrade or update issues. Had just successfully applied the last update to 25.1.12 and then tried to upgrade to 25.7:

***GOT REQUEST TO UPGRADE***
Currently running OPNsense 25.1.12 (amd64) at Tue Jul 29 09:46:57 CDT 2025
Fetching packages-25.7-amd64.tar: ................................................ failed, signature invalid
***DONE***

Any suggestions as to what I am doing wrong or what part of the incantation I got wrong?

Thanks, Arvid

Are your mirror and flavour settings (in System > Settings) set to default? What does it say in "Mirror" and "Repositories" on your System > Status page?
OPNsense 25.7.1_1-amd64 on APU2E4 using ZFS

Mirror may play a role, but it's more likely there's a local disk issue or a download issue -- the download looks reasonably fast, but maybe it got interrupted. I'd try again and avoid mobile WAN connections for fetching updates as they have always been problematic.


Cheers,
Franco

Same Problem here. AUDIT CONNECTIVITY reports:

***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 25.1.12 (amd64) at Wed Jul 30 16:51:43 CEST 2025
Checking connectivity for host: mirror.fra10.de.leaseweb.net -> 37.58.58.140
PING 37.58.58.140 (37.58.58.140): 1500 data bytes
1508 bytes from 37.58.58.140: icmp_seq=0 ttl=57 time=18.735 ms
1508 bytes from 37.58.58.140: icmp_seq=1 ttl=57 time=18.795 ms
1508 bytes from 37.58.58.140: icmp_seq=2 ttl=57 time=18.638 ms
1508 bytes from 37.58.58.140: icmp_seq=3 ttl=57 time=18.892 ms

--- 37.58.58.140 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 18.638/18.765/18.892/0.092 ms
Checking connectivity for repository (IPv4): https://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:14:amd64/25.1
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 900 packages processed.
All repositories are up to date.
Checking connectivity for host: mirror.fra10.de.leaseweb.net -> 2a00:c98:2030:a034::21
ping: UDP connect: No route to host
Checking connectivity for repository (IPv6): https://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:14:amd64/25.1
Updating OPNsense repository catalogue...
pkg: https://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:14:amd64/25.1/latest/meta.txz: Non-recoverable resolver failure
repository OPNsense has no meta file, using default settings
pkg: https://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:14:amd64/25.1/latest/packagesite.pkg: Non-recoverable resolver failure
pkg: https://mirror.fra10.de.leaseweb.net/opnsense/FreeBSD:14:amd64/25.1/latest/packagesite.txz: Non-recoverable resolver failure
Unable to update repository OPNsense
Error updating repositories!
Checking server certificate for host: mirror.fra10.de.leaseweb.net
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R10
verify return:1
depth=0 CN = mirror.leaseweb.com
verify return:1
DONE
Checking server certificate for host: pkg.opnsense.org
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL TLS RSA CA G1
verify return:1
depth=0 CN = pkg.opnsense.org
verify return:1
DONE
***DONE***

@OPNefx it probably prefers the defunct IPv6 on your end.  Either disable IPv6 on WAN or use Prefer IPv4 over IPv6 setting, whatever works best.


Cheers,
Franco

Quote from: franco on July 30, 2025, 08:01:03 PM@OPNefx it probably prefers the defunct IPv6 on your end.  Either disable IPv6 on WAN or use Prefer IPv4 over IPv6 setting, whatever works best.


Cheers,
Franco

Hello Franco, thank you very much for your quick reply. After the change you suggested nothing change.

I've found this error on System > Log Files > Web GUI:

"Error   lighttpd   (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.79/src/gw_backend.c.533) connect() /var/lib/php/tmp/php-fastcgi.socket-4: Connection refused".

Could it be that this error is related to my problem?

> After the change you suggested nothing change.

Well, to be precise: which one did you do? And did you do the other if you only did one? ;)

> Could it be that this error is related to my problem?

No.


Cheers,
Franco

I've disable IPv6 on WAN (and LAN) according to this guide:

https://www.thomas-krenn.com/en/wiki/OPNsense_disable_IPv6

But even if I set Prefer IPv4 over IPv6 the result of the audit is the same.

And this is the key point: the audit is irrelevant if your updates work.


Cheers,
Franco

OK. Later I'll try the Upgrade process again. Thx.

Quote from: franco on July 31, 2025, 11:37:31 AMAnd this is the key point: the audit is irrelevant if your updates work.


Cheers,
Franco

Hello Franco, the Upgrade Process starts only with "Prefer to use IPv4 even if IPv6 is available" checked in Settings > General > Networking.

Now I'm on OPNsense Version 25.7.1. Well done guys! You're magic!


Quote from: beneix on July 30, 2025, 07:42:14 AMAre your mirror and flavour settings (in System > Settings) set to default? What does it say in "Mirror" and "Repositories" on your System > Status page?
Quote from: franco on July 30, 2025, 08:17:24 AMMirror may play a role, but it's more likely there's a local disk issue or a download issue -- the download looks reasonably fast, but maybe it got interrupted. I'd try again and avoid mobile WAN connections for fetching updates as they have always been problematic.


Cheers,
Franco

Thank you both for the suggestions. The connection is 1g fiber to the house and all cat-8 within the house, no WiFi involved. The Repositories setting was Default.

I was able to get a good download by specifying the repository as what ever the offical name for New York is.