Unable to check for updates.

Started by LogicEthos, September 30, 2021, 04:09:36 PM

Quote from: KHE on September 30, 2021, 06:12:33 PM
Do you use other repositories? The one from @minugmail also has this issue. And if one repository is having issues, then the update is not possible via WebGUI.


Yes that must be it because I use their "os-unboundcustom-maxit" plug-in, and I notice all the plug-ins show as "(orphaned)" as well.

Probably has something to do with those certs that expired yesterday. Sure it will be fixed soon.

Just to share my solution:

  • remove any 3rd-party repos from /usr/local/etc/pkg/repos/
  • change either to an HTTP mirror or to dns-root.de
  • update
I will wait for a fix for the LE certs, then I will add the 3rd-party repos again.
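
A reversible variant of the first step in the workaround above, as an added example that is not part of any post in this thread: it moves third-party repo files out of /usr/local/etc/pkg/repos/ instead of deleting them, so they can be put back once the certificate chain is fixed. The parking directory and the file names passed as the keep-list are assumptions made for this example.

```shell
#!/bin/sh
# Added example: park third-party pkg repo definitions instead of deleting them.
# REPO_DIR defaults to the path named in the thread; PARK_DIR is an assumption.
REPO_DIR="${REPO_DIR:-/usr/local/etc/pkg/repos}"
PARK_DIR="${PARK_DIR:-/usr/local/etc/pkg/repos.parked}"

# park_repos KEEP...: move every *.conf in REPO_DIR whose file name is not
# listed in KEEP into PARK_DIR, and print the name of each parked file.
park_repos() {
    mkdir -p "$PARK_DIR" || return 1
    for f in "$REPO_DIR"/*.conf; do
        [ -e "$f" ] || continue            # glob matched nothing
        name=$(basename "$f")
        keep=no
        for k in "$@"; do
            if [ "$name" = "$k" ]; then keep=yes; fi
        done
        if [ "$keep" = no ]; then
            mv "$f" "$PARK_DIR/$name" && echo "parked $name"
        fi
    done
}

# restore_repos: move parked files back. A file that has reappeared in
# REPO_DIR in the meantime is not overwritten; the function then returns 1.
restore_repos() {
    rc=0
    for f in "$PARK_DIR"/*.conf; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        if [ -e "$REPO_DIR/$name" ]; then
            echo "skip $name: already present in $REPO_DIR" >&2
            rc=1
        else
            mv "$f" "$REPO_DIR/$name" && echo "restored $name"
        fi
    done
    return $rc
}
```

Run `park_repos` with the names of the repo files that should stay in place as arguments, update, and run `restore_repos` afterwards.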

I'm getting this issue too, and had to flip to an HTTP mirror to upgrade. I don't have any custom repos installed.

Quote from: KHE on September 30, 2021, 06:31:36 PM
Just to share my solution:

  • remove any 3rd-party repos from /usr/local/etc/pkg/repos/
  • change either to an HTTP mirror or to dns-root.de
  • update
I will wait for a fix for the LE certs, then I will add the 3rd-party repos again.

I just tried your solution and that resolved the issue. Thank you!

September 30, 2021, 08:59:47 PM #20 Last Edit: September 30, 2021, 11:53:08 PM by japtain.cack
I believe this is the issue:
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

I used the Cloudflare CDN mirror, which seemed to allow updates to work. A large portion of the internet, for TLS anyway, is broken right now until people update their root CAs. Blocklists are also broken for the same reason, I believe. DNS over TLS is also affected.

I was able to delete the LetsEncrypt CA, then regenerate the LE cert. It created a new cert under the new R3 CA properly. This fixed my UI/HAProxy issues, but you'll need to update all your settings that referenced the old cert, for instance under the OPNsense settings for the web UI. However, some endpoints, like the update repo mirrors, seem to still be using expired root CAs in their cert chain. Nothing we can do until everyone updates their TLS certs.

I am now able to use the default mirror. No certificate issues appear anymore.