Revoked certificate after upgrading to 22.7.4

Durandal:
Hello all,
Today I took some time to upgrade my OPNsense firewall.
I had to perform an update first (of the old release, think it must have been 21.x), after that an upgrade to 22.7 and after that another update to 22.7.4.

When I checked again for the updates I'm OK now, but there is a revoked certificate used to check for updates:


--- Code: ---
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.7.4 (amd64/OpenSSL) at Sun Sep 18 11:02:00 CEST 2022
Fetching changelog information, please wait... The file was signed with revoked certificate pkg.opnsense.org.20210903
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 802 packages processed.
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (0 candidates): . done
Processing candidates (0 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***
--- End code ---

Found a Reddit thread from 7 days ago about that, no answer there.
Also I searched the forum here for revoked certificate and especially the string of the certificate, but without luck.

Any idea on this one?
Appreciate any tips.

Best,
Durandal

Fright:
Hi,
It is certainly better to wait for @franco, but if I understand the code correctly, the signature file is downloaded only if the checksum of the changelog.txz has changed (that is, if at some point the mis-signed changelog file was already downloaded, then after creating a new signature file it may not be downloaded if the checksum of the changelog.txz has not changed). You can try deleting the changelog.txz and changelog.txz.sig files in the /usr/local/opnsense/changelog dir and try checking for updates again.

abotsis:
I'm getting the same:

--- Code: ---
Fetching change log information, please wait... The file was signed with revoked certificate pkg.opnsense.org.20210903

--- End code ---
I did maybe sorta kinda run out of disk space because I had A Thing(tm) hammering unbound and filled logs up. So it might be related to that? I also recently upgraded the sensei engine (after my 22.7.4 upgrade). Removing the changelog.txz[.sig] did fix the error. I decided to let it upgrade (yolo!) and got some (what I think are) new dependency errors:

--- Code: ---
>>> Missing package dependencies were detected.
>>> Found 3 issue(s) in the package database.

pkg-static: No packages available to install matching 'php74' have been found in the repositories
pkg-static: No packages available to install matching 'python37' have been found in the repositories
pkg-static: No packages available to install matching 'py37-setuptools' have been found in the repositories

--- End code ---
*shrug* Happy to do more research. If a package mirror was popped and certs revoked, though, that'd be kinda good to know sooner rather than later. It makes me a little nervous because a cert revocation isn't really a "passive" failure mode that you'd expect as a side effect. It's a pretty deliberate and specific thing, only having one real root cause (someone explicitly revoking the thing).

*edited for formatting because OCD.

Koloa:

--- Quote from: Fright on September 19, 2022, 04:58:15 pm ---
Hi,
It is certainly better to wait for @franco, but if I understand the code correctly, the signature file is downloaded only if the checksum of the changelog.txz has changed (that is, if at some point the mis-signed changelog file was already downloaded, then after creating a new signature file it may not be downloaded if the checksum of the changelog.txz has not changed). You can try deleting the changelog.txz and changelog.txz.sig files in the /usr/local/opnsense/changelog dir and try checking for updates again.

--- End quote ---

For what it is worth, this worked for me.

In my case, I blamed the fact that I sidegraded from the Business Edition to the Community Edition -- but that may not have been the reason for the error. I made a backup of the changelog files just in case, then removed them, tried updates, and no longer have the error.

franco:
> Fetching change log information, please wait... The file was signed with revoked certificate pkg.opnsense.org.20210903

I see no indication for this in the scripting or files on the mirror.

Can you post the following?

# opnsense-update -M

I assume it still points to "22.1" when it should point to "22.7" in the URL...


Cheers,
Franco
