Firmware update does not work

[tbednarz]

Hi everybody

I have two opnSense firewalls, where one is a backup device, just in case one fails. The backup machine I sometimes use for travel, since it is a desktop version and not a rackmout device.

Now I was a bit lazy and did not update the desktop version for more than 6 months. It still has version 22.7.10_2 installed. When I try to update the firmware, I got lots of Certificate errors:

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.7.10_2 (amd64/OpenSSL) at Sun Apr 30 03:03:46 CEST 2017
Fetching changelog information, please wait... Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34389172224:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
fetch: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/sets/changelog.txz: Authentication error
Updating OPNsense repository catalogue...
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/meta.txz: Authentication error
repository OPNsense has no meta file, using default settings
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.pkg: Authentication error
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
Certificate verification failed for /C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020
34378686464:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1921:
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.7/latest/packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

Could anybody help me to get the update to the latest version working? Many thanks.
Tom

[tbednarz]

Sorry for this request. I tried again after a few minutes after a reboot and I could update to 22.7.11 without any errors. Now it is updating to 23.

Dont know why I got all those errors shown in my post...

[franco]

> Currently running OPNsense 22.7.10_2 (amd64/OpenSSL) at Sun Apr 30 03:03:46 CEST 2017

I suppose the certificate on the server wasn't valid yet when you tried it almost 6 years ago. ;)

In all seriousness looks like NTP took a while to kick in.


Cheers,
Franco

[tbednarz]

Ohh thats strange. The box was turned off for about 6 MONTHS not years! Maybe I was too fast after the first boot after such a long time. It may first have to sync time with a NTP server and I don't know what else is running in the background. But six YEARS ago I dit not yet own this machine!!!

[franco]

Maybe CMOS battery bad or empty and NTP was working on fixing that already but took more time to rush through the decades :)


Cheers,
Franco

[marmot74]

Not sure if the issue has a similar cause, but since yesterday, I cannot perform updates and get the following message :
I struggle to understand what's going on because this weekend it prompted me to upgrade to a more recent version of Opnsense.... now it's not prompting anymore.

I am on 22.7.11_1 and would like to update to 23.1 or later if possible.

Any thoughts ?

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.7.11_1 (amd64/OpenSSL) at Thu Aug 10 19:23:22 CEST 2023
Fetching changelog information, please wait... done
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 819 packages processed.
Updating SunnyValley repository catalogue...
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/meta.txz: Not Found
repository SunnyValley has no meta file, using default settings
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/packagesite.pkg: Not Found
pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/packagesite.txz: Not Found
Unable to update repository SunnyValley
Error updating repositories!
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

Thanks in advance for your help.

[franco]

While this report was solved and totally unrelated your problem simply is that you have a third party repo enabled that is not reachable:

> OPNsense repository update completed. 819 packages processed.

Notice our repository updated ok...

> Updating SunnyValley repository catalogue...
> pkg: https://updates.sunnyvalley.io/opnsense/FreeBSD:13:amd64/22.7/OpenSSL/latest/meta.txz: Not Found

I'd recommend removing os-sunnyvalley and that brings update functionality back.


Cheers,
Franco