unable to update from 23.7 to 24.1

Started by ajoeiam, April 28, 2024, 02:44:50 AM

Greetings

Still pretty much a noob here!
When I am trying to update using the gui system (under system/firmware/updates) I'm getting 

pkg-static: https:// xxxxxx:amd64/23.7/latest/packagesite.pkg: Authentication error
similar except it's packagesite.txz: Authentication error
Unable to update repository OPNsense
Error updating repositories!
Starting web GUI . . . done.
Generating RRD graphs . . . done.
***DONE***

What do I do to update my system?

TIA

Hi,

Not sure what " xxxxxx" is, but authentication error here means the TLS connection isn't working, either indicating a custom untrusted mirror (self-signed?) or a proxy interfering with TLS while connecting to a known good mirror from the list.


Cheers,
Franco

Quote from: franco on April 28, 2024, 08:53:55 AM
Hi,

Not sure what " xxxxxx" is, but authentication error here means the TLS connection isn't working, either indicating a custom untrusted mirror (self-signed?) or a proxy interfering with TLS while connecting to a known good mirror from the list.


Cheers,
Franco

Originally copied files from mirror to a computer. Then burned those files onto a USB stick. Used that for the install.

So - - - how do I 'fix' this?
Am I stuck with a perpetual download and burn?

TIA

complete line is pkg-static https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/latest/meta.txz: Authentication error

does that help pinpoint what's not working correctly?

What do I need to do to get the system to update?

(Right now my only option seems to be to reinstall using a newer system - - which I would rather not do.)

I think you hit a proxy or defunct IPv6, whichever comes first.

Or maybe the time of the box is off. There's a reason why posting full logs (like the update log) can help pinpoint this instead of stabbing in the dark. The connectivity audit can reveal problems with IPv6.


Cheers,
Franco

Quote from: franco on April 30, 2024, 04:15:52 PM
I think you hit a proxy or defunct IPv6, whichever comes first.

Or maybe the time of the box is off. There's a reason why posting full logs (like the update log) can help pinpoint this instead of stabbing in the dark. The connectivity audit can reveal problems with IPv6.


Cheers,
Franco

Checked time with the 'date' command - - - system seems to be running about 30 some seconds behind ntp.

I would love to give you the complete update log except I would bet that me typing it from one screen to another is going to add a bunch of errors besides taking about an hour - - - then there are the 10 or so lines that have disappeared as the text scrolled by which I would have no way of copying.

I'm not trying to use ipv6 I'm on ipv4.

So it seems that you're politely saying that I'm sol regarding getting an update to work.
Will admit that this is not overwhelmingly reassuring.

Why aren't you using one of the mirrors that host the firmwares, and without a proxy in between (if any)? They have the correct certificates to allow the TLS session to be established. That is the reason it is failing as was explained earlier.
By the way, the messages on screen (a console) also get written to file. But why would you use a screen+keyboard to a console to the system, when you can reach it by ssh and by a UI ?
Back to it though. Are you able to connect via the UI and select a mirror?

Quote from: cookiemonster on April 30, 2024, 11:17:14 PM
Why aren't you using one of the mirrors that host the firmwares, and without a proxy in between (if any)? They have the correct certificates to allow the TLS session to be established. That is the reason it is failing as was explained earlier.
By the way, the messages on screen (a console) also get written to file. But why would you use a screen+keyboard to a console to the system, when you can reach it by ssh and by a UI ?
Back to it though. Are you able to connect via the UI and select a mirror?
In Debian I can edit /etc/usr/sources.list and then I can specify a mirror if I so desire.
Absolutely CANNOT find a way to do that here on OPNsense.
Why would I use a console - - - I'm comfortable using a non-gui updating system - - - definitely no expert but can work my way through most what I need to do and I can most often find some recipe to get to what/where I want.
Tried using # ssh root@192.168.1.1 and - - - well - - nothing happens!

When I go look into /usr/local/etc/pkg/repos I do find  OPNsense.conf - - - which reads:

OPNsense: {
   fingerprints: "/usr/local/etc/pkg/fingerprints/OPNsense",
   url: "pkg+https://pkg.opnsense.org/${ABI}/23.7/latest",
   signature_type: "fingerprints",
   mirror_type: "srv",
   priority: 11,
   enabled: yes
}


That information is as installed where I changed nothing (added nor removed anything only added ip addresses!).

So from what you're saying I'm supposed to be able to choose a mirror - - - where/how?

TIA

You can pick the mirror and perform the update right in the UI. System > Firmware > Settings.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on May 01, 2024, 01:11:45 AM
You can pick the mirror and perform the update right in the UI. System > Firmware > Settings.

So using the gui I went to system: firmware and chose as mirror: ServerBase AG, type: community, subscription: blank

ask for a system update

"Fetching changelog information, please wait . . . fetch" https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/sets/changelog.txz:
Authentication error   
lots more info including the line:
pkg: Repository OPNsense cannot be opened. 'pkg update' required


so changing the mirror from 'default' to a specific mirror really didn't achieve anything.
(Changed mirror, saved, rebooted and then reconnected as for process)


You have a proxy upstream.

You can either bypass it or allow access through the proxy to the chosen mirror without authentication.

To expand a little.
Quote from: ajoeiam
"Fetching changelog information, please wait . . . fetch" https://pkg.opnsense.org/FreeBSD:13:amd64/23.7/sets/changelog.txz:
Authentication error 
lots more info including the line:
pkg: Repository OPNsense cannot be opened. 'pkg update' required

so changing the mirror from 'default' to a specific mirror really didn't achieve anything.
(Changed mirror, saved, rebooted and then reconnected as for process)

The Authentication error is the important part.
And as franco said earlier
Quote from: franco on April 30, 2024, 04:15:52 PM
I think you hit a proxy or defunct IPv6, whichever comes first.

Or maybe the time of the box is off. There's a reason why posting full logs (like the update log) can help pinpoint this instead of stabbing in the dark. The connectivity audit can reveal problems with IPv6.
Please do the connectivity audit. If the update tries an IPv6 mirror and fails, you have this problem. It can be that you have IPv6 half set up. If you are not using it yourself (and you should know based on your ISP package), then try to disable it in OPN.
Also try different mirrors. Some are easier to reach than others, depending on your location.
And the proxy part is about some proxy (that you might know about or not, depending on where the system is sat or your ISP). Try to investigate if you are behind one.

It might be an idea to add the dump of the SSL information from the main mirror so we can plainly see what's going on in these cases?

(Provided that information is ever given.)


Cheers,
Franco

I actually got a glimpse of that error on a VM I discovered that was off for a few months.

When I turned it on it would keep proposing to update to 24.1.r1 from 24.1.r_3.

Restarted services or rebooting didn't help, so I tried -Vbkr and saw it failing to verify the cert.

Inspected the cert with openssl and found it not valid yet, which ultimately revealed the ntp issue - machine time was in January.



So the previous comment about the FW being 30 seconds behind is a clear indication time is not syncing and causing the update issues for the OP - if there's no proxy upstream.

The time can be set in CLI to get the machine to update, and the NTP issue can be solved after.

The date command for the CLI is this one, two digits for year month day hour minutes .seconds

date yymmddhhmm.ss
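
The clock check described in the post above (inspect the certificate dates with openssl, then compare them with the machine time), as an added example that is not part of the original thread. It parses the two lines that `openssl x509 -noout -dates` prints and reports whether a given clock falls outside the validity window; the sample dates and the function names are constructed for illustration.

```python
import calendar
import ssl
import time

# Constructed sample: the two lines `openssl x509 -noout -dates` prints for a
# certificate. These dates are invented for the example, not taken from a mirror.
SAMPLE_DATES = """\
notBefore=Mar 10 00:00:00 2024 GMT
notAfter=Jun  8 23:59:59 2024 GMT
"""


def utc_epoch(year, month, day, hour=0, minute=0, second=0):
    """Epoch seconds for a UTC wall-clock time (helper for simulated clocks)."""
    return calendar.timegm((year, month, day, hour, minute, second))


def parse_validity(dates_output):
    """Return (not_before, not_after) in epoch seconds from openssl's output."""
    fields = {}
    for line in dates_output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            # cert_time_to_seconds understands openssl's "Mon DD HH:MM:SS YYYY GMT"
            fields[key.strip()] = ssl.cert_time_to_seconds(value.strip())
    if "notBefore" not in fields or "notAfter" not in fields:
        raise ValueError("expected notBefore= and notAfter= lines")
    return fields["notBefore"], fields["notAfter"]


def classify_clock(dates_output, clock_epoch=None):
    """Return (status, seconds) as a TLS client with this clock sees the cert.

    status is "not-yet-valid" (clock is before notBefore, typical of a box
    whose time fell behind), "expired" (clock is after notAfter) or "valid".
    seconds is the distance to the violated bound, or for "valid" the margin
    to the nearer bound.
    """
    if clock_epoch is None:
        clock_epoch = int(time.time())
    not_before, not_after = parse_validity(dates_output)
    if clock_epoch < not_before:
        return "not-yet-valid", not_before - clock_epoch
    if clock_epoch > not_after:
        return "expired", clock_epoch - not_after
    margin = min(clock_epoch - not_before, not_after - clock_epoch)
    return "valid", margin
```

A "not-yet-valid" result points at the local clock rather than at the mirror or a proxy.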

Hi,
How do I patch my files for IPSec ?

I'm currently on 24.7.2 and if I check for an update I get
" There are no updates available on the selected mirror. "

The mirror is 'default' and the type is 'community'

Following the upgrade to 24.7.2 my IPSec VPN to my office fails to connect.

Thanks