Unable to upgrade from 22.1

Started by clarknova, January 15, 2025, 05:52:45 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
January 15, 2025, 05:52:45 PM
I was tasked today with upgrading a remote firewall that was running OPNsense 21.7.8. I upgraded to 22.1 in the web UI and it upgraded and rebooted without error. Now while trying to upgrade past 22.1 I get errors.

From web UI:
Code Select
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 22.1 (amd64/OpenSSL) at Wed Jan 15 09:40:23 MST 2025
Fetching changelog information, please wait... Missing /usr/local/etc/pkg/repos/OPNsense.conf
Repository not found: OPNsense
Updating FreeBSD repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: .......... done
Processing entries:
Newer FreeBSD version for package zziplib:
To ignore this error set IGNORE_OSVERSION=yes
- package: 1304000
- running kernel: 1300523
Ignore the mismatch and continue? [y/N]: pkg: repository FreeBSD contains packages for wrong OS version: FreeBSD:13:amd64
Processing entries...
Unable to update repository FreeBSD
Error updating repositories!
pkg: Unknown repository: OPNsense
***DONE***
From shell:
Code Select
# opnsense-update -u
Missing /usr/local/etc/pkg/repos/OPNsense.conf

# opnsense-bootstrap
This utility will attempt to turn this installation into the latest
OPNsense 22.1 release.  All packages will be deleted, the base
system and kernel will be replaced, and if all went well the system
will automatically reboot.

Proceed with this action? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:13:amd64/latest, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
Installing pkg-1.21.3...
package pkg is already installed, forced install
Extracting pkg-1.21.3: 100%
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Updating database digests format: 100%
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
/tmp/opnsense-bootstrap/core.tar.gz                   7508 kB 9443 kBps    01s
pkg: 139 packages installed
beep-1.0_1: already unlocked
I also tried a health check from the GUI:
Code Select
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 22.1 (amd64/OpenSSL) at Wed Jan 15 09:46:54 MST 2025
>>> Check installed kernel version
Version 22.1 is correct.
Unverified consistency check for kernel: invalid /usr/local/opnsense/version/kernel.mtree.sig
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 22.1 is correct.
Unverified consistency check for base: invalid /usr/local/opnsense/version/base.mtree.sig
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages:
ca_root_nss-3.104: checksum mismatch for /etc/ssl/cert.pem
Checking all packages.......
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20150402
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20160104
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20160630
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20161210
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20170625
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20171219
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20180614
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20181218
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20190702
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20200119
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20200313
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/revoked/pkg.opnsense.org.20210104
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/trusted/pkg.opnsense.org.20210629
opnsense-22.1: missing file /usr/local/etc/pkg/fingerprints/OPNsense/trusted/pkg.opnsense.org.20210903
opnsense-22.1: missing file /usr/local/etc/pkg/repos/FreeBSD.conf.sample
opnsense-22.1: missing file /usr/local/etc/pkg/repos/OPNsense.conf.sample
Checking all packages......... done
>>> Check for core packages consistency
Core package "opnsense" has 65 dependencies to check.
Checking packages: .
beep-1.0_1 has no upstream equivalent
Checking packages: .
ca_root_nss-3.104 repository mismatch: FreeBSD
ca_root_nss-3.104 has no upstream equivalent
Checking packages: .
choparp-20150613 has no upstream equivalent
Checking packages: .
cpustats-0.1 has no upstream equivalent
Checking packages: .
dhcp6c-20200512_1 has no upstream equivalent
Checking packages: .
dhcpleases-0.2 has no upstream equivalent
Checking packages: .
dnsmasq-2.86_2,1 has no upstream equivalent
Checking packages: .
dpinger-3.0 has no upstream equivalent
Checking packages: .
expiretable-0.6_2 has no upstream equivalent
Checking packages: .
filterlog-0.6 has no upstream equivalent
Checking packages: .
flock-2.37.2 has no upstream equivalent
Checking packages: .
flowd-0.9.1_3 has no upstream equivalent
Checking packages: .
hostapd-2.10 has no upstream equivalent
Checking packages: .
ifinfo-13.0 has no upstream equivalent
Checking packages: .
iftop-1.0.p4 has no upstream equivalent
Checking packages: .
isc-dhcp44-relay-4.4.2P1 has no upstream equivalent
Checking packages: .
isc-dhcp44-server-4.4.2P1_1 has no upstream equivalent
Checking packages: .
lighttpd-1.4.63 has no upstream equivalent
Checking packages: .
monit-5.29.0_1 has no upstream equivalent
Checking packages: .
mpd5-5.9_6 has no upstream equivalent
Checking packages: .
ntp-4.2.8p15_4 has no upstream equivalent
Checking packages: .
openssh-portable-8.8.p1_1,1 has no upstream equivalent
Checking packages: .
openssl-1.1.1m_1,1 has no upstream equivalent
Checking packages: .
openvpn-2.5.5 has no upstream equivalent
Checking packages: .
opnsense-22.1 has no upstream equivalent
Checking packages: .
opnsense-installer-22.1 has no upstream equivalent
Checking packages: .
opnsense-lang-21.7.8 has no upstream equivalent
Checking packages: .
opnsense-update-22.1 has no upstream equivalent
Checking packages: .
pam_opnsense-19.1.3 has no upstream equivalent
Checking packages: .
pftop-0.7_9 has no upstream equivalent
Checking packages: .
php74-ctype-7.4.27 has no upstream equivalent
Checking packages: .
php74-curl-7.4.27 has no upstream equivalent
Checking packages: .
php74-dom-7.4.27 has no upstream equivalent
Checking packages: .
php74-filter-7.4.27 has no upstream equivalent
Checking packages: .
php74-gettext-7.4.27 has no upstream equivalent
Checking packages: .
php74-google-api-php-client-2.4.0 has no upstream equivalent
Checking packages: .
php74-json-7.4.27 has no upstream equivalent
Checking packages: .
php74-ldap-7.4.27 has no upstream equivalent
Checking packages: .
php74-openssl-7.4.27 has no upstream equivalent
Checking packages: .
php74-pdo-7.4.27 has no upstream equivalent
Checking packages: .
php74-pecl-radius-1.4.0b1_1 has no upstream equivalent
Checking packages: .
php74-phalcon4-4.1.3 has no upstream equivalent
Checking packages: .
php74-phpseclib-2.0.35 has no upstream equivalent
Checking packages: .
php74-session-7.4.27 has no upstream equivalent
Checking packages: .
php74-simplexml-7.4.27 has no upstream equivalent
Checking packages: .
php74-sockets-7.4.27 has no upstream equivalent
Checking packages: .
php74-sqlite3-7.4.27 has no upstream equivalent
Checking packages: .
php74-xml-7.4.27 has no upstream equivalent
Checking packages: .
php74-zlib-7.4.27 has no upstream equivalent
Checking packages: .
pkg-1.21.3 repository mismatch: unknown-repository
pkg-1.21.3 has no upstream equivalent
Checking packages: .
py38-Jinja2-3.0.1 has no upstream equivalent
Checking packages: .
py38-dnspython2-2.2.0 has no upstream equivalent
Checking packages: .
py38-netaddr-0.8.0 has no upstream equivalent
Checking packages: .
py38-requests-2.25.1 has no upstream equivalent
Checking packages: .
py38-sqlite3-3.8.12_7 has no upstream equivalent
Checking packages: .
py38-ujson-5.0.0 has no upstream equivalent
Checking packages: .
radvd-2.19_1 has no upstream equivalent
Checking packages: .
rrdtool-1.7.2_4 has no upstream equivalent
Checking packages: .
samplicator-1.3.8.r1_1 has no upstream equivalent
Checking packages: .
squid-4.15 has no upstream equivalent
Checking packages: .
strongswan-5.9.4 has no upstream equivalent
Checking packages: .
sudo-1.9.8p2 has no upstream equivalent
Checking packages: .
suricata-6.0.4_1 has no upstream equivalent
Checking packages: .
syslog-ng-3.35.1 has no upstream equivalent
Checking packages: .
unbound-1.14.0 has no upstream equivalent
Checking packages: .
wpa_supplicant-2.10 has no upstream equivalent
Checking packages: .
zip-3.0_1 has no upstream equivalent
***DONE***
Where do I go from here? I'm off site, so any remote rescue option is preferred at this point and the firewall is still running and accesscible. If I brick the thing I can get remote hands, but I'd prefer not to delegate a fresh install from USB if I can avoid it.
January 17, 2025, 05:01:43 AM #1 Last Edit: January 17, 2025, 05:04:46 AM by newsense
Export your config and install from scratch. If your setup is not overly complex you can install from the 25.1 beta ISO and get an update early next week to 25.1.rc1. Else go for 24.7.

As a general rule, stop enabling FreeBSD repos or you'll experience breakage more often than not.

And just to be clear, that remote FW will have to be reinstalled on site to either 24.7 or 25.1, and you'll get access back to it once the configuration has been imported on it.
January 17, 2025, 12:17:33 PM #2
This install suffers from having the FreeBSD package repository active which prevents it from making a clean upgrade...

> Unable to update repository FreeBSD

# cp /usr/local/etc/pkg/repos/FreeBSD.conf{.sample,}
# cp /usr/local/etc/pkg/repos/OPNsense.conf{.sample,}

This should disable the FreeBSD repo and bring the other back (if the sample files still exist).  You may be able to recover, but if other offending packages were installed I don't have high hopes.

You can list packages that were installed from FreeBSD instead of OPNsense, remove them, but chances are somebody installed something vital that you're going to remove.


Cheers,
Franco
March 24, 2025, 07:02:45 PM #3
Thanks for the replies. I didn't set up this pair and I wasn't aware FreeBSD repos were enabled. I was under pressure to complete the upgrade so I ended up booting the VMs from the 25.1 ISO and did a fresh install after importing the config file. I then upgraded to 25.1.3 and was able to reinstall the plugins with a good outcome.

If I see this again in the future I will try disabling the extra repos.
Print
Go Up Pages1
User actions