After update to 25.10: “opnsense-business” release type not available

[ews]

After updating my OPNsense Business Edition from version 25.4 to 25.10, no packages are available anymore under
System → Firmware → Extensions.
The following error is shown:

The release type "opnsense-business" is not available in this repository.


Additionally, all installed extensions show up as "orphaned", even though they were updated successfully.
Running the usual update commands via shell shows that the repositories themselves are reachable, but the business release type seems to be missing:

root@fw:~ # pkg update
Updating OPNsense repository catalogue...
Fetching meta.conf: 100%    163 B   0.2kB/s    00:01   
Fetching packagesite.pkg: 100%  256 KiB 262.0kB/s    00:01   
Processing entries: 100%
OPNsense repository update completed. 911 packages processed.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.

root@fw:~ # opnsense-update
Nothing to do.

Environment:

OPNsense Business Edition 25.10

Previous version: 25.4

Default Business repository enabled
No manual changes to repository or mirror configuration

Expected behavior:

Business repository should be automatically recognized after the update
Installed extensions should not appear as "orphaned"
Package and plugin management should continue to function normally

Actual behavior:

Error: "The release type 'opnsense-business' is not available in this repository."
All extensions appear as orphaned
No new plugins or packages can be loaded

[franco]

This might be a Zenarmor issue, but I don't see the actual evidence. The OPNsense repo updates fine as you can see:

> OPNsense repository update completed. 911 packages processed.

A health audit would make sense.

> root@fw:~ # opnsense-update
> Nothing to do.

Which is correct because it needs an option to proceed.  ;)


Cheers,
Franco

[ews]

I ran a full Health Audit — it completed successfully and no errors or inconsistencies were found.

However, the issue remains:
All extensions are still marked as "orphaned", and no additional packages are listed besides the ones already installed.

Code Select Expand

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 25.10 (amd64) at Thu Oct 16 09:30:15 CEST 2025
Strict TLS 1.3 and CRL checking is enabled.
>>> Root file system: zroot/ROOT/default
>>> Check installed kernel version
Version 25.7.5 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 25.7.5 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
SunnyValley (Priority: 7)
OPNsense (Priority: 11)
>>> Check installed plugins
os-OPNBEcore 1.6
os-OPNcentral 1.11_2
os-acme-client 4.10
os-apcupsd 1.2_3
os-cpu-microcode-intel 1.1
os-ddclient 1.27_4
os-dmidecode 1.2
os-hw-probe 1.0_1
os-netbird 1.1
os-nginx 1.35_2
os-sensei 2.1
os-sensei-agent 2.1
os-sensei-updater 1.18
os-smart 2.4
os-sunnyvalley 1.5
os-tftp 1.0
os-zabbix7-agent 1.17
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense-business" at 25.10 has 68 dependencies to check.
Checking packages: ..................................................................... done
***DONE***

[franco]

Remove os-sunnyvalley repo plugin. I'm quite sure that's the issue. Zenarmor will remain installed, but firmware display should be back to normal.

Cheers,
Franco

[ews]

Removing os-sunnyvalley immediately resolves the issue — all extensions are shown again.
However, this also removes the Zenarmor integration, which I still need for installation and updates.
So I assume we need to wait until Sunny Valley releases a 25.10 compatible version?

[franco]

No, os-sunnyvalley is the repository file only. Since there is a persistent issue with wrong SSL certificates being published by cloudflare backend the repository enabled taints the update process inside the package manager.

You can see this more clearly in this report https://www.reddit.com/r/opnsense/comments/1o7aw84/comment/njpduc1/


Cheers,
Franco

[ews]

Thanks Franco, that makes sense.
So the issue is caused by the invalid SSL certificates on Sunny Valley's Cloudflare backend, and the only fix will have to come from Sunny Valley themselves, right?

I'll keep the os-sunnyvalley repository disabled for now and wait until they correct the certificates and republish the repository.

Thanks again for clarifying!

[franco]

Yes, their repo URL points via HTTPS to updates.zenarmor.net and strict host checking will not match when an SSL certificate for 85bd57b0.sni.cloudflaressl.com is presented. I've tried to explain this before to them. It's simply how HTTPS works and the check fails for obvious MITM concerns as it should.


Cheers,
Franco

[ews]

Alright, then I'll open a ticket with Sunny Valley about this — after all, they're getting quite a bit of money every year for the Business subscriptions.

[ews]

I've found the root cause of the issue.

Both packages — os-sunnyvalley and os-sensei — contain a hardcoded repository configuration under
/usr/local/etc/pkg/repos/SunnyValley.conf

In that file, the repository URL still points to:

.../25.7/


After manually changing this to:

.../25.10/


everything works perfectly again.

The package manager loads correctly, all extensions are displayed, and Zenarmor can be installed and updated without any issues.

So the problem is simply that the Sunny Valley repository URL in these packages still references version 25.7 instead of 25.10.

I also reported this in my ticket to Sun Valley.

[franco]

They told me the same thing, but this isn't true as it proves they are meddling with the forwarding for no apparent reason.

Changing the path of a URL should not change the presented TLS hostname of the certificate. The host name requested is still the same.


Cheers,
Franco

[sy]

Hi Franco,

We use the same repo server both business community edition and this happens only for business edition. We need to make change for business edition.

[franco]

For everything in community plugins, business and community ABI is meant to be the same. Whatever you're doing for a path "25.10" you should really be done for "25.7" and the situation suggests you do not.


Cheers,
Franco

[sy]

Hi,

We usually do not require specific configurations for versions; however, adjustments became necessary for business purposes following the Cloudflare update.

The issue has now been resolved, and it should be functioning properly.

[ews]

I can confirm that. It's working again.