DEC600 BE 24.4 — lapsed subscription blocks updates (403), templates ERR, no ser

[ed3]

Hi all,
Solo operator self-supporting a DEC600 that's run reliably for ~1 year but is now behind and has a couple of issues I've diagnosed. I'd appreciate guidance, especially on a few direct questions up front.
Unit: DEC600, Business Edition 24.4_8 (FreeBSD 13.2-p11). Running uninterrupted for about a year. I'd mistakenly assumed the subscription kept it auto-updated; I now understand updates are manual, and it simply ran 24.4 the whole time.

Finding 1 — updates blocked by lapsed subscription (403). Attempting an update returns Forbidden against the BE repo:

Code Select Expand

https://opnsense-update.deciso.com/${SUBSCRIPTION}/FreeBSD:13:amd64/24.4/latest/meta.txz: Forbidden
... packagesite.pkg: Forbidden
... packagesite.txz: Forbidden
Unable to update repository OPNsense
Error updating repositories!The changelog lists releases up to 25.4.1 (2025-05-22), but pulling packages is clearly gated by the lapsed (~2025-06) subscription.

Finding 2 — templates errors every boot, and the serial console has no login prompt. Over the labeled CONSOLE port (micro-USB-B → Exar XR21V1410 USB-UART, 115200 8N1) I receive the complete boot output through the OPNsense banner, stable across reboots — but no login prompt and no input response after boot completes. Every boot shows:

Code Select Expand

>>> Invoking early script 'templates'
Generating configuration: ERRConsole config: vt driver enabled, Primary = Serial Console, Secondary = None, USB-based serial enabled. Web GUI over LAN works fine. My working theory is that the failed template generation prevents the serial getty (/etc/ttys) from being configured — producing output-yes / login-no.
Direct questions to help me decide between renewing BE and moving to Community Edition:

• Is A causing B? Is the templates: ERR (and the resulting absence of a serial-console login) a side-effect of the lapsed subscription making the update repository unreachable (the 403s above)? I'm trying to confirm whether the broken repo is what's breaking template generation, rather than assuming a cause.
• Would switching to Community Edition restore console access? If the template error stems from the unit being unable to reach its subscription-gated repo, would migrating this DEC600 to the free Community Edition repo — which it can reach — fix template generation and bring back the serial console login?
• Is the migration reversible? If I move this DEC600 from Business Edition to Community Edition now, can I later switch it back to Business Edition with a new/renewed subscription? I'd like to know whether CE is a one-way door before committing.
• Diagnosing the template error directly: how can I find which template is failing (a way to run template generation manually with verbose output)?
• Update sequence / safety: what's the recommended path to get current from 24.4, and I'd want a working serial console as a fallback before any major upgrade or BE→CE switch — so should I resolve the console/template issue first, then update?

Full GUI/shell access available; happy to run diagnostics or share logs. Thanks in advance

Code Select Expand

[shutdown of prior boot]
Waiting for system process `vnlru' to stop... done
Waiting for `syncer'... Syncing disks... done
Uptime: 6m55s ; uhub detached

coreboot-v4.16.5-Deciso ... CPU: AMD GX-420MC SOC ... 4 CPUs initialized
SeaBIOS rel-1.16.0
/boot/config: -S115200 -h
Consoles: serial port
FreeBSD/x86 bootstrap loader
[ OPNsense loader menu ... 24.4 "Savvy Shark" ]
Loading kernel + modules (carp, pflog, pf, zfs, if_bridge, if_lagg, if_gre, ...)
KDB: backend ddb
---<<BOOT>>---
FreeBSD 13.2-RELEASE-p11 stable/24.1 SMP amd64
CPU: AMD GX-420MC SOC (1597 MHz) ; ~8944 MB real / ~7874 MB avail ; 4 CPUs
nvme0 / nvd0: <TS256GMTE110S> 244198MB
igc0: I225-V  MAC [REDACTED]
igc1: I225-V  MAC [REDACTED]
igc2: I225-V  MAC [REDACTED]
igc3: I225-V  MAC [REDACTED]
ahci0: AMD Hudson-2 SATA ; ehci0: AMD FCH USB 2.0 ; usbus0 480Mbps
uart0: console (115200,n,8,1) port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
ZFS v5 / pool 5000
ugen0.2: <vendor 0x0438 product 0x7900>  (internal USB hub)
Trying to mount root from zfs:zroot/ROOT/default
Setting hostuuid: [REDACTED] ; hostid: [REDACTED]

>>> Invoking early script 'configd'  -> Starting configd.
>>> Invoking early script 'templates'
Generating configuration: ERR          <-- THE ISSUE
>>> Invoking early script 'backup' ... carp: OK
Launching init system...done.
igc0/igc1: link UP
Setting timezone: [REDACTED]
Setting hostname: [REDACTED]
Configuring firewall / VLAN / interfaces ...done.  [interface list redacted]
Starting web GUI...done.
Starting DHCPv4/DHCPv6, Unbound DNS, NTP, suricata, cron ...done.
Root file system: zroot/ROOT/default
[date redacted]

*** [HOSTNAME REDACTED]: OPNsense 24.4_8 ***
 [interface -> IP table REDACTED]
 HTTPS: SHA256 [REDACTED]

[patient0]

Finding 1 — updates blocked by lapsed subscription (403).

If you buy a OPNsense appliance, you get 1 year of the Business Edition. After the year you either renew/pay the subscription or change to Community Edition. The 403 likely means that your BE subscription has run out and therefore you are not allow access to the BE repo anymore.

You can switch to the CE and back to BE later if you choose to renew the subscription.

Finding 2 — templates errors every boot, and the serial console has no login prompt.

I'm can't comment on the template error. For the serial console, make sure the 'USB-based serial' box is unchecked. You can find details in the documentation:

https://docs.opnsense.org/hardware/serial_connectivity.html#serial-console-connectivity

Regarding upgrading to latest: Fastest is usually backup the configuration and reinstall if you have fallen back a bit. Otherwise if you go via the webGUI, just upgrade to whatever OPNsense is offering you, and the next and so on.