Update trains will not display under System -> Update. Tried many solutions.

[Matt Morgan]

Hi everyone, I've got a strange one here. I think the first conclusion will be a DNS issue...maybe it is....but I've tried the other solutions that have resolved the issue and no luck so far.

Steps to reproduce:
1. Navigate to System -> Update
2. Click the refresh icon at the top right.
3. Message appears: Unable to connect to url https://update-master.ixsystems.com/FreeNAS/trains.txt: Automatic update check failed. Please check system network settings.

Troubleshooting done so far:
1. I can view https://update-master.ixsystems.com/FreeNAS/trains.txt in my browser on the network
2. Ping from console "ping https://update-master.ixsystems.com/FreeNAS/trains.txt" results in "Cannot resolve https://update-master.ixsystems.com/FreeNAS/trains.txt unknown server error"
3. Confirmed I network settings...I believe they are correct.

4. Nothing in the proxy field on Global Configuration

5. wget --verbose https://update-master.ixsystems.com/FreeNAS/trains.txt returns:

6. Tried rebooting Freenas, router, and modem

Hardware involved:

• Frontier Fiber through a modem
• Orbi (Netgear) router - no crazy settings to block anything

Freenas system details in signature.

One last item, though I don't believe it is related, I do have this new alert:

I am including this in case it is the culprit.

Any help would be appreciated!

 

[JalbyX]

+1 to this issue with my 11.3 U4 server and the same steps have been taken as you have. Of note, my TN12 server + one other on the same network are not seeing this issue which are configured identical network settings to the 11.3 box.

I am also finding when I attempt to manually update to 11.3 U5 since the GUI states manual updates do not work on major version updates (I'm wanting to update this box to TN12) the update also fails and states it's "Not an manual update file". Of note, my TN12 server + one other on the same network are not seeing this issue which are configured identical to the 11.3 box.

I'm looking for a solution as well and will post anything of relevance I find.

 

[tdhffg]

I'm fairly certain it's due to the Let's encrypt cert, I created an issue for jail creation and support via the UI (https://jira.ixsystems.com/browse/NAS-112671?filter=-2) but I think this has a similar cause, https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/ I was able to resolve the other issue with jail creation by removing the DST Root CA X3 from the python root store, and this could probably be resolved by removing that cert from the main root store.

 

[Matt Morgan]

@tdhffg You were spot on with you analysis. Here are the steps I took to resolve this issue:

1. Navigate to /etc/ssl/
2. Open cert.pem
3. Search 'DST Root CA X3'
4. Verify that the dates align to 9/30/2021 expiration (probably not necessary, but why not double check)
5. Delete this cert and save the cert.pem file
6. Navigate back to Freenas UI System -> Update

Note: I have not accomplished anything other than get this to display, but I suspect this will also resolve issue I had with jail creation.

Many thanks!

 

[tdhffg]

Note: I have not accomplished anything other than get this to display, but I suspect this will also resolve issue I had with jail creation.

Many thanks!

Your fix won't solve jail creation, you'll need to remove the cert from /usr/local/lib/python3.7/site-packages/certifi/cacert.pem in order to resolve that.

 

[Matt Morgan]

Observation:

After updating to latest 11.3, this issue reappeared. I had to go back into the cert.pem file and delete the reference again. I'm not sure if it was the update or the reboot that reinstated the cert. Next up is moving to TrueNas. Hoping that will resolve the issue moving forward.

 

[jgreco]

Observation:

After updating to latest 11.3, this issue reappeared. I had to go back into the cert.pem file and delete the reference again. I'm not sure if it was the update or the reboot that reinstated the cert. Next up is moving to TrueNas. Hoping that will resolve the issue moving forward.

This is possibly because you're editing the wrong thing.

/etc/ssl/cert.pem is a symlink; you really need to be editing the system's actual file. This might still get updated when you upgrade FreeNAS, of course, but you need to edit the target.

More discussion at https://www.truenas.com/community/threads/system-update-not-working.95703/post-662035

 

[Matt Morgan]

Your fix won't solve jail creation, you'll need to remove the cert from /usr/local/lib/python3.7/site-packages/certifi/cacert.pem in order to resolve that.

Correct, removed there as well and was able to create the jail.

 

[JalbyX]

Wow great catch! My situation took a turn (as computers often times do) so I've gone a different direction but I never would have thought this. Glad it was resolved for the OP and will keep this in mind for the future.

 

[jgreco]

Your fix won't solve jail creation, you'll need to remove the cert from /usr/local/lib/python3.7/site-packages/certifi/cacert.pem in order to resolve that.

Correct, removed there as well and was able to create the jail.

Yes. Unfortunately, independent lists of SSL CA data may be kept by multiple subsystems on a UNIX platform. Other common ones would be Firefox (and friends), Java, etc. This generally means that over time, SSL capabilities of an installed system tend to diminish in their ability to communicate unless that particular subsystem gets updated.