Check Your pfSense CE Version

Your Self-update Utilities May Have Become Broken in 2.7.0

Introduction

If you’re not a user of pfSense, this post may not be of great interest. Though, if you’re not familiar with the product – I’ll quickly explain it’s a way to get a powerful “prosumer” router for those wanting to maintain refined levels of control (security) and flexibility with their internet connections.

Some of you may know DD-WRT, OpenWRT, and FreshTomato – these are definitely very good options for keeping your existing retail-bought routers secure. However, pfSense is specifically designed for certain hardware specs instead of replacing the software on retail devices. You can search Amazon for “Protectli” to find firewall micro appliances compatible with pfSense if you are interested and use the pfSense web site to educate yourself on the hardware.

Netgate, the open-source company responsible for pfSense, provides two versions: the paid pfSense+, which offers more frequent updates and enhanced support, and the Community Edition (CE). I utilize the Community Edition, as my requirements typically do not necessitate extensive support.

I would like to note that major updates to the Community Edition are infrequent, although underlying OS packages with security concerns may receive more frequent updates. Several message boards have documented concerns from other Community Edition users regarding the frustration with not receiving all the latest and greatest features offered by the pfSense+ version as frequently.

During my investigation, I found that my version was over a year old. Although major releases weren't much more frequent, this prompted me to examine the software/OS further.

Stuck at Version 2.7.0

The main page of the interface for pfSense will indicate if it is up to date or not, such as that pictured here (after I was able to invoke an upgrade).

Current version display from pfSense Web UI

In my case, the display had been showing 2.7.0-RELEASE with a version from mid 2023. However, the “The system is on the latest version.” message with friendly green type was still present. Being a bit skeptical, I went over to the system update page.

System -> Update

This situation was rather perplexing. Each software package seems to follow its own versioning logic, making it difficult to determine whether this interface aimed to distinguish between the UI layer, firmware, package bundle, or something else entirely. Regrettably, I proceeded under the assumption that these mismatched numbers and the reassuring green text indicating "up to date" were accurate, and my lack of knowledge should not result in undue concern about being outdated.

After several weeks, I opted to review the current state of the software to address any CVE concerns that might have arisen since the initial installation. Utilizing pfSense's capability to access FreeBSD through SSH, I logged in accordingly. ChatGPT advised performing a series of verifications, including executing package refresh commands via the command line.

At this point, I start seeing an error message in ld-elf.so and lib-ssl.so error message.

ld-elf.so.1: Shared object "libssl.so.30" not found, required by "pkg"

I decided to search the web. It turns out I wasn’t alone.

I’ll credit the post here on Reddit with the answer for solving my problem.

I ran these commands via SSH

certctl rehash
pkg-static update -f
pkg-static install -fy pkg pfSense-repo pfSense-upgrade

After a minute or two of updates and certificate checks, I went back to the System Update page and forced a refresh.

System -> Update

The friendly Web UI now realized it was out of date and an update to 2.7.2 was available. I started the upgrade which took me 5-10 minutes for a full update. My pfSense device was now back up to date once again!

Note, this may also be the same root problem if the package manager (available via the pfSense Web UI) does not show any available packages.

System -> Package Manager -> Available Packages

My web interface showed all available packages as empty or missing, but after the fix and update, the optional available packages listed is now populated and plentiful.

Conclusion

Hopefully this information helps other pfSense CE users that are concerned about being stuck on 2.7.0 and not able to upgrade to 2.7.2 easily. Please feel free to use the comments below if clarification is needed.