Solved freebsd-update fetch fails

Hi folks, I'm running 14.3-RELEASE and recently ran freebsd-update fetch and seem to be getting a strange response from the update server:
Code:
# freebsd-update -v debug fetch
Password:
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 14.3-RELEASE from update2.freebsd.org...
fetch: http://update2.freebsd.org/14.3-RELEASE/amd64/latest.ssl: Permission denied
failed.
Fetching metadata signature for 14.3-RELEASE from update1.freebsd.org...
fetch: http://update1.freebsd.org/14.3-RELEASE/amd64/latest.ssl: Permission denied
failed.
Fetching metadata signature for 14.3-RELEASE from dualstack.aws.update.freebsd.org...
fetch: http://dualstack.aws.update.freebsd.org/14.3-RELEASE/amd64/latest.ssl: Permission denied
failed.
No mirrors remaining, giving up.

This may be because upgrading from this platform (amd64)
or release (14.3-RELEASE) is unsupported by freebsd-update. Only
platforms with Tier 1 support can be upgraded by freebsd-update.
See https://www.freebsd.org/platforms/ for more info.

If unsupported, FreeBSD must be upgraded by source.

Manually running fetch(1) on the given URLs gives the same error:
Code:
# fetch -v http://update2.freebsd.org/14.3-RELEASE/amd64/latest.ssl
resolving server address: update2.freebsd.org:80
failed to connect to update2.freebsd.org:80
fetch: http://update2.freebsd.org/14.3-RELEASE/amd64/latest.ssl: Permission denied

I haven't touched /etc/freebsd-update.conf, and a previous run of freebsd-update(8) a few weeks ago succeeded just fine, so I'm surprised this isn't working.

I also can resolve the update server names, so I don't think this is a network issue...
Code:
# drill update2.freebsd.org
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 61001
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; update2.freebsd.org. IN      A

;; ANSWER SECTION:
update2.freebsd.org.    2935    IN      A       204.15.11.69

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 192.168.1.1
;; WHEN: Wed Sep 17 11:20:56 2025
;; MSG SIZE  rcvd: 53

Anyone have any pointers for how to figure out the root cause of this?

Thanks in advance!
 
Strange, seems to work fine here
Code:
dice@maelcum:~ % fetch http://update2.freebsd.org/14.3-RELEASE/amd64/latest.ssl
latest.ssl                                             512  B 4202 kBps    00s
dice@maelcum:~ % fetch http://update1.freebsd.org/14.3-RELEASE/amd64/latest.ssl
latest.ssl                                             512  B 4236 kBps    00s
Can you try again, perhaps it was a temporary glitch on the servers? Or, if you're still getting that error, it might be something local.

If it's local, you could try deleting everything in /var/db/freebsd-update/, it should all get freshly fetched if needed.
 
Strange, seems to work fine here
Code:
dice@maelcum:~ % fetch http://update2.freebsd.org/14.3-RELEASE/amd64/latest.ssl
latest.ssl                                             512  B 4202 kBps    00s
dice@maelcum:~ % fetch http://update1.freebsd.org/14.3-RELEASE/amd64/latest.ssl
latest.ssl                                             512  B 4236 kBps    00s
Can you try again, perhaps it was a temporary glitch on the servers? Or, if you're still getting that error, it might be something local.

If it's local, you could try deleting everything in /var/db/freebsd-update/, it should all get freshly fetched if needed.
I just realized the issue; this one is an operator error.

I setup pf(4) and I apparently accidentally blocked HTTP traffic (HTTPS was allowed, though). Fixing my /etc/pf.conf got it working:

Code:
# freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 14.3-RELEASE from update1.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.
The following files will be updated as part of updating to
14.3-RELEASE-p3:
/bin/freebsd-version
/boot/kernel/if_bnxt.ko
/boot/kernel/kernel
/usr/src/sys/arm64/arm64/elf32_machdep.c
/usr/src/sys/conf/newvers.sh
/usr/src/sys/dev/bnxt/bnxt_en/if_bnxt.c
/usr/src/sys/kern/vfs_syscalls.c

Since my account is still too new, could you mark this post as [SOLVED] for me?

Thanks!
 
Back
Top