Upgraded from 14.3 to 15.0 - Jail now has bad certificate and can't update

Hello! I did some research but haven't found a good solution yet.

I updated my system from 14.3p10 to 15.0p5. After a few hiccups, I am now up and running as normal. However, I have a jail I use for some things and when I went to update, I got a cert error. This is a standard "thick" jail, so of course it shares the same kernel. I was under the impression I had to do the whole freebsd-update fetch install process in the jail as well.

What's a good way to update my cert in the jail so I can run through the upgrade process?

Code:
freebsd-update fetch
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 15.0-RELEASE from update2.freebsd.org... invalid signature.
Fetching metadata signature for 15.0-RELEASE from update1.freebsd.org... invalid signature.
Fetching metadata signature for 15.0-RELEASE from dualstack.aws.update.freebsd.org... invalid signature.
No mirrors remaining, giving up.

This may be because upgrading from this platform (amd64)
or release (15.0-RELEASE) is unsupported by freebsd-update. Only
platforms with Tier 1 support can be upgraded by freebsd-update.
See https://www.freebsd.org/platforms/ for more info.

If unsupported, FreeBSD must be upgraded by source.

OK.

Code:
cat /etc/os-release
NAME=FreeBSD
VERSION="15.0-RELEASE-p5"
VERSION_ID="15.0"
ID=freebsd
ANSI_COLOR="0;31"
PRETTY_NAME="FreeBSD 15.0-RELEASE-p5"
CPE_NAME="cpe:/o:freebsd:freebsd:15.0"
HOME_URL="https://FreeBSD.org/"
BUG_REPORT_URL="https://bugs.FreeBSD.org/"

Checking pkg -vv

Code:
ABI = "FreeBSD:14:amd64";
ALTABI = "freebsd:14:x86:64";
OSVERSION = "1403000";


Repositories:
  FreeBSD: {
    url             : "pkg+https://pkg.FreeBSD.org/FreeBSD:14:amd64/quarterly",
    enabled         : yes,
    priority        : 0,
    mirror_type     : "SRV",
    signature_type  : "FINGERPRINTS",
    fingerprints    : "/usr/share/keys/pkg"
  }
  FreeBSD-kmods: {
    url             : "pkg+https://pkg.FreeBSD.org/FreeBSD:14:amd64/kmods_quarterly_3",
    enabled         : yes,
    priority        : 0,
    mirror_type     : "SRV",
    signature_type  : "FINGERPRINTS",
    fingerprints    : "/usr/share/keys/pkg"
  }

Clearly the old one. I tried pkg update and of course got the error here:

Code:
Updating FreeBSD repository catalogue...
pkg: Failed to fetch https://pkg.FreeBSD.org/FreeBSD:14:amd64/quarterly/meta.conf: SSL peer certificate or SSH remote key was not OK
pkg: Failed to fetch https://pkg.FreeBSD.org/FreeBSD:14:amd64/quarterly/meta.txz: SSL peer certificate or SSH remote key was not OK
repository FreeBSD has no meta file, using default settings
pkg: Failed to fetch https://pkg.FreeBSD.org/FreeBSD:14:amd64/quarterly/data.pkg: SSL peer certificate or SSH remote key was not OK
pkg: Failed to fetch https://pkg.FreeBSD.org/FreeBSD:14:amd64/quarterly/data.tzst: SSL peer certificate or SSH remote key was not OK
pkg: Failed to fetch https://pkg.FreeBSD.org/FreeBSD:14:amd64/quarterly/packagesite.pkg: SSL peer certificate or SSH remote key was not OK
pkg: Failed to fetch https://pkg.FreeBSD.org/FreeBSD:14:amd64/quarterly/packagesite.tzst: SSL peer certificate or SSH remote key was not OK
Unable to update repository FreeBSD
Updating FreeBSD-kmods repository catalogue...
pkg: Failed to fetch https://pkg.FreeBSD.org/FreeBSD:14:amd64/kmods_quarterly_3/meta.conf: SSL peer certificate or SSH remote key was not OK
pkg: Failed to fetch https://pkg.FreeBSD.org/FreeBSD:14:amd64/kmods_quarterly_3/meta.txz: SSL peer certificate or SSH remote key was not OK
repository FreeBSD-kmods has no meta file, using default settings
pkg: Failed to fetch https://pkg.FreeBSD.org/FreeBSD:14:amd64/kmods_quarterly_3/data.pkg: SSL peer certificate or SSH remote key was not OK
pkg: Failed to fetch https://pkg.FreeBSD.org/FreeBSD:14:amd64/kmods_quarterly_3/data.tzst: SSL peer certificate or SSH remote key was not OK
pkg: Failed to fetch https://pkg.FreeBSD.org/FreeBSD:14:amd64/kmods_quarterly_3/packagesite.pkg: SSL peer certificate or SSH remote key was not OK
pkg: Failed to fetch https://pkg.FreeBSD.org/FreeBSD:14:amd64/kmods_quarterly_3/packagesite.tzst: SSL peer certificate or SSH remote key was not OK
Unable to update repository FreeBSD-kmods
Error updating repositories!

Trying pkg bootstrap -f
Code:
pkg bootstrap -f
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+https://pkg.FreeBSD.org/FreeBSD:14:amd64/quarterly, please wait...
Certificate verification failed for /C=US/O=Let's Encrypt/CN=E8
08100586032C0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /C=US/O=Let's Encrypt/CN=E8
08100586032C0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /C=US/O=Let's Encrypt/CN=E8
08100586032C0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /C=US/O=Let's Encrypt/CN=E8
08100586032C0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /C=US/O=Let's Encrypt/CN=E8
08100586032C0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /C=US/O=Let's Encrypt/CN=E8
08100586032C0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: Attempted to fetch pkg+https://pkg.FreeBSD.org/FreeBSD:14:amd64/quarterly/Latest/pkg.pkg
pkg: Attempted to fetch pkg+https://pkg.FreeBSD.org/FreeBSD:14:amd64/quarterly/Latest/pkg.txz
pkg: Error: Authentication error
A pre-built version of pkg could not be found for your system.
Bootstrapping pkg from pkg+https://pkg.FreeBSD.org/FreeBSD:14:amd64/kmods_quarterly_3, please wait...
Certificate verification failed for /C=US/O=Let's Encrypt/CN=E8
08100586032C0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /C=US/O=Let's Encrypt/CN=E8
08100586032C0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /C=US/O=Let's Encrypt/CN=E8
08100586032C0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /C=US/O=Let's Encrypt/CN=E8
08100586032C0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /C=US/O=Let's Encrypt/CN=E8
08100586032C0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
Certificate verification failed for /C=US/O=Let's Encrypt/CN=E8
08100586032C0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
pkg: Attempted to fetch pkg+https://pkg.FreeBSD.org/FreeBSD:14:amd64/kmods_quarterly_3/Latest/pkg.pkg
pkg: Attempted to fetch pkg+https://pkg.FreeBSD.org/FreeBSD:14:amd64/kmods_quarterly_3/Latest/pkg.txz
pkg: Error: Authentication error
A pre-built version of pkg could not be found for your system.

Also tried (which of course didn't work)
Code:
pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/base_release_0/FreeBSD-pkg-bootstrap-15.0.pkg
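
Added example, not part of the original post: the output quoted above shows a userland reporting 15.0 while pkg still reports ABI FreeBSD:14:amd64, and this sh script compares the two from saved copies of /etc/os-release and `pkg -vv` output. The function names and sample file names are assumptions made for illustration; the sample data is trimmed from the post.

```sh
#!/bin/sh
# Added example: detect a jail whose pkg ABI lags its upgraded userland.

# Major release from an os-release file: VERSION_ID="15.0" -> 15
os_major() {
    sed -n 's/^VERSION_ID="*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Major release from `pkg -vv` output: ABI = "FreeBSD:14:amd64"; -> 14
pkg_abi_major() {
    sed -n 's/^ABI *= *"[^:]*:\([0-9][0-9]*\):.*/\1/p' "$1" | head -n 1
}

# Repository URLs in `pkg -vv` output built for a major other than $2.
stale_repo_urls() {
    awk -v want="$2" -F'"' '/^[ \t]*url[ \t]*:/ {
        if (match($2, /\/FreeBSD:[0-9]+:/) &&
            substr($2, RSTART + 9, RLENGTH - 10) != want) print $2
    }' "$1"
}

# Exit 0 when both majors agree, 1 on drift, 2 when either is unreadable.
check_jail_abi() {
    os=$(os_major "$1"); abi=$(pkg_abi_major "$2")
    if [ -z "$os" ] || [ -z "$abi" ]; then echo "unknown"; return 2; fi
    if [ "$os" = "$abi" ]; then echo "ok: userland and pkg ABI are $os"; return 0; fi
    echo "drift: userland $os, pkg ABI $abi"; return 1
}

# Sample input trimmed from the output quoted in the post.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/os-release" <<'EOF'
NAME=FreeBSD
VERSION="15.0-RELEASE-p5"
VERSION_ID="15.0"
EOF
cat > "$SAMPLES/pkg-vv.txt" <<'EOF'
ABI = "FreeBSD:14:amd64";
ALTABI = "freebsd:14:x86:64";
OSVERSION = "1403000";
Repositories:
  FreeBSD: {
    url             : "pkg+https://pkg.FreeBSD.org/FreeBSD:14:amd64/quarterly",
    enabled         : yes,
  }
EOF

# On drift, also list the repository URLs still pointing at the old major.
check_jail_abi "$SAMPLES/os-release" "$SAMPLES/pkg-vv.txt" ||
    stale_repo_urls "$SAMPLES/pkg-vv.txt" "$(os_major "$SAMPLES/os-release")"
```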
 
Thanks for the reply Alain De Vos. Tried that inside the jail. Date and time are correct as well.

Code:
root@plex:/home/plex # env SSL_NO_VERIFY_PEER=1 pkg bootstrap -f
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+https://pkg.FreeBSD.org/FreeBSD:14:amd64/quarterly, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
[plex] Installing pkg-2.6.2_1...
package pkg is already installed, forced install
[plex] Extracting pkg-2.6.2_1: 100%

After that tried freebsd-update and pkg and both show cert error still.
 
Did you try it inside the jail?
How about trying freebsd-update from outside the jail? From the host,

freebsd-update -b /path/to/jail upgrade -v 15.0-RELEASE

Sorry that I did not try myself, but I had a similar problem with pkgbase and solved by issuing pkg -r /path/to/jail upgrade instead of pkg -j jail upgrade
 
Hello Hiroo. I tried your first command and it said I am already updated.
Code:
sudo freebsd-update fetch -b /usr/jail/plex
pkg: Warning: Major OS version upgrade detected.  Running "pkg bootstrap -f" recommended
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 15.0-RELEASE from update2.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata patches.. done.
Applying metadata patches... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 15.0-RELEASE-p5.

For the second command:

Code:
sudo pkg -r /usr/jail/plex update
pkg: Warning: Major OS version upgrade detected.  Running "pkg bootstrap -f" recommended
Updating FreeBSD-ports repository catalogue...
FreeBSD-ports repository is up to date.
Updating FreeBSD-ports-kmods repository catalogue...
FreeBSD-ports-kmods repository is up to date.
All repositories are up to date.

Also:

Code:
sudo pkg -r /usr/jail/plex bootstrap -f
pkg: Warning: Major OS version upgrade detected.  Running "pkg bootstrap -f" recommended
pkg(8) is already installed. Forcing reinstallation through pkg(7).
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+https://pkg.FreeBSD.org/FreeBSD:15:amd64/quarterly, please wait...
Verifying signature with trusted certificate pkg.freebsd.org.2013102301... done
Installing pkg-2.6.2_1...
package pkg is already installed, forced install
Extracting pkg-2.6.2_1: 100%
 
I tried something else I found, and pkg works now. But freebsd-update does not.

Code:
sudo pkg -r /usr/jail/plex install ca_root_nss
Message from ca_root_nss-3.117_2:

--
FreeBSD does not, and can not warrant that the certification authorities
whose certificates are included in this package have in any way been
audited for trustworthiness or RFC 3647 compliance.

Assessment and verification of trust is the complete responsibility of
the system administrator.

This package installs symlinks to support root certificate discovery
for software that either uses other cryptographic libraries than
OpenSSL, or use OpenSSL but do not follow recommended practice.

If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.

  * /etc/ssl/cert.pem
  * /usr/local/etc/ssl/cert.pem
  * /usr/local/openssl/cert.pem

And now inside the jail I am able to run pkg commands. Is the ca_root_nss pkg secure? It says it's from Mozilla, so I trust that. This is a jail so not sure if it matters to me now.

So now I just need to figure out why the other cert is broken for freebsd-update.
 
From the manpage, the -b option has to come before the freebsd-update command (upgrade and so on). So, run

sudo freebsd-update -b /usr/jail/plex fetch,

not

sudo freebsd-update fetch -b /usr/jail/plex
 
Thank you Hiroo. If I run commands from the host, it all seems to match now. But running freebsd-update inside the jail doesn't work. For pkg now I get this:


Code:
pkg update
pkg: Setting ABI requires setting OSVERSION, guessing the OSVERSION as: 1500000
pkg: Warning: Major OS version upgrade detected.  Running "pkg bootstrap -f" recommended
Updating FreeBSD repository catalogue...
pkg: Repository FreeBSD has a wrong packagesite, need to re-create database
[plex] Fetching meta.conf: 100%     179 B   0.2 kB/s    00:01   
[plex] Fetching data: 100%    10 MiB  11.0 MB/s    00:01   
Processing entries:   0%
Newer FreeBSD version for package zsync:
To ignore this error set IGNORE_OSVERSION=yes
- package: 1500068
- running userland: 1500000
Ignore the mismatch and continue? [y/N]:
 