FS#4059 - ca-certificates doesn't include Lets Encrypt CA, preventing package installations through opkg #9077

Closed
openwrt-bot opened this issue Sep 30, 2021 · 5 comments

@openwrt-bot

RichardoC:

Summary
ca-certificates doesn't include the new Let's Encrypt CA, which prevents opkg update and other opkg actions, as wget rejects the certs for https://downloads.openwrt.org.

Supply the following if possible:

  • Device problem occurs on
    Zbtlink ZBT-WG3526 (16M)
  • Software versions of OpenWrt/LEDE release, packages, etc.
    OpenWrt 21.02.0 r16279-5cc0535800 / LuCI openwrt-21.02 branch git-21.231.26241-422c175
    ca-certificates 20210119-1
  • Steps to reproduce

root@OpenWrt:~# opkg update
Downloading https://downloads.openwrt.org/releases/21.02.0/targets/ramips/mt7621/packages/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/targets/ramips/mt7621/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/base/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/base/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/luci/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/luci/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/packages/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/routing/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/routing/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/telephony/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/telephony/Packages.gz

Collected errors:

Testing the wget directly

root@OpenWrt:~# wget https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/telephony/Packages.gz
Downloading 'https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/telephony/Packages.gz'
Connecting to 168.119.138.211:443
Connection error: Invalid SSL certificate

Attached is the certificate chain that is problematic for this version of OpenWrt. My browser (Firefox 92.0.1 (64-bit) on macOS 11.6) has no issues with this CA chain.

Workaround: run the opkg commands directly (not through LuCI) and add the flag --no-check-certificate.
Example:
opkg update --no-check-certificate && opkg install ca-certificates --no-check-certificate

@openwrt-bot

RichardoC:

It's possible this isn't an issue with the CA bundle but with wget instead, but given https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ and the fact it works from other devices, it seems like a CA bundle thing.

@openwrt-bot

thom1122:

Hello, I've done some digging. CA bundle seems OK. Seems to me it is related to WolfSSL. wget and opkg work fine using libustream-mbedtls20201210.

@openwrt-bot

RichardoC:

This can be closed out. Problem seems to be the SSL lib rather than the CA bundle.

I resolved it using the following based on that thread.

opkg update --no-check-certificate
opkg install libopenssl --no-check-certificate
opkg install openssl-util --no-check-certificate

@openwrt-bot

vlna:

OpenWrt 21.02.0, r16279-5cc0535800 on TP-LINK WDR3600

wget http://oleole.pl -O -
Downloading 'http://oleole.pl'
Connecting to 155.133.76.33:80
Redirected to / on www.oleole.pl
Redirected to / on www.oleole.pl
Connection error: Invalid SSL certificate

It started after 2021-09-30 13:05 and before 2021-09-30 16:05 CEST.

No problem with update/install.
