OpenWrt/LEDE Project

  • Status Closed
  • Percent Complete 100%
  • Task Type Bug Report
  • Category Packages
  • Assigned To No-one
  • Operating System All
  • Severity High
  • Priority Very Low
  • Reported Version openwrt-21.02
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by Richard Tweed - 30.09.2021
Last edited by Ted Hess - 20.10.2021

FS#4059 - ca-certificates doesn't include Let's Encrypt CA, preventing package installations through opkg

Summary
ca-certificates doesn't include the new Let's Encrypt CA, which prevents opkg update and other opkg actions, as wget rejects the certs for https://downloads.openwrt.org

Supply the following if possible:
- Device problem occurs on

 Zbtlink ZBT-WG3526 (16M)

- Software versions of OpenWrt/LEDE release, packages, etc.

 OpenWrt 21.02.0 r16279-5cc0535800 / LuCI openwrt-21.02 branch git-21.231.26241-422c175
 ca-certificates	20210119-1

- Steps to reproduce

 
root@OpenWrt:~# opkg update 
Downloading https://downloads.openwrt.org/releases/21.02.0/targets/ramips/mt7621/packages/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/targets/ramips/mt7621/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/base/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/base/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/luci/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/luci/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/packages/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/routing/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/routing/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/telephony/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/telephony/Packages.gz

Collected errors:
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.0/targets/ramips/mt7621/packages/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/base/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/luci/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/packages/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/routing/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/telephony/Packages.gz, wget returned 5.

Testing the wget directly

root@OpenWrt:~# wget https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/telephony/Packages.gz
Downloading 'https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/telephony/Packages.gz'
Connecting to 168.119.138.211:443
Connection error: Invalid SSL certificate

Attached is the certificate chain that is problematic for this version of OpenWrt. My browser (Firefox 92.0.1 (64-bit) on macOS 11.6) has no issues with this CA chain.

Workaround: run the opkg commands directly (not through LuCI) and add the flag

--no-check-certificate

Example

opkg update --no-check-certificate && opkg install ca-certificates --no-check-certificate


Closed by Ted Hess
20.10.2021 11:19
Reason for closing: Fixed

Richard Tweed commented on 30.09.2021 15:04

It's possible this isn't an issue with the CA bundle but with wget instead, but given https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ and the fact it works from other devices, it seems like a CA bundle thing.

Thom Thom commented on 30.09.2021 17:30

Hello, I've done some digging. CA bundle seems OK. Seems to me it is related to WolfSSL. wget and opkg work fine using libustream-mbedtls20201210.

Richard Tweed commented on 03.10.2021 12:58

This can be closed out. Problem seems to be the SSL lib rather than the CA bundle.

I resolved it using the following based on that thread.

opkg update --no-check-certificate
opkg install libopenssl --no-check-certificate
opkg install openssl-util --no-check-certificate

Vladimír Návrat commented on 03.10.2021 19:13

OpenWrt 21.02.0, r16279-5cc0535800 on TP-LINK WDR3600

wget http://oleole.pl -O -
Downloading 'http://oleole.pl'
Connecting to 155.133.76.33:80
Redirected to / on www.oleole.pl
Redirected to / on www.oleole.pl
Connection error: Invalid SSL certificate

It started after 2021-09-30 13:05 and before 2021-09-30 16:05 CEST.

No problem with update/install.
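
A triage helper for the diagnosis reached in the comments above (TLS library rather than CA bundle), added here as an example and not taken from the report or from OpenWrt: it reads `opkg list-installed` and `opkg update` output and names the installed libustream TLS backend when downloads fail with wget code 5. The sample package list is constructed, including the `libustream-wolfssl20201210` entry and the placeholder version strings; the function names are hypothetical.

```shell
#!/bin/sh
# Added triage example; not OpenWrt project code.

# Constructed sample of `opkg list-installed` output (versions are placeholders,
# except ca-certificates, which is the version given in the report).
SAMPLE_INSTALLED='ca-certificates - 20210119-1
libustream-wolfssl20201210 - 0-constructed
opkg - 0-constructed'

# Two error lines in the shape shown in the report's "Collected errors" block.
SAMPLE_LOG='Collected errors:
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/base/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/luci/Packages.gz, wget returned 5.'

# tls_backends: `opkg list-installed` text on stdin -> one backend name per
# line (e.g. wolfssl, mbedtls) for every installed libustream-* package.
tls_backends() {
    sed -n 's/^libustream-\([a-z]*\)[0-9]* - .*$/\1/p' | sort -u
}

# cert_failures: `opkg update` output on stdin -> number of HTTPS downloads
# that failed with wget code 5, the code this report shows alongside
# "Invalid SSL certificate". grep -c exits 1 on zero matches, hence || true.
cert_failures() {
    grep -c '^ \* opkg_download: Failed to download https://.*, wget returned 5\.$' || true
}

# triage INSTALLED_TEXT UPDATE_LOG_TEXT: name the TLS library to inspect
# before reaching for --no-check-certificate.
triage() {
    backends=$(printf '%s\n' "$1" | tls_backends | tr '\n' ' ')
    n=$(printf '%s\n' "$2" | cert_failures)
    if [ "$n" -eq 0 ]; then
        echo "no certificate failures"
    else
        echo "$n certificate failures; TLS backend(s): ${backends% }"
    fi
}

triage "$SAMPLE_INSTALLED" "$SAMPLE_LOG"
```

On a device, pass `"$(opkg list-installed)"` and the captured `"$(opkg update 2>&1)"` in place of the samples.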
