Cert verify failed: BADCERT_EXPIRED (Letsencrypt global root cert)

Ok, I'll rebuild using the 21.02.0.

I don't mean in any way cracking anything. I mean using one of their legit certs, maybe an intermediate, something on the server that would allow the devices to communicate again.

As I mentioned, I have zero access to the devices, they are remote.
The only thing installed on the devices are ca-certificates package, nothing else, nothing special at least.

Hmm, using 21.02.0, I get this right from the start.


Collected errors:
 * check_data_file_clashes: Package libustream-wolfssl20201210 wants to install file /21.02.0-ramips-mt300n-v2/build_dir/target-mipsel_24kc_musl/root-ramips/lib/libustream-ssl.so
        But that file is already provided by package  * libustream-openssl20201210
 * opkg_install_cmd: Cannot install package libustream-wolfssl.
 * check_data_file_clashes: Package wpad-basic-wolfssl wants to install file /21.02.0-ramips-mt300n-v2/build_dir/target-mipsel_24kc_musl/root-ramips/usr/sbin/wpa_supplicant
        But that file is already provided by package  * wpa-supplicant
 * opkg_install_cmd: Cannot install package wpad-basic-wolfssl.
make[2]: *** [Makefile:167: package_install] Error 255
make[1]: *** [Makefile:122: _call_image] Error 2
make: *** [Makefile:240: image] Error 2


You get that if you try installing both wolfssl and openssl versions of the libustream package.

If you want only openssl, then e.g. select luci-ssl-openssl instead of luci-ssl (with wolfssl). Same goes for hostapd/wpad variants...

I don't use luci on these things so not sure how to get past this.

Wpad-basic-openssl

You may need to deselect some default packages like wpad-basic-wolfssl.

See example in Libustream-wolfssl clashing with libustream-openssl - #3 by hnyman

I disabled that as you suggested.
Closer.

Collected errors:
 * check_data_file_clashes: Package libustream-wolfssl20201210 wants to install file /21.02.0-ramips-mt300n-v2/build_dir/target-mipsel_24kc_musl/root-ramips/lib/libustream-sso
        But that file is already provided by package  * libustream-openssl20201210
 * opkg_install_cmd: Cannot install package libustream-wolfssl.
make[2]: *** [Makefile:167: package_install] Error 255
make[1]: *** [Makefile:122: _call_image] Error 2
make: *** [Makefile:240: image] Error 2

The devices do not have luci but do support wireless so I need to build with that in mind.
I guess I need to disable libustream-wolfssl next?

That worked and writing to device to see if everything is there.

Did you read that example that I linked?

CONFIG_PACKAGE_wpad-openssl=y
# CONFIG_PACKAGE_wpad-basic-wolfssl is not set
# CONFIG_PACKAGE_libustream-wolfssl is not set
# CONFIG_PACKAGE_libwolfssl is not set

Yes, you need to disable all default wolfssl things if you want only openssl based

Edit
Ok, you got it working

I missed that so will re-try it.
The new build gave me this.

curl: (77) CA signer not available for verification

# opkg list-installed | grep -E "wget|ssl|cert"
libopenssl1.1 - 1.1.1l-1
libustream-openssl20201210 - 2020-12-10-68d09243-1
libwolfssl4.7.0.66253b90 - 4.7.0-stable-2

You possibly miss the cacertificates package?

And note that you can also tell curl to not check the certificate.

I'm not sure what I'm doing wrong at this point. I've commented out all of the packages you mentioned unless I'm missing one.

~# opkg list-installed | grep -E "wget|ssl|cert"
libopenssl1.1 - 1.1.1l-1
libustream-openssl20201210 - 2020-12-10-68d09243-1
libwolfssl4.7.0.66253b90 - 4.7.0-stable-2

I commented out libwolfssl but I now see the package name is libwolfssl4.7.0.66253b90.
I don't recall package names usually having versions as part of the name so I'll try as suggested.

libopenssl1.1
libustream-openssl20201210
libwolfssl4.7.0.66253b90

Trying again.

Specifying the cert or not gives the same result.

curl: (77)  CA signer not available for verification

Do you have the ca-bundle package installed?

Yes, it's installed. I cannot build now, the repo is constantly unavailable.

% opkg update
Downloading https://downloads.openwrt.org/releases/21.02.0/targets/ramips/mt76x8/packages/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/targets/ramips/mt76x8/packages/Packages.gz

No matter if I disable the package -libwolfssl4.7.0.66253b90 or -libwolfssl, it just keeps being installed.

Sorry, yes, using --insecure does work.
BTW, I'm using image builder, not source.

Server side workaround on downloads.openwrt.org implemented, at least I am able to connect using a vanilla OpenWrt 21.02.0 x86/64 VM now

Jow, not following. What is the server side workaround?

See the other threads...

This is nuts. I simply cannot prevent libwolfssl4.7.0.66253b90 from getting installed.
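
The thread describes two conditions that are easy to check on a built image: openssl and wolfssl variants present together, and the CA store that curl needs for verification. The following is an added example, not part of the original thread or of OpenWrt; the helper names `tls_backends`, `has_ca_store` and `audit` are hypothetical, and the sample input is constructed from the listing posted above.

```shell
#!/bin/sh
# Audit `opkg list-installed` output (read on stdin) for mixed TLS backends
# and for a CA store package. Added example; helper names are hypothetical.

# Print each TLS backend whose name appears in an installed package name.
tls_backends() {
    awk '{
        if ($1 ~ /openssl/) seen["openssl"] = 1
        if ($1 ~ /wolfssl/) seen["wolfssl"] = 1
        if ($1 ~ /mbedtls/) seen["mbedtls"] = 1
    }
    END { for (b in seen) print b }' | sort
}

# Print "yes" if ca-bundle or ca-certificates is listed, otherwise "no".
has_ca_store() {
    if awk '$1 == "ca-bundle" || $1 == "ca-certificates" { found = 1 }
            END { exit !found }'; then
        echo yes
    else
        echo no
    fi
}

# One-line summary: backends found, whether more than one, CA store present.
audit() {
    list=$(cat)
    backends=$(printf '%s\n' "$list" | tls_backends | tr '\n' ' ')
    count=$(printf '%s\n' "$list" | tls_backends | wc -l | tr -d ' ')
    ca=$(printf '%s\n' "$list" | has_ca_store)
    mixed=$([ "$count" -gt 1 ] && echo yes || echo no)
    echo "backends=${backends% } mixed=$mixed ca_store=$ca"
}

# Constructed sample: the filtered listing posted in the thread.
# The filter "wget|ssl|cert" cannot match ca-bundle, so ca_store=no here
# only reflects the filter; feed the unfiltered list on a real device.
SAMPLE='libopenssl1.1 - 1.1.1l-1
libustream-openssl20201210 - 2020-12-10-68d09243-1
libwolfssl4.7.0.66253b90 - 4.7.0-stable-2'

printf '%s\n' "$SAMPLE" | audit
```

On a device, run it as `opkg list-installed | audit` so the CA store check sees the full package list.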