ACME fails mbedTLS SSL - fatal alert message

Hi,

I just installed 22.03.3 on an RT-AX53U (Asus). I'm trying to fetch letsencrypt cert via dns challenge.
It seems this is failing due to OpenWrt not recognizing a valid Letsencrypt certificate. When I manually curl against the API URL of the powerdns server it says

root@ax1800:~# curl https://mypowerdnsapi.server.com
curl: (35) ssl_handshake returned - mbedTLS: (-0x7780) SSL - A fatal alert message was received from our peer

I cross-checked by curling to a regular webserver I know uses letsencrypt certs. This also fails with the same error.

Is the date correct on the device?

Yes, the date is fine. I found out that all my OpenWrt devices seem to have a problem curling against letsencrypt https sites. What package contains all the CA certs?

There's a ca-bundle and a ca-certificates package.

ca-bundle was already installed; ca-certificates was not. Even after installing it, curl against https://libcom.de throws an error, while against another letsencrypt site like https://relaix.net it does not.

It seems like this mbedTLS doesn't support the ciphers I'm offering at my nginx reverse proxy which is somewhat weird because I optimized them for being as secure as possible.

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;

I switched to those ciphers, which also are secure AFAIK and they work with mbedTLS.

ssl_ciphers EECDH+AESGCM:EECDH+AES256;
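Added example (not from the thread or from any of the posters): a local check of how OpenSSL, which nginx links against, interprets each entry of an ssl_ciphers string before it is deployed. It uses only Python's stdlib ssl module, so it runs offline. Applying the whole string at once hides problems, because OpenSSL silently drops entries it does not recognise and only errors when nothing at all matches; probing each colon-separated entry on its own shows which names expand to real cipher suites and which are discarded. Run against the two strings quoted above, it shows that the first two names of the original list (the AES256-GCM-SHA512 variants, which do not exist as TLS 1.2 suites) are not recognised, while every entry of the replacement string expands to concrete ECDHE suites. The cipher strings are embedded here as constructed input copied from the posts; the function names are this example's own.

```python
import ssl
from typing import Dict, List

# Constructed inputs: the two ssl_ciphers values quoted in the thread above.
ORIGINAL_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:"
    "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-SHA384"
)
REPLACEMENT_CIPHERS = "EECDH+AESGCM:EECDH+AES256"


def expand_entry(entry: str) -> List[str]:
    """Return the cipher suite names OpenSSL selects for a single
    ssl_ciphers entry, or [] if OpenSSL does not recognise it at all.

    TLS 1.3 suites are always enabled by OpenSSL regardless of the cipher
    list, so they are filtered out to show only what the entry itself adds.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(entry)
    except ssl.SSLError:
        # OpenSSL reports "No cipher can be selected" when nothing matches.
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def vet_cipher_string(cipher_string: str) -> Dict[str, List[str]]:
    """Map every colon-separated entry of an nginx ssl_ciphers string to the
    cipher suite names it expands to (empty list = silently dropped)."""
    return {e: expand_entry(e) for e in cipher_string.split(":") if e}


def unrecognised_entries(cipher_string: str) -> List[str]:
    """Entries that OpenSSL would drop without any warning when the whole
    string is applied at once."""
    return [e for e, names in vet_cipher_string(cipher_string).items() if not names]


if __name__ == "__main__":
    for label, cs in (("original", ORIGINAL_CIPHERS), ("replacement", REPLACEMENT_CIPHERS)):
        print(f"== {label}: {cs}")
        for entry, names in vet_cipher_string(cs).items():
            status = ", ".join(names) if names else "NOT RECOGNISED by OpenSSL"
            print(f"  {entry:32} -> {status}")
        dropped = unrecognised_entries(cs)
        print(f"  dropped entries: {dropped if dropped else 'none'}")
```

This only tells you how the nginx side (OpenSSL) reads the string; whether the suites that survive are also offered by the mbedTLS build of curl on the router still has to be confirmed with a handshake from the device, as was done in the thread. Note also that the last entry of the original list, ECDHE-RSA-AES256-SHA384, is a CBC suite rather than an AEAD one, which is worth knowing when a list is meant to be "as secure as possible".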
