ACME fails mbedTLS SSL - fatal alert message


I just installed 22.03.3 on an RT-AX53U (Asus). I'm trying to fetch a letsencrypt cert via dns challenge.
It seems this is failing due to OpenWrt not recognizing a valid Letsencrypt certificate. When I manually curl against the API URL of the powerdns server it says

root@ax1800:~# curl
curl: (35) ssl_handshake returned - mbedTLS: (-0x7780) SSL - A fatal alert message was received from our peer

I cross-checked by curling to a regular webserver I know uses letsencrypt certs. This also fails with the same error.

Is the date correct on the device?

Yes, the date is fine. I found out that all my OpenWrt devices seem to have a problem curling against letsencrypt https sites. What package contains all the CA certs?

There's a ca-bundle and a ca-certificates package.

ca-bundle was already installed; ca-certificates was not. Even after installing it, curl against throws an error, while against another letsencrypt site like it does not.

It seems like this mbedTLS doesn't support the ciphers I'm offering at my nginx reverse proxy, which is somewhat weird because I optimized them to be as secure as possible.


I switched to these ciphers, which are also secure AFAIK, and they work with mbedTLS.

ssl_ciphers EECDH+AESGCM:EECDH+AES256;
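The failure in this thread is a cipher-suite policy mismatch: the nginx side offered only suites the mbedTLS-based curl on OpenWrt could not use, so the server answered the ClientHello with a fatal alert. The script below is an added example, not code from the thread or from OpenWrt; it expands an nginx-style `ssl_ciphers` string with the local OpenSSL (via Python's `ssl` module) and checks it against a constructed list of suites a small embedded client might offer (`EMBEDDED_CLIENT_SUITES` is an assumption, not a real mbedTLS support matrix). It also assumes the client speaks TLS 1.2 at most, which is why TLS 1.3 suites are filtered out.

```python
"""Check whether a server's nginx-style ssl_ciphers string shares any TLS 1.2
suite with a client that only speaks a fixed set of suites.  The expansion
uses the local OpenSSL build through Python's ssl module; the client list
below is constructed for illustration."""
import ssl

# Constructed example list (assumption): an embedded client that only offers
# ECDHE key exchange with an RSA certificate and AES, no ChaCha20.
EMBEDDED_CLIENT_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-SHA256",
]


def expand_cipher_string(spec):
    """Expand an OpenSSL/nginx cipher string into the TLS 1.2 suite names it
    enables, in the order OpenSSL lists them.  Returns [] when nothing
    matches; OpenSSL then rejects the string with 'No cipher can be selected'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    # OpenSSL always lists its TLS 1.3 suites alongside the TLS 1.2 ones; drop
    # them because the peer modelled here negotiates TLS 1.2 at most.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def common_suites(server_spec, client_suites):
    """Suites both sides accept, kept in the server's order."""
    offered = set(client_suites)
    return [name for name in expand_cipher_string(server_spec) if name in offered]


def diagnose(server_spec, client_suites=EMBEDDED_CLIENT_SUITES):
    """Human-readable verdict for one server policy against one client."""
    common = common_suites(server_spec, client_suites)
    if not common:
        return ("no common TLS 1.2 suite: the server will answer the ClientHello "
                "with a fatal alert (seen by curl as mbedTLS -0x7780)")
    return "handshake can proceed with " + common[0]


if __name__ == "__main__":
    # The list that worked in the thread's last post.
    print(diagnose("EECDH+AESGCM:EECDH+AES256"))
    # Constructed example of a server policy this client cannot satisfy.
    print(diagnose("EECDH+CHACHA20"))
```

The same expansion can be done from a shell with `openssl ciphers -v 'EECDH+AESGCM:EECDH+AES256'`; comparing that output with what the client build actually supports is the quickest way to tell a cipher mismatch apart from a certificate-chain problem, which would show up as a verification error rather than a fatal alert from the server.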
