Attendedsysupgrade

Greetings,
suddenly I have errors from the attendedsysupgrade.
I used it for quite a while so far.
I am upgrading from 22.03.5 to 23.05.0.rc2 (no other options)
The routers are:

  1. xiaomi,mi-router-4a-gigabit (ap-1)
  2. dlink,dap-2695-a1 (ap-2)
  3. netgear,r7800 (this is my main router)

Now all my 3 routers give me the same error: (after a long list...)
 * check_data_file_clashes: Package libustream-mbedtls20201210 wants to install file /home/aparcar/asu/worker1/cache/23.05.0-rc2/ath79/generic/build_dir/target-mips_24kc_musl/root-ath79/lib/libustream-ssl.so
	But that file is already provided by package  * libustream-wolfssl20201210
 * opkg_install_cmd: Cannot install package luci-ssl.
make[2]: *** [Makefile:187: package_install] Error 255
make[1]: *** [Makefile:152: _call_manifest] Error 2
make: *** [Makefile:272: manifest] Error 2

Others with same issue?
Any suggestion?
Should I do a manual upgrade?
Why do I see this error?
Lots of questions. Sorry!
Thanks for your help.

Did you read the release information? It states that wolfssl is replaced by mbedtls. So I think you need to:

  1. install mbedtls
  2. remove wolfssl

then do an attended sysupgrade

1 Like

Thanks Dantes,
no, I did not read the release.
Probably something that we all should do, just like RTFM... and we all skip it.
Especially when you do that often...
Thanks for the heads up. I will try right away.

PS
can you please point me to the release note?
Using the attended sysupgrade I can't see it (or I don't look well for it...). Thanks.
There are many mbedtls packages and I am not sure which one to install.
I assume mbedtls-util??

It's only missing the neon light, but it's in bold; you can't miss it.

Got it. thanks

Switch from wolfssl to mbedtls as default

OpenWrt switched the default cryptographic library from wolfssl to mbedtls. This library is used for HTTPS/TLS in the Webserver providing LuCI and for the cryptographic operations in hostapd. mbedtls provides security updates in their LTS branch without changing the application binary interface (ABI) of the library. wolfssl provides a stable ABI only for a very limited subset of functions. mbedtls allows us to update only mbedtls without the need to recompile and upgrade all users of mbedtls.

would it be enough to install mbedtls-util among all other mbedtls options?

also, I have quite a few wolfssl packages.
Should I remove them all?

I think you need libustream-mbedtls*

  1. make a backup
  2. install all mbedtls packages you need (opkg list *mbedtls*)
  3. remove all wolfssl packages
  4. do the upgrade
1 Like

I installed mbedtls-util.
I deleted one of the wolfssl packages and they have all gone.
I restarted the attendedsysupgrade and the installation began.
It has been waiting for all this time. I checked the CLI and it looks like version 23.05.0 is installed.
But I lost the GUI.
I rebooted... but the GUI is still not available.
If you or someone has an idea how to get that back... much appreciated.

Disregard the post.
Turned out that my browser was forcing https when openwrt is on http.
It works now.
Thank you @Dantes

PS
ALL OF THEM?
There are really a lot. And on my main server I have openvpn. I see an openvpn-mbedtls too...

If you use openvpn-wolfssl you need to replace that with openvpn-mbedtls. So it all depends on what you had installed.

From what I can tell:

  • px5g-mbedtls
  • libuhttpd-mbedtls (which should give you back the https in luci)

edit:
After you have installed everything you want to run attended-sysupgrade again to integrate your packages. (Otherwise they'll be gone if you reset or restore)

So, what I noticed is that I lost wireless in every upgraded router.
Looks like the encryption is gone.
When I look at the wireless interfaces, they are all disabled. Editing any of them gives me an issue in wireless security: no encryption.
WPA-Encryption requires wpa_supplicant (for client mode) or hostapd (for AP and ad-hoc mode) to be installed.

Could it be that the wolfssl removal plays a role in this?
I don't think wpa_supplicant should have been removed, right?
And yet, it seems it is already installed! Now this is an issue.

Actually it seems that the process is not simply

  1. make a backup
  2. install all mbedtls packages you need (opkg list *mbedtls*)
  3. remove all wolfssl packages
  4. do the upgrade

Turns out quite some re-configuring is necessary.
The packages needed for wifi encryption seem to have been removed and have to be manually installed: hostapd (precisely, it was hostapd-openssl for me).
Without it, there is no more wireless.
After installing it, you have to first reboot the router, and then hostapd is active.
I will keep reporting to let you know if more packages have been removed.
All in all, it has not been a smooth upgrade for me.

I think these packages use mbedtls

  • hostapd-mini
  • hostapd-basic
  • hostapd-full

but you should check and see what fits your use case.

You will run into these problems now and again if you install the RC's and nightlies. Problem-less upgrades require a more conservative approach :wink:
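The package swap discussed in the posts above (install the mbedtls variants, remove the wolfssl ones, and watch for the hostapd/wpad loss that disabled WPA), as an added example that is not part of the original thread and is not OpenWrt's own tooling. It reads `opkg list-installed` style lines and prints a plan; the sample list is constructed, and the assumption that each variant keeps its name with `wolfssl` replaced by `mbedtls` must be checked against `opkg list '*mbedtls*'` before acting on it.

```shell
#!/bin/sh
# Added example: plan a wolfssl -> mbedtls package swap before a release upgrade.
# Input on stdin: lines in `opkg list-installed` format ("name - version").
# Assumption: a non-library variant keeps its name with "wolfssl" replaced by
# "mbedtls"; confirm every target with `opkg list '*mbedtls*'` first.

plan_tls_swap() {
    while read -r name rest; do
        case "$name" in
            libwolfssl*)
                # The TLS library itself: remove last, once nothing depends on it.
                printf 'LIB  %s\n' "$name" ;;
            *wolfssl*)
                target=$(printf '%s' "$name" | sed 's/wolfssl/mbedtls/')
                case "$name" in
                    wpad*|hostapd*|wpa-supplicant*)
                        # Without a replacement, WPA is unavailable on every radio.
                        printf 'WIFI %s %s\n' "$name" "$target" ;;
                    *)
                        printf 'SWAP %s %s\n' "$name" "$target" ;;
                esac ;;
        esac
    done
}

# Count WPA-critical entries in a plan read from stdin. Non-zero means:
# install the replacement before removing the old package, then reboot.
count_wifi_critical() {
    grep -c '^WIFI ' || true
}

# Constructed sample list (not taken from a real router; versions are dummies).
SAMPLE_INSTALLED='libustream-wolfssl20201210 - 1.0
px5g-wolfssl - 1.0
wpad-basic-wolfssl - 1.0
libwolfssl-constructed - 1.0
luci-ssl - 1.0
dnsmasq - 1.0'

printf '%s\n' "$SAMPLE_INSTALLED" | plan_tls_swap
```

On a router, feed it real data with `opkg list-installed | plan_tls_swap` and keep the output next to the configuration backup.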

True, but I did not use a nightly version.
Quite a while ago, I had a conversation here and it was suggested to me not to manually upgrade, to avoid the risk of breaking (sooner or later) part or all of my openwrt.
The strong suggestion was to use the Attendedsysupgrade. That I promptly did, and embraced the suggestion.
Also because I read around a lot and it seems that the openwrt attendedsysupgrade was the best and safest way to upgrade the router.
There should be no nightly choice in attendedsysupgrade. And it also builds all the packages you already use. So you don't have to use any other form of backup (as I was doing before attendedsysupgrade).

Basically, I should not expect to run into such issues when using Attendedsysupgrade.
Are you familiar with Attendedsysupgrade?
For those that are not familiar with it, here is a good explanation:
https://openwrt.org/docs/guide-user/installation/attended.sysupgrade
I hope I can safely use this tool again in the future.
At the moment I am uncomfortable using it on my main router, as it serves not only internet (from the ISP) but also my IPTV provider and all the needed NAT.
I am going to read and wait for more user experiences on the latest upgrade.
Nevertheless, Dantes, you did help me to solve the upgrade procedure.
The rest is actually not supposed to be in this post... I should have created a new one.

There are three scenarios to consider when using auc/asu:

  1. When upgrading a patch level within a release, say from 22.03.2 to 22.03.5. This should work flawlessly and is a highly recommended application for auc/asu.

  2. When you wish to remain up-to-date on SNAPSHOT releases, say updating on a frequent (say, weekly) basis for testing or whatever. This generally works quite well, but can sometimes result in issues, such as we saw back in Feb 2023 when mbedtls replaced wolfssl. Usually you get an error during the update, scan the commit logs for OpenWrt core or the packages feed, and can figure out a solution by either doing some opkg update/remove commands or editing the odd /etc/config/blah file.

  3. When you wish to update from one release branch to another, say 22.03.5 to 23.05.0. DON'T DO THIS*. This is where you can get into trouble, it's almost always best to just back up your current installation and do a standard sysupgrade followed by manual "rebuild from scratch". Using asu/auc for this type of update will propagate bad information in config files, try to install obsolete or missing packages, and generally is a bad idea.

Edit:
* - Yes, do this! If you encounter issues, let me know so I can figure out how to make asu/auc better.

1 Like

Your suggestion is fair.
And doing a fresh install is probably even the best.
When using a router for years, a lot of things have changed or been added along the way.
If I understand correctly what you say, you suggest making a fresh upgrade and reinstalling what one needs. Do I get that correctly?
In my case, 2 of the routers are actually dumb APs and what I described in those posts was easy to re-configure.
I do have a main router that serves all the others.
This one runs a number of packages, most of which have a configuration.
It has a vlan for my ISP and for my ISP IPTV.
I also run an OpenVPN client (to a commercial vpn provider) that covers all my network devices (really everything but 2 devices).
I run a VPNbypass to exclude those few devices or specific external IPs/domains.
I also use custom DNSs and so on...
If I have to re-do all that, I am a bit afraid I will miss something out.
I used to follow another process before using Attendedsysupgrade, but I was later discouraged from using it: https://zedt.eu/tech/linux/how-to-update-openwrt-while-retaining-existing-configuration-and-all-custom-packages/
Starting to re-configure a router after many years of use does take some effort and fear (and time).

Correct. If you know the package list that applies to the new version, with required changes, then the firmware builder can be used. If you don't know, then just grab the latest base firmware, install it and use "System -> Software" to pick through and install whatever top-level packages you need. See Detecting user installed pkgs for some tools to help dig out the list of top-level packages you've got installed.

Yeah, that's the big problem, it's hard to know what to rebuild, what got replaced, how to reconfigure...

And that's not just a problem you and I have, but also one that applies to auc/asu as well. There's currently no mechanism in place that says things like, "if you see package x getting upgraded from version 1 to version 2, then make sure to update the config to include the new fubar feature and delete the old barfu one" or "package A gets replaced by package B, but only if package X is present!" That info is probably in the release notes, but asu/auc can't read (yet :slight_smile:) so it's left to us mere humans to do so.

The only reason item #1 in my list works so well is because the devs have made a concerted effort to never change basic structure in a given release (where "basic structure" could be viewed as library dependencies, package names and content, config file contents and meaning, stuff like that).

My best advice is "don't put off updates too long or it will become exponentially more painful with time."

2 Likes