Cert verify failed: BADCERT_EXPIRED (Letsencrypt global root cert)

I disabled that as you suggested.
Closer.

Collected errors:
 * check_data_file_clashes: Package libustream-wolfssl20201210 wants to install file /21.02.0-ramips-mt300n-v2/build_dir/target-mipsel_24kc_musl/root-ramips/lib/libustream-sso
        But that file is already provided by package  * libustream-openssl20201210
 * opkg_install_cmd: Cannot install package libustream-wolfssl.
make[2]: *** [Makefile:167: package_install] Error 255
make[1]: *** [Makefile:122: _call_image] Error 2
make: *** [Makefile:240: image] Error 2

The devices do not have luci but do support wireless so I need to build with that in mind.
I guess I need to disable libustream-wolfssl next?

That worked, and I'm writing to the device to see if everything is there.

1 Like

Did you read that example that I linked?

CONFIG_PACKAGE_wpad-openssl=y
# CONFIG_PACKAGE_wpad-basic-wolfssl is not set
# CONFIG_PACKAGE_libustream-wolfssl is not set
# CONFIG_PACKAGE_libwolfssl is not set

Yes, you need to disable all default wolfssl things if you want only openssl based.

Edit: OK, you got it working.

I missed that so will re-try it.
The new build gave me this.

curl: (77) CA signer not available for verification

# opkg list-installed | grep -E "wget|ssl|cert"
libopenssl1.1 - 1.1.1l-1
libustream-openssl20201210 - 2020-12-10-68d09243-1
libwolfssl4.7.0.66253b90 - 4.7.0-stable-2

Are you possibly missing the cacertificates package?

And note that you can also tell curl to not check the certificate.

I'm not sure what I'm doing wrong at this point. I've commented out all of the packages you mentioned unless I'm missing one.

~# opkg list-installed | grep -E "wget|ssl|cert"
libopenssl1.1 - 1.1.1l-1
libustream-openssl20201210 - 2020-12-10-68d09243-1
libwolfssl4.7.0.66253b90 - 4.7.0-stable-2

I commented out libwolfssl but I now see the package name is libwolfssl4.7.0.66253b90.
I don't recall package names usually having versions as part of the name so I'll try as suggested.

libopenssl1.1
libustream-openssl20201210
libwolfssl4.7.0.66253b90

Trying again.

Specifying the cert or not gives the same result.

curl: (77)  CA signer not available for verification

Do you have the ca-bundle package installed?

Yes, it's installed. I cannot build now, the repo is constantly unavailable.

% opkg update
Downloading https://downloads.openwrt.org/releases/21.02.0/targets/ramips/mt76x8/packages/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/targets/ramips/mt76x8/packages/Packages.gz

No matter if I disable the package -libwolfssl4.7.0.66253b90 or -libwolfssl, it just keeps being installed.

Sorry, yes, using --insecure does work.
BTW, I'm using image builder, not source.

Server-side workaround on downloads.openwrt.org implemented; at least I am able to connect using a vanilla OpenWrt 21.02.0 x86/64 VM now.

2 Likes

Jow, not following. What is the server side workaround?

See the other threads...

This is nuts. I simply cannot prevent libwolfssl4.7.0.66253b90 from getting installed.

Should I start a new thread asking how I can remove libustream-wolfssl when using image builder? Nothing works so far. It's always added.

Let's close this as it will not be of any use to someone who comes across it. At this point, we know what happened so time to build a new version but that is now another question.

Thanks very much for all the help.

As an update, I went ahead and purchased a cert from GoDaddy.

I cannot get a build to work with any letsencrypt site and I've started a new post asking for help with that so I can get back to letsencrypt at some point.

% curl https://shop.bbc.com/
curl: (51) Cert verify failed: BADCERT_EXPIRED
% curl https://help.behance.net/
curl: (51) Cert verify failed: BADCERT_EXPIRED
% curl https://www.pinterest.com/
Works fine.

Posted on your other thread.

But in short, curl is linked to wolfssl. You will need to rebuild it too.

root@wrt:/tmp# ldd /usr/bin/curl
	/lib/ld-musl-armhf.so.1 (0xb6e9e000)
	libcurl.so.4 => /usr/lib/libcurl.so.4 (0xb6e49000)
	libnghttp2.so.14 => /usr/lib/libnghttp2.so.14 (0xb6e1a000)
	libwolfssl.so.4.7.0.66253b90 => /usr/lib/libwolfssl.so.4.7.0.66253b90 (0xb6ca4000)
	libgcc_s.so.1 => /lib/libgcc_s.so.1 (0xb6c88000)
	libc.so => /lib/ld-musl-armhf.so.1 (0xb6e9e000)
1 Like
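
The checks used in this thread (ldd on the binary, opkg list-installed for the TLS packages) can be scripted as below. This is an added example, not code from any poster or from OpenWrt; the function names are hypothetical and the sample input is constructed, abbreviated from the output quoted above.

```shell
#!/bin/sh
# Added example: find out which TLS library a binary is linked against and
# which TLS packages are installed. Function names are hypothetical.

# Constructed sample input, abbreviated from the output quoted in the thread.
SAMPLE_LDD='    /lib/ld-musl-armhf.so.1 (0xb6e9e000)
    libcurl.so.4 => /usr/lib/libcurl.so.4 (0xb6e49000)
    libwolfssl.so.4.7.0.66253b90 => /usr/lib/libwolfssl.so.4.7.0.66253b90 (0xb6ca4000)
    libc.so => /lib/ld-musl-armhf.so.1 (0xb6e9e000)'
SAMPLE_OPKG='libopenssl1.1 - 1.1.1l-1
libustream-openssl20201210 - 2020-12-10-68d09243-1
libwolfssl4.7.0.66253b90 - 4.7.0-stable-2'

# Read ldd output on stdin; print each TLS backend found, one per line.
tls_backends() {
    awk '{ lib = $1 }
         lib ~ /^libwolfssl\.so/               { print "wolfssl" }
         lib ~ /^lib(ssl|crypto)\.so/          { print "openssl" }
         lib ~ /^libmbed(tls|crypto|x509)\.so/ { print "mbedtls" }' | sort -u
}

# Read `opkg list-installed` output on stdin; print the exact names of the
# packages that belong to TLS library $1. The library package carries an ABI
# suffix in its name (libwolfssl4.7.0.66253b90), so the exact name matters.
tls_packages() {
    awk -v lib="$1" '$2 == "-" && index($1, lib) { print $1 }'
}

# Read `opkg list-installed` output on stdin; succeed (exit 0) when packages
# from more than one TLS library are installed side by side.
mixed_tls_stack() {
    n=$(awk '$1 ~ /wolfssl/ { w = 1 }
             $1 ~ /openssl/ { o = 1 }
             $1 ~ /mbedtls/ { m = 1 }
             END { print w + o + m }')
    [ "$n" -gt 1 ]
}

# Demo on the sample input. On a device, pipe the real commands instead:
#   ldd /usr/bin/curl | tls_backends
#   opkg list-installed | tls_packages wolfssl
printf '%s\n' "$SAMPLE_LDD"  | tls_backends
printf '%s\n' "$SAMPLE_OPKG" | tls_packages wolfssl
if printf '%s\n' "$SAMPLE_OPKG" | mixed_tls_stack; then
    echo "more than one TLS library is installed"
fi
```

A binary that still reports wolfssl here keeps pulling that library into the image as a dependency, which matches the conclusion in the thread that curl itself has to be rebuilt against OpenSSL.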

I am using the image builder, not source and I've not found any way to get past this so far.
I started a new question so as not to confuse whoever finds this one.

I can confirm that recompiling curl and using OpenSSL as the SSL lib works. Understandably, this isn't going to be a solution for everyone unfortunately.

1 Like