Cert verify failed: BADCERT_EXPIRED (Letsencrypt global root cert)

And note that you can also tell curl to not check the certificate.

I'm not sure what I'm doing wrong at this point. I've commented out all of the packages you mentioned unless I'm missing one.

~# opkg list-installed | grep -E "wget|ssl|cert"
libopenssl1.1 - 1.1.1l-1
libustream-openssl20201210 - 2020-12-10-68d09243-1
libwolfssl4.7.0.66253b90 - 4.7.0-stable-2

I commented out libwolfssl but I now see the package name is libwolfssl4.7.0.66253b90.
I don't recall package names usually having versions as part of the name so I'll try as suggested.


Trying again.

Specifying the cert or not gives the same result.

curl: (77)  CA signer not available for verification

Do you have the ca-bundle package installed?

Yes, it's installed. I cannot build now, the repo is constantly unavailable.

% opkg update
Downloading https://downloads.openwrt.org/releases/21.02.0/targets/ramips/mt76x8/packages/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/targets/ramips/mt76x8/packages/Packages.gz

No matter if I disable the package -libwolfssl4.7.0.66253b90 or -libwolfssl, it just keeps being installed.

Sorry, yes, using --insecure does work.
BTW, I'm using image builder, not source.

Server-side workaround on downloads.openwrt.org implemented; at least I am able to connect using a vanilla OpenWrt 21.02.0 x86/64 VM now.


Jow, not following. What is the server side workaround?

See the other threads...

This is nuts. I simply cannot prevent libwolfssl4.7.0.66253b90 from getting installed.

Should I start a new thread asking how I can remove libustream-wolfssl when using image builder? Nothing works so far. It's always added.

Let's close this as it will not be of any use to someone who comes across it. At this point, we know what happened so time to build a new version but that is now another question.

Thanks very much for all the help.

As an update, I went ahead and purchased a cert from GoDaddy.

I cannot get a build to work with any letsencrypt site and I've started a new post asking for help with that so I can get back to letsencrypt at some point.

% curl https://shop.bbc.com/
curl: (51) Cert verify failed: BADCERT_EXPIRED
% curl https://help.behance.net/
curl: (51) Cert verify failed: BADCERT_EXPIRED
% curl https://www.pinterest.com/
Works fine.

Posted on your other thread.

But in short, curl is linked to wolfssl. You will need to rebuild it too.

root@wrt:/tmp# ldd /usr/bin/curl
	/lib/ld-musl-armhf.so.1 (0xb6e9e000)
	libcurl.so.4 => /usr/lib/libcurl.so.4 (0xb6e49000)
	libnghttp2.so.14 => /usr/lib/libnghttp2.so.14 (0xb6e1a000)
	libwolfssl.so. => /usr/lib/libwolfssl.so. (0xb6ca4000)
	libgcc_s.so.1 => /lib/libgcc_s.so.1 (0xb6c88000)
	libc.so => /lib/ld-musl-armhf.so.1 (0xb6e9e000)

I am using the image builder, not source and I've not found any way to get past this so far.
I started a new question so as not to confuse whoever finds this one.

I can confirm that recompiling curl and using OpenSSL as the SSL lib works. Understandably, this isn't going to be a solution for everyone unfortunately.


Faced an analogous issue with dnscrypt-proxy:

Fri Oct  1 12:37:04 2021 daemon.err dnscrypt-proxy[6174]: dnscrypt-proxy Unable to retrieve server certificates
Fri Oct  1 12:37:05 2021 daemon.info dnscrypt-proxy[6174]: dnscrypt-proxy Refetching server certificates
Fri Oct  1 12:37:20 2021 daemon.err dnscrypt-proxy[6174]: dnscrypt-proxy Unable to retrieve server certificates
Fri Oct  1 12:37:23 2021 daemon.info dnscrypt-proxy[6174]: dnscrypt-proxy Refetching server certificates

I just installed openssl1.1 and the issue was gone:
opkg install libopenssl1.1

How can I close a post so that folks don't keep adding things that might be lost once the reader finds the 'solution'?

Another solution, which does not require making any changes on deployed devices:


I tried that using an LE thread I found but that didn't work for me. Not sure why.
