Cert verify failed: BADCERT_EXPIRED (Letsencrypt global root cert)

I see two options:

  • Upgrade all wolfssl libs to handle the new ISRG X1 root certificates gracefully (these can be upgraded using the temporary --no-check-certificate switch in opkg).
  • Change the default ssl libs to openssl in the installation images (this requires an image upgrade and possibly interrupts operations on a wider scale).

I don't know which option can be implemented faster (in the long term I would prefer a return to openssl as this is standard)

I updated a local device and it still doesn't work.
19.07.7-ramips-mt300n-v2

% opkg list-installed | grep -E "wget|ssl|cert"
libopenssl1.1 - 1.1.1l-1
libustream-openssl20150806 - 2020-03-13-40b563b1-1

Cert verify failed: BADCERT_EXPIRED

I updated a 21.02.0 device by:

  • removing luci-ssl and libustream-wolfssl
  • installing libopenssl, libustream-openssl and luci-ssl-openssl

root@OpenWRT:~# opkg list-installed | grep -E "wget|ssl|cert"
libopenssl-conf - 1.1.1l-1
libopenssl1.1 - 1.1.1l-1
libustream-openssl20201210 - 2020-12-10-68d09243-1
libwolfssl4.7.0.66253b90 - 4.7.0-stable-2
luci-ssl-openssl - git-17.031.53232-b6341bd
openssl-util - 1.1.1l-1
px5g-wolfssl - 3
wpad-basic-wolfssl - 2020-06-08-5a8b3662-35

Works now. Needed to stage libustream-openssl to /tmp because removing the wolfssl version disables ssl support. Besides that, if space is available, switching was relatively easy.


My problem is different. I'm not able to reach any of these remote devices so I am testing on a local one. I rebuilt the firmware using 19.07.7 and now have openssl 1.1 but the problem remains.

What's going on? That's confusing based on the input so far.

Also, asking again, is there some way to fake the X1 on the server so that the devices can communicate again? If so, I could then remotely upgrade them once I solve why the openssl 1.1 is not working.

You might try getting a newer ca-bundle or ca-certificates from 21.02 or master.
I think that 19.07 has a somewhat older list of root certs.

You mean, fake a major global root cert so well, that the certs signed with the original one authenticate right against your fake? Sounds like that would mean cracking global SSL trust base...

Easier might be turning the servers' and clients' clock backward to yesterday, so that the cert would still be valid (as it would not have been expired yet). But that would naturally mean reaching the device.

Easiest quick solution is probably changing the certs installed at the servers to something from some other provider than letsencrypt, assuming that the verification chain to the new cert is found in the ca-bundle in your devices.
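Whether the verification chain hnyman mentions is actually in the device's bundle (is the old root still present and already expired, is ISRG Root X1 there at all) can be checked without openssl on the box. The following is an added example, not code from this thread, from OpenWrt or from wolfSSL: a small DER walker in Python that lists each certificate's subject CN and notAfter and flags the expired ones. The two certificates it scans are constructed stand-ins built by a tiny DER encoder; only their subject names and validity dates (those of the public DST Root CA X3 and ISRG Root X1 roots) are meaningful, keys and signatures are placeholders. Pointing `scan_bundle()` at the device's own bundle file is left to the reader; the path /etc/ssl/certs/ca-certificates.crt is assumed to be where the ca-bundle package installs it.

```python
import base64
import re
from datetime import datetime, timezone

CN_OID = b"\x55\x04\x03"   # id-at-commonName (2.5.4.3)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _utc(text):
    """'YYYY-MM-DD HH:MM:SS' -> timezone-aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def _read_tlv(buf, pos):
    """Decode the DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV packed inside [start, end)."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def _parse_time(tag, raw):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) -> UTC datetime."""
    s = raw.decode("ascii")
    if tag == 0x17:                       # RFC 5280: two-digit years below 50 mean 20xx
        s = ("20" if int(s[:2]) < 50 else "19") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def _common_name(buf, start, end):
    """Walk a Name (SEQUENCE of SET of AttributeTypeAndValue) and return its CN."""
    for _, rdn_s, rdn_e in _children(buf, start, end):
        for _, atv_s, atv_e in _children(buf, rdn_s, rdn_e):
            (_, oid_s, oid_e), (_, val_s, val_e) = list(_children(buf, atv_s, atv_e))
            if buf[oid_s:oid_e] == CN_OID:
                return buf[val_s:val_e].decode("utf-8", "replace")
    return None

def cert_info(der):
    """Return {'cn', 'not_before', 'not_after'} for one DER-encoded certificate."""
    _, tbs_start, _ = _read_tlv(der, 0)           # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, s, e = _read_tlv(der, tbs_start)           # tbsCertificate ::= SEQUENCE { ... }
    fields = list(_children(der, s, e))
    if fields[0][0] == 0xA0:                      # skip the optional explicit [0] version
        fields = fields[1:]
    validity, subject = fields[3], fields[4]      # serial, sigAlg, issuer, validity, subject, ...
    times = [_parse_time(t, der[a:b]) for t, a, b in _children(der, validity[1], validity[2])]
    return {"cn": _common_name(der, subject[1], subject[2]), "not_before": times[0], "not_after": times[1]}

def scan_bundle(pem_text, now):
    """Parse every certificate in a PEM bundle and flag expiry; 'now' is 'YYYY-MM-DD HH:MM:SS' UTC."""
    ref, report = _utc(now), []
    for b64 in PEM_RE.findall(pem_text):
        info = cert_info(base64.b64decode("".join(b64.split())))
        info["expired"] = info["not_after"] < ref
        report.append(info)
    return report

def has_valid_root(report, cn):
    """True if a certificate with this CN is in the bundle and has not expired."""
    return any(r["cn"] == cn and not r["expired"] for r in report)

# Tiny DER encoder, used only to build the constructed, unsigned stand-in certificates below.
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_time(dt):                             # RFC 5280: UTCTime through 2049, GeneralizedTime after
    fmt, tag = ("%y%m%d%H%M%SZ", 0x17) if dt.year < 2050 else ("%Y%m%d%H%M%SZ", 0x18)
    return _der(tag, dt.strftime(fmt).encode())

def make_test_cert(cn, not_before, not_after):
    """Structurally valid but unsigned certificate: only CN and validity carry meaning (constructed)."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, CN_OID) + _der(0x13, cn.encode()))))
    validity = _der(0x30, _encode_time(_utc(not_before)) + _encode_time(_utc(not_after)))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
    spki = _der(0x30, alg + _der(0x03, b"\x00"))                                          # placeholder key
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name + validity + name + spki)
    b64 = base64.b64encode(_der(0x30, tbs + alg + _der(0x03, b"\x00"))).decode()        # empty signature
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Names and validity dates match the public DST Root CA X3 and ISRG Root X1 roots; the rest is synthetic.
SAMPLE_BUNDLE = (make_test_cert("DST Root CA X3", "2000-09-30 21:12:19", "2021-09-30 14:01:15")
                 + make_test_cert("ISRG Root X1", "2015-06-04 11:04:38", "2035-06-04 11:04:38"))

def run_sample():
    """Scan the constructed bundle as of 2021-10-01, the day after DST Root CA X3 expired."""
    return scan_bundle(SAMPLE_BUNDLE, "2021-10-01 00:00:00")

if __name__ == "__main__":
    for r in run_sample():
        print(("EXPIRED" if r["expired"] else "ok     "), f"{r['not_after']:%Y-%m-%d}", r["cn"])
```

The parser deliberately stops at the subject and validity fields, so it never needs to decode keys, extensions or signatures, which is what keeps it small enough to run on a busybox-class device with only python3-light. It reports what a bundle contains; it does not say which root a given client library will actually pick, which is the wolfSSL-specific part of this thread.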

Ok, I'll rebuild using the 21.02.0.

I don't mean in any way cracking anything. I mean using one of their legit certs, maybe an intermediate, something on the server that would allow the devices to communicate again.

As I mentioned, I have zero access to the devices, they are remote.
The only thing installed on the devices is the ca-certificates package, nothing else, nothing special at least.

Hmm, using 21.02.0, I get this right from the start.


Collected errors:
 * check_data_file_clashes: Package libustream-wolfssl20201210 wants to install file /21.02.0-ramips-mt300n-v2/build_dir/target-mipsel_24kc_musl/root-ramips/lib/libustream-ssl.so
        But that file is already provided by package  * libustream-openssl20201210
 * opkg_install_cmd: Cannot install package libustream-wolfssl.
 * check_data_file_clashes: Package wpad-basic-wolfssl wants to install file /21.02.0-ramips-mt300n-v2/build_dir/target-mipsel_24kc_musl/root-ramips/usr/sbin/wpa_supplicant
        But that file is already provided by package  * wpa-supplicant
 * opkg_install_cmd: Cannot install package wpad-basic-wolfssl.
make[2]: *** [Makefile:167: package_install] Error 255
make[1]: *** [Makefile:122: _call_image] Error 2
make: *** [Makefile:240: image] Error 2


You get that if you try installing both wolfssl and openssl versions of the libustream package.

If you want only openssl, then e.g. select luci-ssl-openssl instead of luci-ssl (with wolfssl). Same goes for hostapd/wpad variants...

I don't use luci on these things so not sure how to get past this.

wpad-basic-openssl

You may need to deselect some default packages like wpad-basic-wolfssl.

See example in Libustream-wolfssl clashing with libustream-openssl - #3 by hnyman

I disabled that as you suggested.
Closer.

Collected errors:
 * check_data_file_clashes: Package libustream-wolfssl20201210 wants to install file /21.02.0-ramips-mt300n-v2/build_dir/target-mipsel_24kc_musl/root-ramips/lib/libustream-sso
        But that file is already provided by package  * libustream-openssl20201210
 * opkg_install_cmd: Cannot install package libustream-wolfssl.
make[2]: *** [Makefile:167: package_install] Error 255
make[1]: *** [Makefile:122: _call_image] Error 2
make: *** [Makefile:240: image] Error 2

The devices do not have luci but do support wireless so I need to build with that in mind.
I guess I need to disable libustream-wolfssl next?

That worked and writing to device to see if everything is there.


Did you read that example that I linked?

CONFIG_PACKAGE_wpad-openssl=y
# CONFIG_PACKAGE_wpad-basic-wolfssl is not set
# CONFIG_PACKAGE_libustream-wolfssl is not set
# CONFIG_PACKAGE_libwolfssl is not set

Yes, you need to disable all default wolfssl things if you want only openssl-based packages.

Edit: Ok, you got it working.

I missed that so will re-try it.
The new build gave me this.

curl: (77) CA signer not available for verification

# opkg list-installed | grep -E "wget|ssl|cert"
libopenssl1.1 - 1.1.1l-1
libustream-openssl20201210 - 2020-12-10-68d09243-1
libwolfssl4.7.0.66253b90 - 4.7.0-stable-2

Are you possibly missing the ca-certificates package?

And note that you can also tell curl to not check the certificate.

I'm not sure what I'm doing wrong at this point. I've commented out all of the packages you mentioned unless I'm missing one.

~# opkg list-installed | grep -E "wget|ssl|cert"
libopenssl1.1 - 1.1.1l-1
libustream-openssl20201210 - 2020-12-10-68d09243-1
libwolfssl4.7.0.66253b90 - 4.7.0-stable-2

I commented out libwolfssl but I now see the package name is libwolfssl4.7.0.66253b90.
I don't recall package names usually having versions as part of the name so I'll try as suggested.

libopenssl1.1
libustream-openssl20201210
libwolfssl4.7.0.66253b90

Trying again.

Specifying the cert or not gives the same result.

curl: (77)  CA signer not available for verification

Do you have the ca-bundle package installed?