I see two options:
1. Upgrade all wolfssl libs to handle the new ISRG X1 root certificates gracefully.
   (these can be upgraded using the temporary --no-check-certificate switch in opkg)
2. Change the default ssl libs to openssl in the installation images.
   (this requires an image upgrade and possibly interrupts operations on a wider scale)
I don't know which option can be implemented faster (in the long term I would prefer a return to openssl as this is standard).
Works now. Needed to stage libustream-openssl to /tmp because removing the wolfssl version disables ssl support. Besides that, if space is available, switching was relatively easy.
My problem is different. I'm not able to reach any of these remote devices so am testing on a local one. I rebuilt the firmware using 19.07.7 and now have openssl 1.1 but the problem remains.
What's going on? That's confusing based on the input so far.
Also, asking again, is there some way to fake the X1 on the server so that the devices can communicate again? If so, I could then remotely upgrade them once I solve why the openssl 1.1 is not working.
You mean, fake a major global root cert so well that the certs signed with the original one authenticate right against your fake? Sounds like that would mean cracking the global SSL trust base...
Easier might be turning the servers' and clients' clock backward to yesterday, so that the cert would still be valid (as it would not have been expired yet). But that would naturally mean reaching the device.
Easiest quick solution is probably changing the certs installed at the servers to something from some other provider than letsencrypt, assuming that the verification chain to the new cert is found in the ca-bundle in your devices.
I don't mean in any way cracking anything. I mean using one of their legit certs, maybe an intermediate, something on the server that would allow the devices to communicate again.
As I mentioned, I have zero access to the devices, they are remote.
The only thing installed on the devices is the ca-certificates package, nothing else, nothing special at least.
CONFIG_PACKAGE_wpad-openssl=y
# CONFIG_PACKAGE_wpad-basic-wolfssl is not set
# CONFIG_PACKAGE_libustream-wolfssl is not set
# CONFIG_PACKAGE_libwolfssl is not set
Yes, you need to disable all default wolfssl things if you want only openssl based
I commented out libwolfssl but I now see the package name is libwolfssl4.7.0.66253b90.
I don't recall package names usually having versions as part of the name so I'll try as suggested.
libopenssl1.1
libustream-openssl20201210
libwolfssl4.7.0.66253b90
Trying again.
Specifying the cert or not gives the same result.
curl: (77) CA signer not available for verification