Already tried completely removing the crt and doing a new one.
Configuring uhttpd.
4+0 records in
4+0 records out
Generating EC private key
Generating selfsigned certificate with subject '/C=ZZ/ST=Somewhere/L=Unknown/O=OpenWrt3ca99c2a/CN=OpenWrt' and validity 20210126103435-20230126103435
Also the default commandline downloader tool in OpenWrt (uclient-fetch, which is symlinked as "wget" as well if you didn't install wget) is able to download stuff ignoring the certificate, so you can use wget --no-check-certificate to work around this issue with that for now.
My OpenWrt builds are OpenSSL based, and curl, wget and uclient-fetch all succeed with the above examples. So this issue seems to be specific to wolfssl.
OpenWrt SNAPSHOT, r15618-56c20f0a5a
-----------------------------------------------------
root@router1:~# curl -I --insecure https://127.0.0.1
HTTP/1.1 200 OK
Connection: Keep-Alive
Keep-Alive: timeout=20
ETag: "a06-20a-60104774"
Last-Modified: Tue, 26 Jan 2021 16:46:44 GMT
Date: Tue, 26 Jan 2021 18:50:26 GMT
Content-Type: text/html
Content-Length: 522
root@router1:~# wget --no-check-certificate https://127.0.0.1
--2021-01-26 20:49:59-- https://127.0.0.1/
Connecting to 127.0.0.1:443... connected.
WARNING: cannot verify 127.0.0.1's certificate, issued by 'CN=OpenWrt,O=OpenWrt3c77dc87,L=Unknown,ST=Somewhere,C=ZZ':
Self-signed certificate encountered.
WARNING: certificate common name 'OpenWrt' doesn't match requested host name '127.0.0.1'.
HTTP request sent, awaiting response... 200 OK
Length: 522 [text/html]
Saving to: 'index.html'
index.html 100%[==========================================>] 522 --.-KB/s in 0s
2021-01-26 20:49:59 (7.12 MB/s) - 'index.html' saved [522/522]
root@router1:~# uclient-fetch --no-check-certificate -O- https://localhost/
Downloading 'https://localhost/'
Connecting to ::1:443
Writing to stdout
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
<meta http-equiv="refresh" content="0; URL=cgi-bin/luci/" />
</head>
<body style="background-color: white">
<a style="color: black; font-family: arial, helvetica, sans-serif;" href="cgi-bin/luci/">LuCI - Lua Configuration Interface</a>
</body>
</html>
- 100% |*******************************| 522 0:00:00 ETA
Download completed (522 bytes)
Looking at the wolfssl sources, the explanation for that error is:
case ASN_SIG_OID_E :
return "ASN signature error, mismatched oid";
Returned if the signature encryption type is not the same as the encryption type of the certificate in the provided file
In my openssl-generated key, both the cert and signature are made with the same crypto algorithm:
If you follow through the code apacar wrote, it looks correct... But I'm kind of tired and just looked if the type and signature is correct. I think I need to add more debug output to see what is happening. But I also tried RSA and that did not work either.
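The "mismatched oid" text quoted above refers to the signature algorithm recorded in the certificate. As an added example (not code from this thread or from wolfSSL), the Python below reads the two signature-algorithm OIDs a DER certificate carries, which RFC 5280 requires to be identical, so a generated certificate can be checked for that mismatch. That ASN_SIG_OID_E corresponds to exactly this comparison is an assumption; all function names are hypothetical and the certificate skeletons are constructed test input.

```python
# Added example: inner vs. outer signature-algorithm OID of a DER certificate.
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0   # first byte packs two arcs
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)    # base-128 digits, high bit = more follow
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def alg_oid(buf, pos):
    """OID string of the AlgorithmIdentifier SEQUENCE starting at pos."""
    tag, start, _ = read_tlv(buf, pos)
    oid_tag, s, e = read_tlv(buf, start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an AlgorithmIdentifier")
    return decode_oid(buf[s:e])

def signature_oids(der):
    """Return (tbsCertificate.signature, Certificate.signatureAlgorithm)."""
    _, cert_start, _ = read_tlv(der, 0)
    _, tbs_start, tbs_end = read_tlv(der, cert_start)
    tag, _, end = read_tlv(der, tbs_start)
    if tag == 0xA0:                      # optional [0] version precedes the serial
        tag, _, end = read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber not found")
    return alg_oid(der, end), alg_oid(der, tbs_end)

def tlv(tag, body):                      # test-input helper, bodies under 256 bytes
    size = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + size + body

EC_SHA256 = bytes.fromhex("2a8648ce3d040302")      # ecdsa-with-SHA256
RSA_SHA256 = bytes.fromhex("2a864886f70d01010b")   # sha256WithRSAEncryption

def skeleton_cert(inner, outer):
    """Constructed test input: certificate-shaped DER, other fields are filler."""
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + tlv(0x30, tlv(0x06, inner)) + tlv(0x04, bytes(150)))
    return tlv(0x30, tbs + tlv(0x30, tlv(0x06, outer)) + tlv(0x03, bytes(9)))
```

`signature_oids` expects DER bytes; a PEM file has to be base64-decoded first.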