Opkg --no-check-certificate update doesn't work

I installed the current release on a Raspberry Pi 4B. Yesterday I was able to update the software list from LuCI and the command line. Today that doesn't work. It has to do with ca-certificate. I've been reading the forum and a bug report that say to use the --no-check-certificate option. But that gives the error below. I was trying to update so that ca-bundle was up to date. How can I get this to work?

> opkg --no-check-certificate update
> Downloading https://downloads.openwrt.org/releases/21.02.1/targets/bcm27xx/bcm2711/packages/Packages.gz
> *** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.1/targets/bcm27xx/bcm2711/packages/Packages.gz
> 
> Downloading https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/base/Packages.gz
> *** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/base/Packages.gz
> 
> Downloading https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/luci/Packages.gz
> *** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/luci/Packages.gz
> 
> Downloading https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/packages/Packages.gz
> *** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/packages/Packages.gz
> 
> Downloading https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/routing/Packages.gz
> *** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/routing/Packages.gz
> 
> Downloading https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/telephony/Packages.gz
> *** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/telephony/Packages.gz
> 
> Collected errors:
>  * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.1/targets/bcm27xx/bcm2711/packages/Packages.gz, wget returned 8.
>  * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/base/Packages.gz, wget returned 8.
>  * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/luci/Packages.gz, wget returned 8.
>  * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/packages/Packages.gz, wget returned 8.
>  * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/routing/Packages.gz, wget returned 8.
>  * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/telephony/Packages.gz, wget returned 8.

What happens if you ping downloads.openwrt.org (from an ssh session into the router)?

That works. But opkg quit working.

When was it last working? What changed between then and now?

It worked yesterday. Apparently, the ca-certificate expired. I've made no changes since yesterday.

Back on September 30, the root cert expired, but that was resolved within a day or two.

What version of OpenWrt are you using?

I installed it 2 days ago. It says this:

|Model|Raspberry Pi 4 Model B Rev 1.1|
|---|---|
|Architecture|ARMv8 Processor rev 3|
|Firmware Version|OpenWrt 21.02.1 r16325-88151b8303 / LuCI openwrt-21.02 branch git-21.295.67054-13df80d|
|Kernel Version|5.4.154|

That is the current version.

What errors do you get if you don't specify no-check-certificate?

Is your date and time set properly on the Pi?

The date/time:
Local Time 2021-11-14 17:26:07

Errors without --no-check-certificate:

> Collected errors:
>  * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.1/targets/bcm27xx/bcm2711/packages/Packages.gz, wget returned 5.
>  * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/base/Packages.gz, wget returned 5.
>  * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/luci/Packages.gz, wget returned 5.
>  * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/packages/Packages.gz, wget returned 5.
>  * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/routing/Packages.gz, wget returned 5.
>  * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/telephony/Packages.gz, wget returned 5.

I also read about using 'opkg files whatever' but that gave similar errors.

Look at your network configuration: gateway, DNS.

As a test, ping google.fr, for example.

The link for downloads.openwrt.org/releases/21.02.1/targets/bcm27xx/bcm2711/packages is good.

Under network/diagnostics/ping test:

PING google.fr (74.125.21.94): 56 data bytes
64 bytes from 74.125.21.94: seq=0 ttl=105 time=14.067 ms
64 bytes from 74.125.21.94: seq=1 ttl=105 time=12.915 ms
64 bytes from 74.125.21.94: seq=2 ttl=105 time=13.267 ms
64 bytes from 74.125.21.94: seq=3 ttl=105 time=14.143 ms
64 bytes from 74.125.21.94: seq=4 ttl=105 time=13.027 ms

--- google.fr ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 12.915/13.483/14.143 ms

What was the last thing you installed (or upgraded) when you last used the opkg package manager?

I believe that the only things that I've installed are these:

htop
iftop
vim
speedtest-netperf

I think that after speedtest-netperf I did not run opkg again (yesterday).

Nothing there that would be likely to break opkg.

Silly question -- have you tried restarting the pi?

Yes, I did that too.

Are you able to download any of those lists using a host behind your pi?

I just tried it from my test computer behind the pi and it worked fine.

wget downloads.openwrt.org/releases/21.02.1/targets/bcm27xx/bcm2711/packages/Packages.gz

I also checked to make sure the default route was to the pi. It also works from in front of the pi.

From the command line on the pi:
opkg -V=4 --no-check-certificate update returns wget error 8.

It seems that the ca-certificate stuff is not working. Is there a way to fix that or should I just re-install? But I have no idea why --no-check-certificate doesn't work.

Yeah, that's what I'm thinking will be the best option. I don't know why you've run into these issues.
Make a backup first, of course. Then start fresh. Test opkg and see if you can get the package lists properly. Assuming that is working (and it should), restore your backup and test again, and finally re-install your user-installed packages and test once more. If it fails at any point along the way, hopefully we can identify the true cause.

OK. I'll do that and let you know.
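
Added example, not part of the thread: the two runs above fail with different wget exit statuses (5 with certificate checking, 8 with --no-check-certificate). This sketch tallies the statuses in opkg's "Collected errors" lines and reports whether certificate validation is the failing step. The meanings come from the GNU wget manual, the function names are hypothetical, the sample lines are copied from the output above, and it assumes the wget called by opkg uses the same status numbering.

```shell
#!/bin/sh
# Meanings as documented in the GNU wget manual ("Exit Status").
# Assumption: the wget that opkg calls uses the same numbering.
wget_status_meaning() {
    case "$1" in
        4) echo "network failure" ;;
        5) echo "SSL verification failure" ;;
        8) echo "server issued an error response" ;;
        *) echo "other, see the wget manual" ;;
    esac
}

# Read opkg output on stdin (forum "> " quoting is tolerated) and print
# one line per status: "<status> <count> <meaning>".
summarise_opkg_errors() {
    sed -n 's/.*opkg_download: Failed to download .*, wget returned \([0-9][0-9]*\)\.[[:space:]]*$/\1/p' |
        sort -n | uniq -c |
        while read -r count status; do
            echo "$status $count $(wget_status_meaning "$status")"
        done
}

# Decide whether certificate validation is the step that fails.
# Status 5 is the one wget uses for TLS verification failures.
cert_verdict() {
    summary=$(summarise_opkg_errors)
    if [ -z "$summary" ]; then
        echo "no download errors"
    elif echo "$summary" | grep -q '^5 '; then
        echo "certificate validation is failing"
    else
        echo "failure is not certificate validation"
    fi
}

# Sample lines copied from the thread, two per run.
sample_with_check() { cat <<'EOF'
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/base/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/luci/Packages.gz, wget returned 5.
EOF
}
sample_no_check() { cat <<'EOF'
>  * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/base/Packages.gz, wget returned 8.
>  * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.1/packages/aarch64_cortex-a72/luci/Packages.gz, wget returned 8.
EOF
}

sample_with_check | cert_verdict
sample_no_check | cert_verdict
```

On a router, pipe the real output in instead of the samples, for example `opkg update 2>&1 | cert_verdict`.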