Hi, I'm having what seems to be the same problem described in SSL support in OpenWrt OPKG (wget) -- I'm running OpenWRT 21.02 (on generic x64 hardware), and opkg can't download from https://downloads.openwrt.org:
# opkg update Downloading https://downloads.openwrt.org/releases/21.02.0/targets/x86/64/packages/Packages.gz *** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/targets/x86/64/packages/Packages.gz Downloading https://downloads.openwrt.org/releases/21.02.0/packages/x86_64/base/Packages.gz *** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/packages/x86_64/base/Packages.gz Downloading https://downloads.openwrt.org/releases/21.02.0/packages/x86_64/luci/Packages.gz *** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/packages/x86_64/luci/Packages.gz Downloading https://downloads.openwrt.org/releases/21.02.0/packages/x86_64/packages/Packages.gz *** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/packages/x86_64/packages/Packages.gz Downloading https://downloads.openwrt.org/releases/21.02.0/packages/x86_64/routing/Packages.gz *** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/packages/x86_64/routing/Packages.gz Downloading https://downloads.openwrt.org/releases/21.02.0/packages/x86_64/telephony/Packages.gz *** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/packages/x86_64/telephony/Packages.gz Collected errors: * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.0/targets/x86/64/packages/Packages.gz, wget returned 5. * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.0/packages/x86_64/base/Packages.gz, wget returned 5. * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.0/packages/x86_64/luci/Packages.gz, wget returned 5. * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.0/packages/x86_64/packages/Packages.gz, wget returned 5. * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.0/packages/x86_64/routing/Packages.gz, wget returned 5. * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.0/packages/x86_64/telephony/Packages.gz, wget returned 5.
If I try to download one of the files myself using wget, I get this error:
# wget https://downloads.openwrt.org/releases/21.02.0/targets/x86/64/ packages/Packages.gz Downloading 'https://downloads.openwrt.org/releases/21.02.0/targets/x86/64/packages/Packages.gz' Connecting to 2a01:4f8:251:321::2:443 Connection error: Invalid SSL certificate
It seems to be using uclient-fetch as wget, libustream-wolfssl20201210 (/lib/libustream-ssl.so) is installed, as is ca-bundle (/etc/ssl/certs/ca-certificates.crt).
And it's not that it can't download from any https site: https://google.com and https://microsoft.com work. However, https://kernel.org also says "Invalid SSL certificate". Perhaps it's Let's Encrypt certificates that it's having problems with? https://www.ssllabs.com/ssltest/analyze.html?d=downloads.openwrt.org&s=22.214.171.124 shows two certification paths, one of which has an expired root CA certificate (DST Root CA X3 expired on 2021-09-30, which is today). However, there's another path rooted at ISRG Root X1, which is still valid. And the ca-certificates.crt file seems to have the ISRG Root X1 certificate in it, so I don't know why it's not being used. Maybe I'll try removing expired DST Root CA X3 cert from ca-certificates.crt and see if that fixes things. (opkg was working fine a few weeks ago; it seems very likely that the DST Root expiration is causing this)