Opkg update fails. wget can download from http but not https

tl;dr;

  1. opkg update fails (wget error 4)
  2. But I can download from http://downloads.openwrt.org - using wget
  3. Changing /etc/opkg/distfeeds.conf URLs all from https to http still doesn't work (wget error 8)
  4. Other https URLs/domains download correctly
  5. IPv6 has been disabled everywhere: /etc/config/network, /etc/config/dhcp
  6. WAN and WAN6 interfaces have been removed
  7. Followed 'dumb AP' OpenWrt guide
  8. Firewall and DHCP are disabled
  9. LAN is set as a DHCP client
  10. DNS is set to the correct server
  11. Gateway is set correctly
  12. Using very latest 21.02.2 OpenWrt release
  13. I've read countless posts online and in the forum but those suggestions don't work for my situation

Any ideas? Thanks for the help in advance.

Full post:
I have three TP-Link Archer C7 v2 that I'm using as dumb APs. Two work perfectly fine, but one can't do opkg update. This is the error message I received:

Collected errors:
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.2/targets/ath79/generic/packages/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.2/packages/mips_24kc/base/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.2/packages/mips_24kc/luci/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.2/packages/mips_24kc/packages/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.2/packages/mips_24kc/routing/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.2/packages/mips_24kc/telephony/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

This is the error when I try wget over https.

Downloading 'https://downloads.openwrt.org'
Connecting to 176.9.48.73:443
Connection error: Connection failed

Switching it to http (http://downloads.openwrt.org) works - for wget.

I tried changing the /etc/opkg/distfeeds.conf URLs from https to http. When I run opkg update again I get wget error 8 instead of 4. I can download with wget over https with other domains/urls fine though. ca-bundle is installed but not ca-certificates.

I disabled every IPv6 thing I can find. Removed all the interfaces except the LAN one. The LAN is configured as a DHCP client. I tried bypassing IPv6 with wget by using wget -4, but it didn't work. It is getting the correct DNS and gateway via DHCP.

Even though I've disabled everything IPv6 I do still see IPv6 IPs when I do ip addr:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether f4:f2:6d:9c:23:b7 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP qlen 1000
    link/ether f4:f2:6d:9c:23:b6 brd ff:ff:ff:ff:ff:ff
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether f4:f2:6d:9c:23:b6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fe80::f6f2:6dff:fe9c:23b6/64 scope link
       valid_lft forever preferred_lft forever
12: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether f4:f2:6d:9c:23:b6 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f6f2:6dff:fe9c:23b6/64 scope link
       valid_lft forever preferred_lft forever
13: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether f4:f2:6d:9c:23:b5 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f6f2:6dff:fe9c:23b5/64 scope link
       valid_lft forever preferred_lft forever
14: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether f6:f2:6d:9c:23:b5 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f4f2:6dff:fe9c:23b5/64 scope link
       valid_lft forever preferred_lft forever

Connect via ssh and run:

sed -i 's,https,http,g' /etc/opkg/distfeeds.conf;
opkg update; opkg list-upgradable;
# opkg restore # or upgrade available packages #
sed -i 's,http,https,g' /etc/opkg/distfeeds.conf;
opkg update;

If you're using something like WireGuard, try whitelisting downloads.openwrt.org

Check the date/time on the one that's failing. HTTPS needs encryption. If the date/time is wrong then SSL info will be wrong. (It's why NTP updates should be run unencrypted to set your time before using encrypted DNS.)

(edit)
Create this file: /etc/hotplug.d/ntp/20-ntpd-logger

#!/bin/sh
# Log ntpd hotplug events ("step" and "stratum") to syslog.
[ "$ACTION" = "step" ]    && logger -t ntpd "Time set, stratum=$stratum interval=$poll_interval offset=$offset"
[ "$ACTION" = "stratum" ] && logger -t ntpd "Stratum change, stratum=$stratum interval=$poll_interval offset=$offset"

And now ntpd will log to your syslog so you can see updates like this

Thu Apr 21 17:04:16 2022 user.notice ntpd: Stratum change, stratum=3 interval=1 offset=0.806760
Thu Apr 21 17:04:16 2022 user.notice ntpd: Stratum change, stratum=2 interval=1 offset=0.807366
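As an added example (not part of any post in this thread), the syslog lines written by the 20-ntpd-logger script above can be scanned for large clock corrections, which show that the clock was wrong before ntpd fixed it. The names large_offsets, count_large_offsets and SAMPLE_LOG are hypothetical, and the sample lines are constructed in the format shown above.

```shell
#!/bin/sh
# Added example: find ntpd log entries whose clock offset exceeds a threshold.

# Constructed sample lines in the format produced by 20-ntpd-logger.
SAMPLE_LOG='Thu Apr 21 17:03:35 2022 user.notice ntpd: Time set, stratum=3 interval=1 offset=1650560575.402118
Thu Apr 21 17:04:16 2022 user.notice ntpd: Stratum change, stratum=3 interval=1 offset=0.806760
Thu Apr 21 17:04:16 2022 user.notice ntpd: Stratum change, stratum=2 interval=1 offset=0.807366
Thu Apr 21 18:10:02 2022 user.notice ntpd: Time set, stratum=2 interval=4 offset=-7200.013200'

# large_offsets THRESHOLD_SECONDS
# Reads log lines on stdin and prints "event|offset|timestamp" for every ntpd
# line whose absolute offset (in seconds) is greater than the threshold.
large_offsets() {
    awk -v limit="$1" '
        / ntpd: / && match($0, /offset=-?[0-9]+(\.[0-9]+)?/) {
            # "offset=" is 7 characters long; the number follows it.
            off = substr($0, RSTART + 7, RLENGTH - 7) + 0
            mag = (off < 0) ? -off : off
            if (mag <= limit) next
            event = ($0 ~ /Time set/) ? "step" : "stratum"
            ts = $0
            sub(/ [a-z0-9]+\.[a-z]+ ntpd: .*/, "", ts)   # keep only the timestamp
            printf "%s|%.0f|%s\n", event, off, ts
        }'
}

# count_large_offsets THRESHOLD_SECONDS
# Prints how many lines on stdin exceed the threshold.
count_large_offsets() {
    large_offsets "$1" | wc -l | tr -d ' '
}

# Stand-alone run on the constructed sample: report corrections over one hour.
printf '%s\n' "$SAMPLE_LOG" | large_offsets 3600
```

On the router itself the same function can read the live log with `logread | large_offsets 3600`.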