Opkg update SSL error

I am running 24.10 and am 95% sure I have run opkg update before (or at least clicked on "Update List" in LuCI), but suddenly today I am getting an error when I run opkg update either way.
It says that the SSL certificate is either self-signed or not signed by a trusted CA.

root@OpenWrt:~# opkg update
Downloading https://downloads.openwrt.org/releases/24.10.0/targets/bcm27xx/bcm2711/packages/Packages.gz
SSL verify error: certificate is self-signed or not signed by a trusted CA
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.0/targets/bcm27xx/bcm2711/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a72/base/Packages.gz
SSL verify error: certificate is self-signed or not signed by a trusted CA
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a72/base/Packages.gz

Downloading https://downloads.openwrt.org/releases/24.10.0/targets/bcm27xx/bcm2711/kmods/6.6.73-1-2577896cea679d46fe670142cc9703c1/Packages.gz
SSL verify error: certificate is self-signed or not signed by a trusted CA
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.0/targets/bcm27xx/bcm2711/kmods/6.6.73-1-2577896cea679d46fe670142cc9703c1/Packages.gz

Downloading https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a72/luci/Packages.gz
SSL verify error: certificate is self-signed or not signed by a trusted CA
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a72/luci/Packages.gz

Downloading https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a72/packages/Packages.gz
SSL verify error: certificate is self-signed or not signed by a trusted CA
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a72/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a72/routing/Packages.gz
SSL verify error: certificate is self-signed or not signed by a trusted CA
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a72/routing/Packages.gz

Downloading https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a72/telephony/Packages.gz
SSL verify error: certificate is self-signed or not signed by a trusted CA
SSL verify error: certificate is self-signed or not signed by a trusted CA
*** Failed to download the package list from https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a72/telephony/Packages.gz

Collected errors:
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.0/targets/bcm27xx/bcm2711/packages/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a72/base/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.0/targets/bcm27xx/bcm2711/kmods/6.6.73-1-2577896cea679d46fe670142cc9703c1/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a72/luci/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a72/packages/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a72/routing/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/24.10.0/packages/aarch64_cortex-a72/telephony/Packages.gz, wget returned 5.

Looks like I have openssl libraries installed just in case that was missing:

root@OpenWrt:~# opkg list-installed | grep ssl
libopenssl-conf - 3.0.16-r1
libopenssl3 - 3.0.16-r1
nginx-ssl - 1.26.1-r1
nginx-ssl-util - 1.7-r1
openssl-util - 3.0.16-r1

It does update if I use --no-check-certificate, but I'd think it should work without it. BTW, yes, when I enter the URL in a browser I get a perfectly acceptable certificate and no browser warnings or anything.

Any help would be appreciated.

Issues like this can occur if the system clock is off by more than a few minutes. Is the clock on that OpenWrt device synchronized?
The date CLI command or the "Local Time" line in the LuCI status page should show the correct time. If it is off, then update the time through NTP, the browser, or the command line.

Yep, time is synced to NTP and looks good to me. Accurate within a second or so of my laptop as well.
I did go ahead and resync it and try it again but it errored out just the same.

I don't know if it is an appropriate check for the certificate issue, but this is what I tried, plus some info:
I was successful with a wget of your first file on my OpenWrt device:

cd /tmp
wget https://downloads.openwrt.org/releases/24.10.0/targets/bcm27xx/bcm2711/packages/Packages.gz >test.gz
Downloading 'https://downloads.openwrt.org/releases/24.10.0/targets/bcm27xx/bcm2711/packages/Packages.gz'
Connecting to 151.101.2.132:443
Writing to 'Packages.gz'
Packages.gz          100% |*******************************|  9467   0:00:00 ETA
Download completed (9467 bytes)

nslookup shows the following server info:

nslookup downloads.openwrt.org.
Server:		127.0.0.1
Address:	127.0.0.1:53

Non-authoritative answer:
downloads.openwrt.org	canonical name = dualstack.j.sni.global.fastly.net
Name:	dualstack.j.sni.global.fastly.net
Address: 151.101.194.132
Name:	dualstack.j.sni.global.fastly.net
Address: 151.101.2.132
Name:	dualstack.j.sni.global.fastly.net
Address: 151.101.66.132
Name:	dualstack.j.sni.global.fastly.net
Address: 151.101.130.132

Non-authoritative answer:
downloads.openwrt.org	canonical name = dualstack.j.sni.global.fastly.net
Name:	dualstack.j.sni.global.fastly.net
Address: 2a04:4e42:600::644
Name:	dualstack.j.sni.global.fastly.net
Address: 2a04:4e42::644
Name:	dualstack.j.sni.global.fastly.net
Address: 2a04:4e42:200::644
Name:	dualstack.j.sni.global.fastly.net
Address: 2a04:4e42:400::644

I wonder if there is a bad certificate cached for the Fastly server for your geographic area, although you said it worked on your PC. If your network setup is such that your PC and your router use the same public IP address, then the Fastly load balancer might connect you to the same server, but it could use other info as well, so that is not a guarantee.

My ISP is IPv4 only, but if your setup is dual stack then try wget with the IP version set explicitly. That has been a solution for others in a similar situation. If that works, then search the forum for more info on how to proceed from there.

Thanks for the help. I tried wget like you and got the same error.

Downloading 'https://downloads.openwrt.org/releases/24.10.0/targets/bcm27xx/bcm2711/packages/Packages.gz'
Connecting to 151.101.2.132:443
SSL verify error: certificate is self-signed or not signed by a trusted CA
Connection error: Invalid SSL certificate

When I get some time later I was going to try this and see if it helps by reinstalling some of the packages.

Since it seems like your device is the only thing having the problem, I'm also wondering if the certificate store on your system has been modified. The inability to verify certificates can be an issue on the local side, where the local copy of the root/CA certificates is bad, so the check of the server certificate fails even though the web server certificate is good.

The local certificate store may be at /etc/ssl/certs/ca-certificates.crt. That file should probably have the same date as most other files unmodified since build/installation time, like the default apps in /bin, unless you or an installed package intentionally replaced or updated it.

It looks like you have the openssl CLI tools installed (openssl-util - 3.0.16-r1), so you can parse and analyze the certs in that file as well as the full cert chain presented by https://downloads.openwrt.org. You could also copy the CA certificate store to your PC and evaluate it there. I don't know how programs like uclient-fetch find the cert store, but making sure the file exists in the correct spot and is good would be useful.

There might be some help on that on this forum, but there definitely is info on that on the web. I used to do this for work about a decade ago, so I can't rattle off the instructions now. I could dig into it later when I have some free time.

Good luck.

Okay so here's what solved my problem.

  1. Edit /etc/opkg/distfeeds.conf changing the URLs from https to http
  2. opkg install libustream-openssl
  3. This resulted in:
      * check_data_file_clashes: Package libustream-openssl20201210 wants to install file /lib/libustream-ssl.so
        But that file is already provided by package  * libustream-mbedtls20201210
      * opkg_install_cmd: Cannot install package libustream-openssl.
  4. So now force remove that package: opkg --force-depends remove libustream-mbedtls20201210
  5. opkg install libustream-openssl
  6. Edit /etc/opkg/distfeeds.conf changing the URLs from http to https
  7. That resulted in "SSL verify error: unable to get local issuer certificate", which is a different error than the original, so I knew I was onto something.
  8. A quick Google search tells me that I probably needed to update my ca-certificates package
  9. Edit /etc/opkg/distfeeds.conf changing the URLs from https to http (again)
  10. opkg update
  11. opkg install ca-certificates
  12. Edit /etc/opkg/distfeeds.conf changing the URLs from http to https (again)
  13. opkg update
  14. IT WORKS!!!!!!!

I have no idea why or how it got that way. I suspect it's because I am using openssl rather than wolfssl? Who knows. Glad it's fixed. Now on to installing PBR so I can work around my ISP's dead route/routing loop issue.

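As an added diagnostic for the failure discussed in this thread (my script, not something any poster ran), the following checks the three things the replies above point at before anyone reaches for --no-check-certificate: whether the local CA bundle exists and actually contains certificates, which libustream-ssl backend opkg has installed and whether a CA package is present at all, and, when online, whether openssl verifies the chain downloads.openwrt.org presents against that bundle. The bundle path and host are assumed defaults (overridable via CA_BUNDLE and REPO_HOST); the opkg line format it parses is the "name - version" form shown in the thread.

```shell
#!/bin/sh
# Added diagnostic for the opkg SSL verify failure (not from the thread posts).
# Assumed defaults: the usual OpenWrt bundle path and the release mirror host.
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"
REPO_HOST="${REPO_HOST:-downloads.openwrt.org}"

# Print the number of PEM certificates in a bundle (0 if missing or empty).
# A count of 0 is the "unable to get local issuer certificate" situation.
count_ca_certs() {
    [ -r "$1" ] || { echo 0; return 1; }
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    echo "$n"
    [ "$n" -gt 0 ]
}

# Read `opkg list-installed` on stdin; print the libustream-ssl backend
# (mbedtls, openssl or wolfssl) or "none" if no TLS backend is installed.
ustream_backend() {
    b=$(sed -n 's/^libustream-\([a-z]*\)[0-9]* - .*/\1/p' | head -n 1)
    case "$b" in mbedtls|openssl|wolfssl) echo "$b" ;; *) echo none ;; esac
}

# Read `opkg list-installed` on stdin; succeed if a CA package is installed.
has_ca_package() {
    grep -q -E '^ca-(bundle|certificates) - '
}

# Online check: does openssl accept the chain the mirror presents when it is
# verified against the local bundle? Same trust decision wget/uclient-fetch make.
verify_repo_chain() {
    : | openssl s_client -connect "$2:443" -servername "$2" \
        -CAfile "$1" -verify_return_error >/dev/null 2>&1
}

report() {
    n=$(count_ca_certs "$CA_BUNDLE" || true)
    echo "CA bundle $CA_BUNDLE: $n certificate(s)"
    echo "libustream backend: $(opkg list-installed | ustream_backend)"
    if opkg list-installed | has_ca_package; then
        echo "CA package: installed"
    else
        echo "CA package: MISSING (opkg install ca-certificates)"
    fi
    if verify_repo_chain "$CA_BUNDLE" "$REPO_HOST"; then
        echo "chain for $REPO_HOST: verifies against local bundle"
    else
        echo "chain for $REPO_HOST: FAILS against local bundle (or offline)"
    fi
}

# Only run the report when invoked as `sh diag.sh report`.
[ "${1:-}" = "report" ] && report
```

A backend of mbedtls or wolfssl next to an openssl-only toolset, or a CA package that is missing while the bundle file still exists, matches what the solution post above ended up fixing.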
I guess the reason all along was somehow missing, outdated or damaged SSL certificates, so that installing ca-certificates fixed the problem.

Curious though, as ca-bundle or ca-certificates has been installed by default for a few years now. Your opkg install apparently did not complain about it being "already installed", so I wonder if something removed that from your system.