TLDR solution at bottom, current defaults and CDN setup seem incompatible.
Today I freshly installed 23.05.4 on an ASUS RT-AX53U.
After setting up the network (i.e. setting the IP and DNS to point to my existing network) I Tried to run opkg update (via Luci and SSH).
Both failed, and checking one of the URLs manually with 'wget' was met with
Connection error: Server hostname does not match SSL certificate
Wget is provided by uclient-fetch by default.
To resolve, I needed to replace the downloads hostname with the direct mirror found visiting the downloads in a web browser and noting the occasional redirect:
sed -i 's/downloads.openwrt.org/mirror-03.infra.openwrt.org/g' /
etc/opkg/distfeeds.conf
It's been quite a while that downloads.openwrt.org pointed to mirror-03.infra.openwrt.org. It is supposed to point to dualstack.j.sni.global.fastly.net nowadays. Stale DNS cache maybe?
No idea how, but in the actual address bar of Chrome was showing the infra domain. Like it would randomly have redirected me there. Only difference between Chrome and the router would be IPv6 vs IPv4 only on the router
Of course now that I try reproduce it I can't. I'll have to run a pcacp on the Asus to see why SNI seems to fail with the downloads domain
Hmm, same issue? About 15 hours ago I could access neither downloads nor the forum, and ultimately deduced it was a fastly CDN issue. My test was curl https://forum.openwrt.org (or downloads, both did the same thing), which timed out on a couple local machines (I'm in California), but when I sshed into a Linode in Virginia, it worked fine. I thought at first it was my local DNS cache, but I flushed everything and still dig got me the same IPv4/v6, so I went to bed and it was all fixed in the morning.