amtm AC87U - "All download attempts failed"

Ticki276

Hello everyone!

First time and first thread here, so please be gentle :D

Flashed the Merlin firmware a few months ago on my AC87U.. everything worked fine until my USB storage said bye.. So I ordered a new one and tried to install diversion and everything new. Didn't work.. So I decided to hard reset the router: Didn't work either. Also the flash of the original Asus software followed by a hard reset and the new flash of the Merlin software didn't get me a solution.

Every time I try to start amtm by typing "amtm" in the ssh console I get the following answer (using the cmd of Windows and also Putty):

Code:
Initializing amtm for first run
 - Created /jffs/addons/amtm directory
 - JFFS custom scripts and configs enabled

 Getting from fwupdate.asuswrt-merlin.net
 ! Module amtm.mod download failed
 ! using fallback server diversion.ch
 ! Module amtm.mod download failed

 All download attempts failed,
 exiting amtm now.

 Check that both domains properly resolve
 on this router:
 - fwupdate.asuswrt-merlin.net
 - diversion.ch

I did a little research and got to the following thread: https://www.snbforums.com/threads/amtm-the-asuswrt-merlin-terminal-menu.42415/page-118

Someone with the same problem and solution strategy (I also get the same information like "aunahin" in post number 2341 by typing the "nslookup"-command). But as I read the whole last pages of the thread, there was no solution found.

Maybe there is one solution today? Can somebody help me? :confused:

Thanks in advance for any answers!
 
Similar problem here after ssh'ing in last night (Oct 1st) for the first time in a while. Problem persists after hard reboot. (RT-AC87U FW-384.13, amtm 3.1.8 FW)

This may be related to Let's Encrypt certificate updates affecting https://diversion.ch/:
DST Root CA X3 Expiration (September 2021)

Error reported by amtm:
Getting from fwupdate.asuswrt-merlin.net
! Module amtm_rev4.mod download failed
! using fallback server diversion.ch
! Module amtm_rev4.mod download failed

DNS resolves:
> nslookup diversion.ch
Server: 8.8.8.8
Address 1: 8.8.8.8 dns.google

Name: diversion.ch
Address 1: 80.74.145.140 emerson.ch-meta.net

Running curl against diversion.ch:
> curl https://diversion.ch/amtm_fw/amtm_rev4.mod
curl: (60) SSL certificate problem: certificate has expired
...

I can successfully curl that file on my local machine on the router's network. Do we need to update the cert store on the router? If so, how does one do that? (Note that 384.13 is the last supported Asuswrt-Merlin version on AC87U.)
 
Just ran into this myself and can confirm disabling certificate validation works running this from SSH:

echo insecure >> $HOME/.curlrc

However I'm not sure how to undo this...
 
Interesting, it seems to undo after restart as I couldn't install another amtm package until running the command again. Obviously I am totally lost with Linux. But I guess this is good?

Hopefully someone can confirm.
 
The contents of $HOME are not persistent after a reboot, but you can add that echo line to /jffs/configs/profile.add to ensure it is added when you login. But you might want to change it to:
Code:
echo insecure > $HOME/.curlrc
Otherwise you’d get another insecure added every time you login.

Or put the command in /jffs/scripts/services-start which would run once on a reboot.
 
First: Thanks for the answers!

The command
Code:
echo insecure > $HOME/.curlrc
works for me, too! Nice!

But when I try to insert the command in
Code:
/jffs/scripts/services-start
it doesn't seem to do like I want.. I have to call the command again for myself.

My start-file looks like this:

Code:
#!/bin/sh
echo insecure > $HOME/.curlrc
 
@Ticki276 When services-start runs the environment variables are set differently because it's not an interactive session. One of the differences is that $HOME is set to '/' instead of '/root'. So you'll need to hard-code the .curlrc filename to be /root/.curlrc or simply use the -k option on curl, e.g. curl -k https://diversion.ch/amtm_fw/amtm_rev.
 
Thanks for this. Been trying to update Diversion for days now and just reset the router to defaults, couldn't resolve diversion.ch but could ping the other.

I even tried tethering my phone and using that connection thinking it was some DNS issue with my ISP.
 
I can successfully curl that file on my local machine on the router's network. Do we need to update the cert store on the router? If so, how does one do that? (Note that 384.13 is the last supported Asuswrt-Merlin version on AC87U.)

Is anyone able to answer that question? Is there a more permanent fix, like updating the certificate on the AC87U?
 
This being outdated firmware you are using (I presume) there is no way to change it as the files are read only. That includes the skeleton amtm file that comes with the firmware. With no way to update the behavior of amtm at this time, you are left to use the only work around that has been posted here.
 
You could store an updated root certificate list in jffs, then do a binding mount on top of the firmware's file, through services-start.

Code:
mount -o bind /jffs/new-ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 
That's after amtm ran for the first time. Users would still have to somehow enable unsecure connection for the initial run.
But good point, I can add that to amtm/Diversion.
 
If they put that command in services-start, it should be available early enough. One could possibly even use init-start to have it happen even before WAN comes online, but I'm not sure if /etc is properly configured so early.
 
For a more complete solution that will also download the updated CA bundle from my Github:

Code:
wget https://raw.githubusercontent.com/RMerl/asuswrt-merlin.ng/master/release/src/router/rom/certs/ca-bundle.crt -O /jffs/ca-bundle.crt
mount -o bind /jffs/ca-bundle.crt  /etc/ssl/certs/ca-certificates.crt
 
Here is what I get when I do the wget cmd:


admin@RT-AC86U-1BD0:/tmp/home/root# wget https://raw.githubusercontent.com/R...g/master/release/src/router/rom/certs/ca-bundle.crt -O /jffs/ca-bundle.crt
Will not apply HSTS. The HSTS database must be a regular and non-world-writable file.
ERROR: could not open HSTS store at '/root/.wget-hsts'. HSTS will be disabled.
--2021-10-17 08:31:39-- https://raw.githubusercontent.com/R...er/release/src/router/rom/certs/ca-bundle.crt
Resolving raw.githubusercontent.com... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com|185.199.108.133|:443... connected.
ERROR: cannot verify raw.githubusercontent.com's certificate, issued by 'CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US':
Unable to locally verify the issuer's authority.
To connect to raw.githubusercontent.com insecurely, use `--no-check-certificate'.
 
The last line of the error tells you what to do.
Code:
wget --no-check-certificate https://raw.githubusercontent.com/RMerl/asuswrt-merlin.ng/master/release/src/router/rom/certs/ca-bundle.crt -O /jffs/ca-bundle.crt
mount -o bind /jffs/ca-bundle.crt  /etc/ssl/certs/ca-certificates.crt
Although this was really intended for unfortunate users who have no firmware upgrade options. You do have a choice to upgrade your AC86U.
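
Added example, not part of the thread and not the firmware author's code: a services-start script that checks the downloaded bundle before bind-mounting it, because a file fetched with --no-check-certificate is unauthenticated and then becomes the router's trust store. EXPECTED_SHA256 is a placeholder to fill with a hash computed on a machine that can verify the download; the function names, and the presence of sha256sum and logger on the router, are assumptions.

```shell
#!/bin/sh
# Added example for /jffs/scripts/services-start (not code from the thread).
# services-start runs with HOME=/, so every path here is absolute.
BUNDLE=/jffs/ca-bundle.crt
TARGET=/etc/ssl/certs/ca-certificates.crt
# Placeholder: SHA-256 of the bundle, computed on a machine that fetched it
# with certificate verification enabled.
EXPECTED_SHA256="REPLACE_WITH_HASH_FROM_TRUSTED_MACHINE"

# True if the file is non-empty and every BEGIN marker has an END marker,
# which catches an empty or truncated download.
bundle_is_pem() {
    [ -s "$1" ] || return 1
    b=$(grep -c 'BEGIN CERTIFICATE' "$1" || true)
    e=$(grep -c 'END CERTIFICATE' "$1" || true)
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ]
}

# True if the file's SHA-256 equals the pinned value in $2.
bundle_matches_hash() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# True if something is already mounted on path $1 (mount table in $2).
already_mounted() {
    grep -qF " $1 " "${2:-/proc/mounts}"
}

# Bind-mount the bundle over the firmware's read-only file, but only if it
# passes both checks; otherwise log and leave the stock bundle in place.
install_bundle() {
    bundle_is_pem "$BUNDLE" ||
        { logger -t ca-bundle "bad PEM, skipping"; return 1; }
    bundle_matches_hash "$BUNDLE" "$EXPECTED_SHA256" ||
        { logger -t ca-bundle "hash mismatch, skipping"; return 1; }
    already_mounted "$TARGET" && return 0
    mount -o bind "$BUNDLE" "$TARGET"
}

# Install only when this file is running as services-start itself.
case "$0" in
    */services-start) install_bundle ;;
esac
```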
 
the new certs (ca-bundle.crt) don't seem to fix the problem. amtm is still not able to contact diversion.ch without the "insecure" flag.
 
adding info to my previous post, i'd like to understand why curl cannot connect to diversion.ch

router AC3200 (fw 384.13.10) - i know, not supported anymore
i'm using the updated ca-bundle.crt as instructed above

I did a comparison of
Code:
openssl s_client -showcerts -servername diversion.ch -connect diversion.ch:443
on the router, as well as my debian 10 nas (which works when you curl diversion.ch/amtm/amtm)

The only difference I saw was my debian system was using TLS1.3 to make the connection, but the router was using TLS1.2 and picked the old certificate (Digital Signature Trust Co., CN = DST Root CA X3).

Is the reason it's not working because openssl / curl is out of date?
OpenSSL 1.0.2u 20 Dec 2019 on the router
OpenSSL 1.1.1k 25 Mar 2021 on debian

Is there a way to update openssl on the router? I noticed libopenssl - 1.1.1k-1 in my installed entware packages...is there any way for amtm to use that instead of the router outdated version?
 
ok, i've confirmed that installing the updated curl from entware allows me to curl to diversion.ch and use the proper certificate, however amtm still can't get the updates for diversion or amtm. Does amtm not use the entware version of curl?
 
