amtm 3.2.0 Entware fails to update - opkg wget certificate error


Phantomski

Occasional Visitor
After update to amtm 3.2.0 on FW-384.18 (RT-AC88U), I can't update entware packages (armv7sf-k2.6).
Code:
Downloading https://bin.entware.net/armv7sf-k2.6/Packages.gz
*** Failed to download the package list from https://bin.entware.net/armv7sf-k2.6/Packages.gz
Collected errors:
 * opkg_download: Failed to download https://bin.entware.net/armv7sf-k2.6/Packages.gz, wget returned 5.
Trying
Code:
opkg update
returns the same error.

Trying
Code:
wget https://bin.entware.net/armv7sf-k2.6/Packages.gz
indicates a problem with the certificate:
Code:
--2021-07-18 10:32:12--  https://bin.entware.net/armv7sf-k2.6/Packages.gz
Resolving bin.entware.net... 104.21.91.83, 172.67.212.134, 2606:4700:3032::ac43:d486, ...
Connecting to bin.entware.net|104.21.91.83|:443... connected.
ERROR: cannot verify bin.entware.net's certificate, issued by 'CN=Cloudflare Inc ECC CA-3,O=Cloudflare\\, Inc.,C=US':
  Unable to locally verify the issuer's authority.
To connect to bin.entware.net insecurely, use `--no-check-certificate'.

Checking in the browser, the certificate is valid. Trying wget on a different machine, it works ok too.

If I edit /opt/etc/opkg.conf and replace https:// with http:// I can run at least opkg update and opkg upgrade, even though it's obviously not ideal. Also, amtm checks for https in the opkg.conf file anyway, so I can't use amtm for entware upgrades anymore (without editing the script).

I have also noticed that checking
Code:
openssl version
Returns:
Code:
OpenSSL 1.0.2u  20 Dec 2019
Which might suggest it's a bit outdated and potentially struggling with more modern TLS.
Looking at Merlin's changelog, openssl should have been 1.1.1g since FW 384.17.

Any ideas why it's still the old version? Could it be related to the amtm/opkg/wget issues above? Can I update just openssl without breaking anything down the line? Or do I have to update the whole FW?
 

Jack Yaz

Part of the Furniture
I suspect that since you're on an ancient f/w (384.18), openssl was 1.0.2 and openssl11 was a separate command until Asus caught up. Are you able to upgrade to the 386.x codebase?
If not, you might need to update the cert store in the firmware.
 

thelonelycoder

Part of the Furniture
Oh dear, what return do you get with which openssl?
It should be the router's binary /usr/sbin/openssl
If it returns the /opt version, removing it might help.

FW 384.18 also is outdated, upgrading it to latest is my suggestion.
 

Phantomski

Occasional Visitor
Jack Yaz said:
> I suspect that since you're on an ancient f/w (384.18), openssl was 1.0.2 and openssl11 was a separate command until Asus caught up. Are you able to upgrade to the 386.x codebase?
> If not, you might need to update the cert store in the firmware.

It's a bit old, I know. It's in the pipeline, but with setting up everything from scratch, I didn't have an opportunity yet.
Code:
opkg install ca-certificates
from http repo cured it. Thanks.
 

Phantomski

Occasional Visitor
thelonelycoder said:
> Oh dear, what return do you get with which openssl?
> It should be the router's binary /usr/sbin/openssl
> If it returns the /opt version, removing it might help.
>
> FW 384.18 also is outdated, upgrading it to latest is my suggestion.

which openssl returned correct /usr/sbin/openssl.
/usr/sbin/openssl version still returned OpenSSL 1.0.2u 20 Dec 2019

For some reason it didn't get updated with the fw.

For the moment, the updated cert store cured the issue, but of course 386 is the way. Soon! ;)
 

Phantomski

Occasional Visitor
Thanks everyone. Sorted for now, 386 next.
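
Added example, not part of any post in this thread: once `ca-certificates` is installed, the http:// workaround in /opt/etc/opkg.conf should be reverted so the feeds are fetched over TLS again. The sketch below lists feed lines still on http:// and switches them back only when a CA bundle is present. The bundle path and the `src/gz` line layout are assumptions about an Entware install, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit an opkg.conf for plaintext feeds and restore https.
# Default paths are assumptions for an Entware install; pass your own as arguments.
CONF_DEFAULT=/opt/etc/opkg.conf
CA_DEFAULT=/opt/etc/ssl/certs/ca-certificates.crt   # assumed bundle location

# Print every feed line ("src" or "src/gz") that still uses http://.
# Comment lines and non-feed directives are ignored.
plain_feeds() {
    grep -E '^[[:space:]]*src(/gz)?[[:space:]]+[^[:space:]]+[[:space:]]+http://' "$1"
}

# Rewrite http:// feeds to https://, but only when a non-empty CA bundle
# exists, so wget/opkg do not fail certificate verification again.
# Returns 0 on success or nothing to do, 1 if the bundle is missing,
# 2 if the config cannot be read or backed up.
restore_https() {
    conf=${1:-$CONF_DEFAULT}
    ca=${2:-$CA_DEFAULT}
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    [ -s "$ca" ] || { echo "no CA bundle at $ca; install ca-certificates first" >&2; return 1; }
    plain_feeds "$conf" >/dev/null || return 0      # no plaintext feeds left
    cp "$conf" "$conf.bak" || return 2              # keep a copy of the workaround state
    sed -E '/^[[:space:]]*src(\/gz)?[[:space:]]/ s#http://#https://#' "$conf.bak" > "$conf"
}
```

After `restore_https` succeeds, `opkg update` should work over https without `--no-check-certificate`; if it does not, the saved `.bak` file holds the previous configuration.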
 
