
amtm amtm 3.2.0 Entware fails to update - opkg wget certificate error


Phantomski

Regular Contributor
After update to amtm 3.2.0 on FW-384.18 (RT-AC88U), I can't update entware packages (armv7sf-k2.6).
Code:
Downloading https://bin.entware.net/armv7sf-k2.6/Packages.gz
*** Failed to download the package list from https://bin.entware.net/armv7sf-k2.6/Packages.gz
Collected errors:
 * opkg_download: Failed to download https://bin.entware.net/armv7sf-k2.6/Packages.gz, wget returned 5.
Trying
Code:
opkg update
returns the same error.

Trying
Code:
wget https://bin.entware.net/armv7sf-k2.6/Packages.gz
indicates a problem with the certificate:
Code:
--2021-07-18 10:32:12--  https://bin.entware.net/armv7sf-k2.6/Packages.gz
Resolving bin.entware.net... 104.21.91.83, 172.67.212.134, 2606:4700:3032::ac43:d486, ...
Connecting to bin.entware.net|104.21.91.83|:443... connected.
ERROR: cannot verify bin.entware.net's certificate, issued by 'CN=Cloudflare Inc ECC CA-3,O=Cloudflare\\, Inc.,C=US':
  Unable to locally verify the issuer's authority.
To connect to bin.entware.net insecurely, use `--no-check-certificate'.

Checking in the browser, the certificate is valid. Trying wget on a different machine, it works ok too.

If I edit /opt/etc/opkg.conf and replace https:// with http:// I can run at least opkg update and opkg upgrade, even though it's obviously not ideal. Also, amtm checks for https in the opkg.conf file anyway, so I can't use amtm for entware upgrades anymore (without editing the script).

I have also noticed that checking
Code:
openssl version
Returns:
Code:
OpenSSL 1.0.2u  20 Dec 2019
Which might suggest it's a bit outdated and potentially struggling with more modern TLS.
Looking at the Merlin's changelog, openssl should have been 1.1.1g since FW 384.17

Any ideas why it's still the old version? Could it be related to amtm/opkg/wget issues above? Can I update just openssl without breaking anything down the line? Or do I have to update whole FW?
 
I suspect that since you're on an ancient f/w (384.18), openssl was 1.0.2 and openssl11 was a separate command until Asus caught up. Are you able to upgrade to the 386.x codebase?
If not, you might need to update the cert store in the firmware.
 
Oh dear, what return do you get with which openssl?
It should be the router's binary /usr/sbin/openssl
If it returns the /opt version, removing it might help.

FW 384.18 also is outdated, upgrading it to latest is my suggestion.
 
It's a bit old, I know. It's in the pipeline, but with setting up everything from scratch, I didn't have an opportunity yet.
Code:
opkg install ca-certificates
from http repo cured it. Thanks.
 
which openssl returned correct /usr/sbin/openssl.
/usr/sbin/openssl version still returned OpenSSL 1.0.2u 20 Dec 2019

For some reason it didn't get updated with the fw.

For the moment, the updated cert store cured the issue, but of course 386 is the way. Soon! ;)
 
Thanks everyone. Sorted for now, 386 next.
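
The thread's interim workaround left /opt/etc/opkg.conf pointing at http:// feeds, which should be switched back once the CA store is in place. The script below is an added example, not part of the thread and not amtm or Entware code: it lists feeds still on plain HTTP and restores https:// only when a CA certificate directory is populated. The sample config, the function names and the CA directory argument are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). The sample opkg.conf below is
# constructed; point the functions at /opt/etc/opkg.conf on a real router.

# Print "name url" for each feed line (src or src/gz) using plain http://.
list_http_feeds() {
    awk '$1 ~ /^src(\/gz)?$/ && $3 ~ /^http:\/\// { print $2, $3 }' "$1"
}

# Number of plain-HTTP feeds; 0 means every feed is fetched over TLS.
count_http_feeds() {
    list_http_feeds "$1" | wc -l | tr -d ' '
}

# Switch http:// feeds back to https://, but only if the CA directory given
# as $2 holds at least one file, so opkg is not left unable to verify again.
# A backup of the original is kept as <conf>.bak.
restore_https_feeds() {
    conf=$1 certs=$2
    [ -n "$(ls -A "$certs" 2>/dev/null)" ] || { echo "no CA certs in $certs" >&2; return 2; }
    [ "$(count_http_feeds "$conf")" -gt 0 ] || return 0
    cp -p "$conf" "$conf.bak" || return 1
    awk '$1 ~ /^src(\/gz)?$/ && $3 ~ /^http:\/\// { sub(/http:\/\//, "https://") }
         { print }' "$conf.bak" > "$conf"
}

# Constructed sample: one feed downgraded to http, one commented-out line.
write_sample_conf() {
    cat > "$1" <<'EOF'
src/gz entware http://bin.entware.net/armv7sf-k2.6
# src/gz old http://example.invalid/feed
dest root /
lists_dir ext /opt/var/opkg-lists
EOF
}

demo_dir=$(mktemp -d)
mkdir "$demo_dir/certs"
write_sample_conf "$demo_dir/opkg.conf"
list_http_feeds "$demo_dir/opkg.conf"          # feed still on plain HTTP
restore_https_feeds "$demo_dir/opkg.conf" "$demo_dir/certs" || echo "kept http: CA store empty"
: > "$demo_dir/certs/constructed-ca.pem"       # stand-in for an installed CA store
restore_https_feeds "$demo_dir/opkg.conf" "$demo_dir/certs"
cat "$demo_dir/opkg.conf"
rm -rf "$demo_dir"
```

After the rewrite, running opkg update confirms that certificate verification now succeeds over https.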
 
