! Entware: bin.entware.net unreachable [SOLVED]

dony71

Regular Contributor
I have RT-AC86U and after install firmware 386.7_2, update entware gives an error

[email protected]:/tmp# opkg update

Code:
Downloading https://bin.entware.net/aarch64-k3.10/Packages.gz
*** Failed to download the package list from https://bin.entware.net/aarch64-k3.10/Packages.gz

Collected errors:
* opkg_download: Failed to download https://bin.entware.net/aarch64-k3.10/Packages.gz, wget returned 5.


[email protected]:/tmp# wget https://bin.entware.net/aarch64-k3.10/Packages.gz

Code:
--2022-09-19 13:04:43--  https://bin.entware.net/aarch64-k3.10/Packages.gz
Resolving bin.entware.net... 104.21.91.83, 172.67.212.134, 2606:4700:3032::6815:5b53, ...
Connecting to bin.entware.net|104.21.91.83|:443... connected.
ERROR: cannot verify bin.entware.net's certificate, issued by 'CN=Cloudflare Inc ECC CA-3,O=Cloudflare\\, Inc.,C=US':
  Unable to locally verify the issuer's authority.
To connect to bin.entware.net insecurely, use `--no-check-certificate'.


[email protected]:/tmp# /usr/sbin/openssl version

Code:
OpenSSL 1.1.1q  5 Jul 2022


[email protected]:/tmp# opkg install ca-certificates

Code:
Installing ca-certificates (20211016-1) to root...
Downloading https://bin.entware.net/aarch64-k3.10/ca-certificates_20211016-1_all.ipk
Collected errors:
 * opkg_download: Failed to download https://bin.entware.net/aarch64-k3.10/ca-certificates_20211016-1_all.ipk, wget returned 5.
 * opkg_install_pkg: Failed to download ca-certificates. Perhaps you need to run 'opkg update'?
 * opkg_install_cmd: Cannot install package ca-certificates.


Can anybody help how to fix this?
 
Last edited:

SomeWhereOverTheRainBow

Part of the Furniture
I have RT-AC86U and after install firmware 386.7_2, update entware gives an error

[email protected]:/tmp# opkg update

Code:
Downloading https://bin.entware.net/aarch64-k3.10/Packages.gz
*** Failed to download the package list from https://bin.entware.net/aarch64-k3.10/Packages.gz

Collected errors:
* opkg_download: Failed to download https://bin.entware.net/aarch64-k3.10/Packages.gz, wget returned 5.


[email protected]:/tmp# wget https://bin.entware.net/aarch64-k3.10/Packages.gz

Code:
--2022-09-19 13:04:43--  https://bin.entware.net/aarch64-k3.10/Packages.gz
Resolving bin.entware.net... 104.21.91.83, 172.67.212.134, 2606:4700:3032::6815:5b53, ...
Connecting to bin.entware.net|104.21.91.83|:443... connected.
ERROR: cannot verify bin.entware.net's certificate, issued by 'CN=Cloudflare Inc ECC CA-3,O=Cloudflare\\, Inc.,C=US':
  Unable to locally verify the issuer's authority.
To connect to bin.entware.net insecurely, use `--no-check-certificate'.


[email protected]:/tmp# /usr/sbin/openssl version

Code:
OpenSSL 1.1.1q  5 Jul 2022


[email protected]:/tmp# opkg install ca-certificates

Code:
Installing ca-certificates (20211016-1) to root...
Downloading https://bin.entware.net/aarch64-k3.10/ca-certificates_20211016-1_all.ipk
Collected errors:
 * opkg_download: Failed to download https://bin.entware.net/aarch64-k3.10/ca-certificates_20211016-1_all.ipk, wget returned 5.
 * opkg_install_pkg: Failed to download ca-certificates. Perhaps you need to run 'opkg update'?
 * opkg_install_cmd: Cannot install package ca-certificates.


Can anybody help how to fix this?
Use option ep in AMTM.
 

Viktor Jaep

Very Senior Member
Off course I already use AMTM and have this issue
this "! Entware: bin.entware.net unreachable" from AMTM error message
Are you able to ping/reach the site through a browser off your router? https://bin.entware.net/

Do you have any firewalls, blockers, or using skynet by chance? If so, try to whitelist that hostname?
 

Viktor Jaep

Very Senior Member
yes, can ping bin.entware.net
no skynet, only diversion
For kicks, try adding entware.net to the Diversion whitelist, and try again??
 

Viktor Jaep

Very Senior Member
still problem
I even try disable Diversion too
Can you try changing your WAN DNS servers to something else? Perhaps 9.9.9.9... or 8.8.8.8... not sure what you use? After the change, reboot and try again?
 

dony71

Regular Contributor
Can you try changing your WAN DNS servers to something else? Perhaps 9.9.9.9... or 8.8.8.8... not sure what you use? After the change, reboot and try again?
Tried assign google dns, but still problem
I don't think it's connectivity issue, because when I hit update option (1) on amtm, it shows wget issue
This is the same error message when doing "wget https://bin.entware.net/aarch64-k3.10/Packages.gz"
 

Attachments

  • WhatsApp Image 2022-09-19 at 4.34.18 PM.jpeg
    WhatsApp Image 2022-09-19 at 4.34.18 PM.jpeg
    103.9 KB · Views: 17

Viktor Jaep

Very Senior Member
Tried assign google dns, but still problem
I don't think it's connectivity issue, because when I hit update option (1) on amtm, it shows wget issue
This is the same error message when doing "wget https://bin.entware.net/aarch64-k3.10/Packages.gz"
Any way you can try to manually download some of these necessary .gz packages and install them manually? Personally, I would just blow away the entire entware environment, and try to start over at this point. Maybe do an M&M reset while you're at it...
 

dony71

Regular Contributor
Any way you can try to manually download some of these necessary .gz packages and install them manually? Personally, I would just blow away the entire entware environment, and try to start over at this point. Maybe do an M&M reset while you're at it...

how to download manually?
wget has already certificate issue
 

Viktor Jaep

Very Senior Member
how to download manually?
wget has already certificate issue
Maybe download on your laptop, use WinSCP and upload to the router... then extract the .gz's...
 

dony71

Regular Contributor
Maybe download on your laptop, use WinSCP and upload to the router... then extract the .gz's...
it will be significant hacking since the script will use wget to download each of ipk update
it appears to me this issue related to router certificate and my understanding ssl
certificate located in /rom/etc/ssl/certs/ca-certificates.crt which means from firmware itself
if this is the case, wipe usb and fresh install entware won't help either
 

Martinski

Regular Contributor
... it appears to me this issue related to router certificate and my understanding ssl
certificate located in /rom/etc/ssl/certs/ca-certificates.crt which means from firmware itself ...
You're right; the "wget returned 5" message indicates that there's some kind of issue with the SSL certificate validation.

As @ColinTaylor seems to suggest with his query in the previous post, make sure that you're running the built-in "wget" command (/usr/sbin/wget) and not another version possibly installed via Entware.

Also, what's the output of the following commands?
Bash:
echo $PATH
head -n20 /opt/etc/profile

It's also a good idea to double-check that your router's date & time are correct according to your time zone. If not correct, your NTP client may not be working properly, or for some reason cannot reach an NTP server to sync the system clock.

BTW, you can check the start & end dates of the router's default certificate with the following command:
Bash:
openssl x509 -dates -noout -in /etc/ssl/certs/ca-certificates.crt

Just my 2 cents.
 
Last edited:

dony71

Regular Contributor
As @ColinTaylor seems to suggest with his query in the previous post, make sure that you're running the built-in "wget" command (/usr/sbin/wget) and not another version possibly installed via Entware.

Yes, this is the problem
I don't remember installed wget-ssl, "which wget" pointed to /opt/wget which is soft link of wget-ssl
Thanks
 

Martinski

Regular Contributor
Yes, this is the problem
I don't remember installed wget-ssl, "which wget" pointed to /opt/wget which is soft link of wget-ssl
Thanks
OK, very good; the problem was found. Did you fix the PATH environment variable? Or, did you just remove the "wget-ssl" package from Entware? Or, did you do both?

I'm asking because removing the package from Entware would be one quick fix; however, it's possible that you may still encounter an issue with some other built-in command (now or maybe in the future) because your PATH variable is very likely set up so that the router's built-in commands have lower order of precedence than possible equivalent commands installed via Entware. That's why I asked to see the output of:
Bash:
echo $PATH
head -n20 /opt/etc/profile

The reason is that some built-in commands may have specific options or behaviors which are intended to work with the system in some expected manner (e.g. tightly-coupled components), and this might not be the case *if* running the usually larger, full-version, equivalent commands installed via Entware.

I'm not saying that this tight coupling of components within the router is a bad thing. In an embedded system, it's actually fairly common to do that; but you have to be careful & mindful of that when introducing "external" components like Entware packages.
 

dony71

Regular Contributor
OK, very good; the problem was found. Did you fix the PATH environment variable? Or, did you just remove the "wget-ssl" package from Entware? Or, did you do both?

I'm asking because removing the package from Entware would be one quick fix; however, it's possible that you may still encounter an issue with some other built-in command (now or maybe in the future) because your PATH variable is very likely set up so that the router's built-in commands have lower order of precedence than possible equivalent commands installed via Entware. That's why I asked to see the output of:
Bash:
echo $PATH
head -n20 /opt/etc/profile

The reason is that some built-in commands may have specific options or behaviors which are intended to work with the system in some expected manner (e.g. tightly-coupled components), and this might not be the case *if* running the usually larger, full-version, equivalent commands installed via Entware.

I'm not saying that this tight coupling of components within the router is a bad thing. In an embedded system, it's actually fairly common to do that; but you have to be careful & mindful of that when introducing "external" components like Entware packages.

I remove wget-ssl

[email protected]:/tmp/home/root# echo $PATH
/opt/bin:/opt/sbin:/bin:/usr/bin:/sbin:/usr/sbin:/home/admin:/mmc/sbin:/mmc/bin: /mmc/usr/sbin:/mmc/usr/bin:/opt/sbin:/opt/bin:/opt/usr/sbin:/opt/usr/bin

[email protected]:/tmp/home/root# head -n20 /opt/etc/profile
#!/bin/sh

# Please note it's not a system-wide settings, it's only for a current
# terminal session. Point your f\w (if necessery) to execute /opt/etc/profile
# at console logon.

is_substring(){
case "$2" in
*$1*) return 0;;
*) return 1;;
esac
}

# Set CHECK_OPT_PATH to 1 to check /opt/bin and /opt/sbin in PATH
CHECK_OPT_PATH=0
if [ $CHECK_OPT_PATH = 1 ]; then
is_substring "/opt/bin" $PATH
[ $? == 1 ] && export PATH=/opt/bin:$PATH
is_substring "/opt/sbin" $PATH
[ $? == 1 ] && export PATH=/opt/sbin:$PATH
 

Martinski

Regular Contributor
I remove wget-ssl

[email protected]:/tmp/home/root# echo $PATH


[email protected]:/tmp/home/root# head -n20 /opt/etc/profile
To make sure that all the router's built-in commands have precedence over any equivalent commands that might be installed (now or later) via Entware, this is how I fixed the setting of the PATH variable in the "/opt/etc/profile" file:
Bash:
...
CHECK_OPT_PATH=1
if [ $CHECK_OPT_PATH = 1 ]; then
    is_substring "/opt/bin" $PATH
    [ $? == 1 ] && export PATH="$PATH:/opt/bin"
    is_substring "/opt/sbin" $PATH
    [ $? == 1 ] && export PATH="$PATH:/opt/sbin"
else
    export PATH="$PATH:/opt/bin:/opt/sbin"
fi
...

The "PATH" assignment modifications may no longer be necessary in the most recent F/W releases, but I like to change them anyway to emphasize the intended/expected order in the PATH environment variable.

BTW, whenever you knowingly intend to use an equivalent command from Entware instead of the built-in version, you must use the full path (e.g. "/opt/bin/wget" instead of simply "wget"). This is what I do in my own scripts.
 

SomeWhereOverTheRainBow

Part of the Furniture
To make sure that all the router's built-in commands have precedence over any equivalent commands that might be installed (now or later) via Entware, this is how I fixed the setting of the PATH variable in the "/opt/etc/profile" file:
Bash:
...
CHECK_OPT_PATH=1
if [ $CHECK_OPT_PATH = 1 ]; then
    is_substring "/opt/bin" $PATH
    [ $? == 1 ] && export PATH="$PATH:/opt/bin"
    is_substring "/opt/sbin" $PATH
    [ $? == 1 ] && export PATH="$PATH:/opt/sbin"
else
    export PATH="$PATH:/opt/bin:/opt/sbin"
fi
...

The "PATH" assignment modifications may no longer be necessary in the most recent F/W releases, but I like to change them anyway to emphasize the intended/expected order in the PATH environment variable.

BTW, whenever you knowingly intend to use an equivalent command from Entware instead of the built-in version, you must use the full path (e.g. "/opt/bin/wget" instead of simply "wget"). This is what I do in my own scripts.
Maintaining the appropriate path seems to have become a common theme, and necessity, in these threads. You have just managed to reiterate its importance. Awesome share!
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top