
MerlinAU v1.1.2 - The Ultimate Firmware Auto-Updater (Now available in AMTM)

Hi,

Today I tried to update and got the message below.
——————————
**ERROR**
Unable to decompress the F/W Update ZIP file for version 3004.388.6.2 on the RT-AX88U router.

Flashing the F/W Update on the RT-AX88U router is now cancelled due to decompress error.

——————————

After this I only checked the advanced settings to check the change log, and for me, without any understandable reason, the update worked without any issues. In other words, I don't understand why that adjustment leads to a successful installation.

Things that would be nice to add are updating the node(s) or maybe first updating nodes to test?

Anyway, nice module!
Thnx

Sorry, can you clarify what exactly you adjusted in the advanced settings?

What was the setting set to before? And what was it set to when it worked?
 
Well, on days like today, silence is golden.
I guess I can relax and take a breath of fresh air. Considering this is our first release cycle since MerlinAU was officially released I think our team did pretty good.

@Reef2009

Lots of things can cause a failed decompressed zip (extracted zip). Stuff even unrelated to the script directly like a really broken download, etc.

However we can potentially help rule a few reasons out (or in) if you can send me the contents of your log file for MerlinAU. (Luckily I added a redirection of this step in the last release so it should be in the logs)
You can find the log location under the advanced options. From there you can either use WinSCP or simply cat the file to provide the contents like:

Code:
cat /tmp/mnt/USB1/MerlinAU.d/logs/<LOGNAME>.log

Replace <LOGNAME> with the actual name of the log.
 
I changed the default settings & did f/w option check now (option 1).

I wasn't sure what HSTS notification is at the top but other than that....all running smoothly!

Just wanted to report the recent firmware updated without any issues.

Thanks for the great work on this!
 

Attachments: Screenshot_20240228_024438_JuiceSSH.jpg, Screenshot_20240228_025452_JuiceSSH.jpg

I've received an alert e-mail from MerlinAU that a firmware update is available for my router, so I'm waiting for the 7-day delay to come to an end to see if all goes well. I'll report back next week when the delay has come to an end.
 
All looks good and normal to me! Thanks for testing!

Edit: In regards to the HSTS error message you're seeing, it relates to the HSTS (HTTP Strict Transport Security) feature.
HSTS is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking.
It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.
 
Seems like a great script, however I ran into an error whilst trying to use it using my standard set-up and had to change things a bit to get it working.

Update failed because curl could not login to my web server. I use DDNS so I can resolve my router's hostname to connect to its VPN server when out and about. I also use LetsEncrypt for the web server's SSL certificate.
This seems to cause an issue for curl in the script, which is expecting the SSL's cert to contain the router's standard hostname in its subject name.

When attempting to update using the script, I had the following error:

Code:
curl: (60) SSL: no alternative certificate subject name matches target host name 'RT-AX86U_Pro-****.home-lan'
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

(I have starred out the actual 4 digits in my router's hostname. home-lan is the LAN domain name I have configured)

I have gotten round this by disabling LetsEncrypt and also disabling the web server's HTTPS server, and then the script worked and updated the firmware just fine.

However, ideally the script would be able to account for this situation if HTTPS is used with a LetsEncrypt certificate, and curl would expect the DDNS hostname rather than the standard hostname issued by the router's standard SSL cert generation technique.
 
I also use DDNS with LetsEncrypt by Asus, (asuscomm.com) and don't have this issue. I think it may need more investigation into root cause.
Can you send me your log file (info above for reference on retrieving it).

Do you have the option to redirect webui access to asusrouter.com?

1709126606669.png
 
Ah ok, interesting. I do have that option, but it was unchecked. I have checked it now, however, I can't test to see if it makes a difference to the script as there is no longer a firmware update available.

I also use no-ip for my ddns service, not Asus built-in DDNS service, so I wonder if that also might make a difference.
 
We will investigate and see if we can reproduce, I'd still like to see the log if possible to rule out any obvious oversights the script logic may have taken.
What about your local access config? Is it set up the same as mine above?

1. Authentication is set to "Both" for me. This may have an impact as I still allow HTTP traffic locally.
2. The ports remain the default ports, but I have not attempted to change them to see if it makes a difference.
 
I had the web-server set to HTTPS Only with default port (8443). I don't know whether it was disabling LetsEncrypt or changing this to HTTP Only (with default port of 80) that enabled the script to update the firmware, as I did both at the same time to troubleshoot this, and it worked after doing those.

I can't see where you mean by above that says where I should upload the logs? I have just checked the logs myself for the failed updates and they only say:
Code:
**ERROR**: Login failed. Please try the following:
1. Confirm you are not already logged into the router using a web browser.
2. Update credentials by selecting "Configure Router Login Credentials" from the Main Menu.
2024-02-28 07:27:13 The email notification was sent successfully [FAILED_FW_UPDATE_STATUS].

It was only when attempting to update manually that I could see the curl error I enclosed in my first post that helped me figure out what the issue was.
 
I can't see where you mean by above that says where I should upload the logs? I have just checked the logs myself for the failed updates and they only say:

Sorry, I meant the steps to retrieve the logs I mentioned in an earlier post above yours here:

You can find the log location under the advanced options. From there you can either use WinSCP or simply cat the file to provide the contents like:

Code:
cat /tmp/mnt/USB1/MerlinAU.d/logs/<LOGNAME>.log

Replace <LOGNAME> with the actual name of the log.

As for your log output:

Code:
**ERROR**: Login failed. Please try the following:
1. Confirm you are not already logged into the router using a web browser.
2. Update credentials by selecting "Configure Router Login Credentials" from the Main Menu.
2024-02-28 07:27:13 The email notification was sent successfully [FAILED_FW_UPDATE_STATUS].

Thanks for all the detail and answering the questions in a timely manner. This is more than enough for me to go on for now.

I had the web-server set to HTTPS Only with default port (8443). I don't know whether it was disabling LetsEncrypt or changing this to HTTP Only (with default port of 80) that enabled the script to update the firmware, as I did both at the same time to troubleshoot this, and it worked after doing those.

My gut tells me this is what allowed it to work, you swapping to HTTP on port 80 likely allowed the script to login to the WebUI and trigger the update.
In my case, I have it set to both, so whichever method I try, it works, and the script likely defaults to HTTP port 80 in my case.

If you were using strictly HTTPS on port 8443 for LAN access, this may be the key difference. Will do some testing and report back what is found.
 
@ExtremeFiretop ... please go ahead and add the GT-AX6000 to your list of tested devices! Successfully ran the update this morning, and all went extremely well! Congrats to both you and @Martinski for this awesome script!
 
Thanks Viktor!

The following has been updated as working:
GT-AX11000 Pro
GT-AX6000

Still waiting on:
RT-AX86U Pro from @TheLyppardMan

Seems like a great script, however I ran into an error whilst trying to use it using my standard set-up and had to change things a bit to get it working.

@JimbobJay

For diagnostics purposes, can I ask you to send the results of the following commands (including enclosing curly bracket):
{
_shownvram_() { printf "$1=[%s]\n" "$(nvram get "$1")" ; }
_shownvram_ http_enable
_shownvram_ lan_domain
_shownvram_ lan_hostname
_shownvram_ http_lanport
_shownvram_ https_lanport
}

If you don't want to share the info in a public forum, you could send it via DM.
 
I changed the default settings & did f/w option check now (option 1).

I wasn't sure what HSTS notification is at the top but other than that....all running smoothly!

Just wanted to report the recent firmware updated without any issues.

Thanks for the great work on this!

BTW We addressed the issue in PR 150: https://github.com/ExtremeFiretop/MerlinAutoUpdate-Router/pull/150
Again it's not really an issue, everything in your screenshot looked perfect, but we can see the concern from the HSTS warning and addressed it in this PR.
 
@JimbobJay

For diagnostics purposes, can I ask you to send the results of the following commands (including enclosing curly bracket):


If you don't want to share the info in a public forum, you could send it via DM.
Sent via DM. As I understand it, when using LetsEncrypt, the SSL cert will have that hostname in its cert, and not the lan_hostname output. This won't matter if HTTP is enabled for the web-server, but if HTTPS Only mode is on, as it was for me, then curl will not accept the web-server's SSL cert as it does not match what it is expecting (the lan_hostname)
 
I can confirm I can re-create the issue on the fly by setting the local access config to HTTPS only as I suspected.
The command outputs were very valuable, thank you again.

We will provide an update to try and address this configuration
 
Just to close the loop, I've identified the issue and submitted PR 151 for this issue: https://github.com/ExtremeFiretop/MerlinAutoUpdate-Router/pull/151

Next release will work even if you set the LAN access to HTTPS only. :)

Thanks for testing and reporting!
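
An added example, not part of the thread and not MerlinAU's code or the change made in PR 151: the hostname check behind the curl (60) error reported above, and one way to log in over HTTPS with verification still on, by requesting the name the certificate covers and pinning it to the LAN address with curl's `--resolve`. The hostnames, IP address and SAN list are constructed, and the DDNS name is assumed to come from the router's own configuration rather than from whatever certificate the server presents.

```shell
#!/bin/sh
# Added example, not MerlinAU code. Hostnames, IP and SAN lists are constructed.

# host_matches_san HOST SAN...
# Return 0 when HOST matches one of the certificate's dNSName entries.
host_matches_san() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    for san in "$@"; do
        san=$(printf '%s' "$san" | tr 'A-Z' 'a-z')
        case "$san" in
            \*.*)
                # A wildcard stands in for exactly one left-most label.
                rest=${host#*.}
                if [ "$rest" != "$host" ] && [ "*.$rest" = "$san" ]; then
                    return 0
                fi ;;
            *)
                if [ "$host" = "$san" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# https_login_args LAN_NAME DDNS_NAME LAN_IP HTTPS_PORT SAN...
# Print curl arguments that reach the router under a name the certificate
# covers. Fails when neither configured name is covered, instead of
# falling back to an unverified connection.
https_login_args() {
    lan_name=$1; ddns_name=$2; lan_ip=$3; port=$4; shift 4
    if host_matches_san "$lan_name" "$@"; then
        printf 'https://%s:%s/\n' "$lan_name" "$port"
    elif host_matches_san "$ddns_name" "$@"; then
        # Ask for the certificate's name, but connect to the LAN address.
        printf '%s %s:%s:%s https://%s:%s/\n' --resolve \
            "$ddns_name" "$port" "$lan_ip" "$ddns_name" "$port"
    else
        echo "no configured name is covered by the certificate" >&2
        return 1
    fi
}

# Constructed case: LAN name requested, certificate issued for the DDNS name.
https_login_args 'RT-AX86U_Pro-0000.home-lan' 'router.example.net' \
    192.168.50.1 8443 'router.example.net'
```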
 
Can I ask you for something?
When inserting the admin password, the app should test it - because on most ssh terminals we can't see either the password or the characters we're typing, and I only know if I inserted it correctly whenever a new firmware is found 😁
 
I like the idea, you would like a test-login to the router as soon as we enter the password, correct?
That way the script can give you a pass/fail if the entered password worked?

Will look into this as a feature.

OK, you can add AX86U Pro to your successful list. I started a manual update but it worked. BACKUPMON saved files to my NAS. Really cool!

Thank you @bbunge Will do :) ! Happy to see everyone is having good positive results with this tool.
 