[FS#4059] ca-certificates doesn't include Lets Encrypt CA, preventing package installations through opkg (Attachment added)

Thu Sep 30 07:23:26 PDT 2021

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

A new Flyspray task has been opened.  Details are below. 

User who did this - Richard Tweed (RichardoC) 

Attached to Project - OpenWrt/LEDE Project
Summary - ca-certificates doesn't include Lets Encrypt CA, preventing package installations through opkg
Task Type - Bug Report
Category - Packages
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - High
Priority - Very Low
Reported Version - openwrt-21.02
Due in Version - Undecided
Due Date - Undecided
Details - Summary
ca-certificates doesn't include the new Lets Encrypt CA which prevents opkg update and other opkg actions as wget rejects the certs for https://downloads.openwrt.org

Supply the following if possible:
 - Device problem occurs on
   Zbtlink ZBT-WG3526 (16M)
 - Software versions of OpenWrt/LEDE release, packages, etc.
   OpenWrt 21.02.0 r16279-5cc0535800 / LuCI openwrt-21.02 branch git-21.231.26241-422c175
   ca-certificates	20210119-1
 - Steps to reproduce

root at OpenWrt:~# opkg update 
Downloading https://downloads.openwrt.org/releases/21.02.0/targets/ramips/mt7621/packages/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/targets/ramips/mt7621/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/base/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/base/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/luci/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/luci/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/packages/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/routing/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/routing/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/telephony/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/telephony/Packages.gz

Collected errors:
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.0/targets/ramips/mt7621/packages/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/base/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/luci/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/packages/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/routing/Packages.gz, wget returned 5.
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/telephony/Packages.gz, wget returned 5.

Testing the wget directly

root at OpenWrt:~# wget https://downloads.openwrt.org/releases/21.02.0/packages/mip
sel_24kc/telephony/Packages.gz
Downloading 'https://downloads.openwrt.org/releases/21.02.0/packages/mipsel_24kc/telephony/Packages.gz'
Connecting to 168.119.138.211:443
Connection error: Invalid SSL certificate

Attached is the certificate chain that is problematic for this version of openwrt. My browser (Firefox 92.0.1 (64-bit) on macOS 11.6) has no issues with this CA chain.

Workaround, run the opkg commands directly (not through LuCI) and add the flag --no-check-certificate
Example
opkg update --no-check-certificate&& opkg install ca-certificates --no-check-certificate

One or more files have been attached.

More information can be found at the following URL:
https://bugs.openwrt.org/index.php?do=details&task_id=4059

You are receiving this message because you have requested it from the Flyspray bugtracking system.  If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.