#424 ipkg update error / claims sourceforge cert expired ?!

[C3rebro]

Hey,

i've got problems with ipkg update:

ipkg update
Downloading https://downloads.sourceforge.net/project/alt-f/pkgs/stable/Packages
Downloading https://downloads.sourceforge.net/project/alt-f/pkgs/unstable/Packages
An error ocurred, return value: 2.
Collected errors:
ipkg_download: ERROR: Command failed with return value 5: `wget --passive-ftp    -q -P /tmp/ipkg-HknFuV https://downloads.sourceforge.net/project/alt-f/pkgs/stable/Packages'
ipkg_download: ERROR: Command failed with return value 5: `wget --passive-ftp    -q -P /tmp/ipkg-HknFuV https://downloads.sourceforge.net/project/alt-f/pkgs/unstable/Packages'

When i try to:
`wget --passive-ftp -P /tmp/ipkg-HknFuV https://downloads.sourceforge.net/project/alt-f/pkgs/stable/Packages``

I do receive this:

--2021-10-07 08:48:55--  https://downloads.sourceforge.net/project/alt-f/pkgs/stable/Packages
Resolving downloads.sourceforge.net... 204.68.111.105
Connecting to downloads.sourceforge.net|204.68.111.105|:443... connected.
ERROR: cannot verify downloads.sourceforge.net's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
  Issued certificate has expired.
To connect to downloads.sourceforge.net insecurely, use `--no-check-certificate'.

i however could do this

wget --passive-ftp -P /tmp/ipkg-ssrogD https://downloads.sourceforge.net/project/alt-f/pkgs/stable/Packages --no-check-certificate
--2021-10-07 08:51:39--  https://downloads.sourceforge.net/project/alt-f/pkgs/stable/Packages
Resolving downloads.sourceforge.net... 204.68.111.105
Connecting to downloads.sourceforge.net|204.68.111.105|:443... connected.
WARNING: cannot verify downloads.sourceforge.net's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
  Issued certificate has expired.
HTTP request sent, awaiting response... 302 Found
Location: https://deac-riga.dl.sourceforge.net/project/alt-f/pkgs/stable/Packages [following]
--2021-10-07 08:51:40--  https://deac-riga.dl.sourceforge.net/project/alt-f/pkgs/stable/Packages
Resolving deac-riga.dl.sourceforge.net... 89.111.52.100
Connecting to deac-riga.dl.sourceforge.net|89.111.52.100|:443... connected.
WARNING: cannot verify deac-riga.dl.sourceforge.net's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
  Issued certificate has expired.
HTTP request sent, awaiting response... 200 OK
Length: 281 [application/octet-stream]
Saving to: '/tmp/ipkg-ssrogD/Packages.1'

Packages.1                                                  100%[========================================================================================================================================>]     281  --.-KB/s    in 0s

2021-10-07 08:51:40 (5.86 MB/s) - '/tmp/ipkg-ssrogD/Packages.1' saved [281/281]

is this an error on my side or a bug?

[C3rebro]

According to this:

Wget trouble after chain change

This issue could be created by letsencrypt's change in certificate chain. so the ca in alt-f's /etc/ssl/ca-bundle.crt isn't valid anymore.

could some1 help me out how to fix this?

[C3rebro]

SOLVED:

One has to update /etc/ssl/ca-bundle.crt by this:

ca-bundle.crt from GitHub

ipkg update is working again

[João Cardoso]

After updating the openssl package to 1.1.k, a cronjob (/usr/bin/update_ca.sh) runs once every week updating the ca bundle from https://curl.haxx.se/ca. Have you already updated?

[Rafael]

Same issue here, after reinstall from scratch Alt-F firmware on DNS-320L.

How I can manually install openssl 1.1? I cannot update the old openssl 1.0.2l (version default on Alt-F) because ipkg dont work anymore.

[João Cardoso]

Good point. You have to download to a PC and install manually in the box.

1-Download to a PC from sourceforge->Files->pkgs->unstable, openssl-1.1.1k_arm.ipk
https://sourceforge.net/projects/alt-f/files/pkgs/unstable/openssl_1.1.1k_arm.ipk/download

2-Upload the pkg to the box using File Explorer, using a existing share, say to the public RW share

3-Login the box and execute the command

ipkg install /Public/RW/openssl-1.1.1k_arm.ipk # or whatever the share folder path is

4-if the above succeeds, a cronjob will be added and will run once a week, at random hours and days, executing the /usr/bin/update_ca.sh script. To execute it now just type

update_ca.sh

If it succeeds, the /etc/ssl/ca-bundle.crt will be updated (you can see its date using the command

ls -l /etc/ssl/ca-bundle.crt

Now wget should not complain about certificates and ipkg should works. Notice that previous failed ipkg attempts might be retried, so don't issue 'ipkg update' before the above.

Worked? Please let me know, so I can post it in the forum.

PS: the update_ca.sh script uses wget itself, but if the download site certificate is still valid you should have no issues downloading ca-bundle.crt. Otherwise you have to download the cacert.pem file from https://curl.se/ca/cacert.pem yourself and save it on the box with the name ca-bundle.crt at the /etc/ssl/ directory.

[João Cardoso]

I tested, and the curl.se certificate has also changed! You can use, right at the box, the command

wget --no-check-certificate https://curl.se/ca/cacert.pem -O /etc/ssl/ca-bundle.crt

which downloads and saves the certificate bundle. That is the only action needed, ipkg should work now, disregard the previous comment.

However, certificates have validity dates, verify that the box date and time is correct.
If the command date does not returns the correct date, update it using the command
ntpd -s -p pool.ntp.org

[Dave Albert]

Many thanks this is all that I needed for ipkg to work.

Note for others finding this: the certificate problem exists on a clean install of the 1.0 software. To fix it, log in as root via ssh and run the command João posted above to install an updated certificate chain. After that, package management worked fine for me.

[Roberto Ribes]

This command needs to be added to Wiki or to the firmware, or non advanced users can't install the packages.

[Rafael]

Thanks João!!

Before do this, I needed install ipkg.

I downloaded ipkg from https://sourceforge.net/projects/alt-f/files/pkgs/stable/ipkg_0.99.163-2_arm.ipk and saved at /tmp.

I used the Alt-F GUI (http://NASIP/cgi-bin/packages_ipkg.cgi) to install ipkg at the first time.

Fixed this issue (https://sourceforge.net/p/alt-f/tickets/421/) replacing manually ipkg-cl file.

Trying to install openssl...
ipkg install /tmp/openssl_1.1.1k_arm.ipk
Upgrading openssl on /Alt-F from 1.0.2l to 1.1.1k...
Nothing to be done
An error ocurred, return value: 1.
Collected errors:
ERROR: Cannot satisfy the following dependencies for openssl:
ipkg

Reinstalling ipkg
ipkg install /tmp/ipkg_0.99.163-2_arm.ipk
Installing ipkg (0.99.163-2) to /Alt-F...
Configuring ipkg
Successfully terminated.

Fixed this issue again (https://sourceforge.net/p/alt-f/tickets/421/) replacing manually ipkg-cl file.

Finally, openssl_1.1.1k was installed.
[root@NAS]# ipkg install openssl_1.1.1k_arm.ipk
Installing openssl (1.1.1k) to /Alt-F...
Configuring openssl
Successfully terminated.

After this command: wget --no-check-certificate https://curl.se/ca/cacert.pem -O /etc/ssl/ca-bundle.crt

ipkg update worked!!

ipkg update
Downloading https://downloads.sourceforge.net/project/alt-f/pkgs/stable/Packages
Updated list of available packages in /usr/lib/ipkg/lists/feed_1
Downloading https://downloads.sourceforge.net/project/alt-f/pkgs/unstable/Packages
Updated list of available packages in /usr/lib/ipkg/lists/feed_2
Successfully terminated.

Probably is possible simplify this steps, but my knowledge is limited.

[Tom Schmidt]

João,
Since this affects all new installs of 1.0, can you build a 1.0.1 release that includes the updated certs and the update_ca.sh script? Maybe the update_ca.sh script can be added and called as part of the initial setup configuration script right after configuring NTP. Other crucial fixes could also be included.

Thanks...Tom