We’re working on moving away from StartCom and this is a misconfiguration that resulted from it. It’s already fixed, but the CRL is cached for ~4 hours on the router. The problem should go away on its own.
Same problem here.
Is the issue only on the router’s side or is really something wrong with the repos certificates? Can we somehow force to expire the CRL cache?
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Collected errors:
* opkg_download: Failed to download https://repo.turris.cz/turris/packages//base/Packages.gz, curl returned 60.
* opkg_download: Failed to download https://repo.turris.cz/turris/packages//lucics/Packages.gz, curl returned 60.
* opkg_download: Failed to download https://repo.turris.cz/turris/packages//management/Packages.gz, curl returned 60.
* opkg_download: Failed to download https://repo.turris.cz/turris/packages//packages/Packages.gz, curl returned 60.
* opkg_download: Failed to download https://repo.turris.cz/turris/packages//printing/Packages.gz, curl returned 60.
* opkg_download: Failed to download https://repo.turris.cz/turris/packages//routing/Packages.gz, curl returned 60.
* opkg_download: Failed to download https://repo.turris.cz/turris/packages//telephony/Packages.gz, curl returned 60.
* opkg_download: Failed to download https://repo.turris.cz/turris/packages//turrispackages/Packages.gz, curl returned 60.
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or --insecure) option.
Updater problems here as well.
Are there any solutions for this issue?
##### Error notifications #####
Updater failed:
unreachable: https://api.turris.cz/updater-defs/3.5.2/omnia/base.lua: curl: (60) SSL certificate problem: CRL has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
I removed the cached CRL and I got the "##### Error notifications ##### Updater failed: … " today again.
Any idea how to solve this problem permanently?
Taky mi to hlasi od vcerejska chybu certifikatu.
opkg_download: Failed to download https://api.turris.cz/openwrt-repo/turris/packages//base/Packages.gz, curl returned 60.
Vubec je to nejaky divny, minulej tejden mi certifikaty nefungovaly, o vikendu se to zahadne opravilo, v utery zase nefunkcni.
Veskere dostupne navody na opravu vyzkouseny-bez uspechu.
Dotaz, jakou verzi OS máte? Je to stable, nightly, master nebo rc? Ta řešení, která tu jsou předkládána jsou zřejmě “jen pro stable verzi”, když se nemění i další balíky podle toho návodu pro nastavení branches (konkrétně část OPKG) - tam je podle mě problém v mém případě. Jinak si nedokážu odůvodnit, že to někomu jde a někomu ne.