Errors in api.turris.cz's CRL

Today updater.sh threw an error, related to api.turris.cz’s certificate.

unreachable: https://api.turris.cz/updater-defs/3.5.1/omnia/base.lua: curl: (60) SSL certificate problem: CRL has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

I checked the certificate from two other machines but it looks OK at first glance.

OTOH, I would advise moving away from StartCom-issued certificates ASAP, given the fact that they’re getting out of trust stores.

4 Likes

We’re working on moving away from StartCom and this is a misconfiguration that resulted from it. It’s already fixed, but the CRL is cached for ~4 hours on the router. The problem should go away on its own.

3 Likes

I also have a problem with certificates; see the log record from my System Log:

2017-01-25T10:45:30+01:00 err nikola: (v41) socket: [SSL: CERTIFICATE_VERIFY_FAILED] unknown error (_ssl.c:590)

Nope. Problem not solved.

Turris is not updated yet. How do I trigger a manual update?

It still doesn’t work. I have Turris OS version 3.2. Could I install the new OS manually?

Thanks

Same problem here.
Is the issue only on the router’s side, or is something really wrong with the repo’s certificates? Can we somehow force the CRL cache to expire?

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
Collected errors:
 * opkg_download: Failed to download https://repo.turris.cz/turris/packages//base/Packages.gz, curl returned 60.
 * opkg_download: Failed to download https://repo.turris.cz/turris/packages//lucics/Packages.gz, curl returned 60.
 * opkg_download: Failed to download https://repo.turris.cz/turris/packages//management/Packages.gz, curl returned 60.
 * opkg_download: Failed to download https://repo.turris.cz/turris/packages//packages/Packages.gz, curl returned 60.
 * opkg_download: Failed to download https://repo.turris.cz/turris/packages//printing/Packages.gz, curl returned 60.
 * opkg_download: Failed to download https://repo.turris.cz/turris/packages//routing/Packages.gz, curl returned 60.
 * opkg_download: Failed to download https://repo.turris.cz/turris/packages//telephony/Packages.gz, curl returned 60.
 * opkg_download: Failed to download https://repo.turris.cz/turris/packages//turrispackages/Packages.gz, curl returned 60.

Error notifications

Updater failed:
unreachable: https://api.turris.cz/updater-defs/3.5.2/omnia/base.lua: curl: (60) SSL certificate problem: CRL has expired
More details here: https://curl.haxx.se/docs/sslcerts.html


Updater problems here as well.
Are there any solutions for this issue?

##### Error notifications #####
Updater failed:
unreachable: https://api.turris.cz/updater-defs/3.5.2/omnia/base.lua: curl: (60) SSL certificate problem: CRL has expired
More details here: https://curl.haxx.se/docs/sslcerts.html


The problem is in the webserver configuration of api.turris.cz, which apparently bounces back and forth between a valid and an invalid certificate.

Until it is fixed by the Omnia people, it’s going to keep on failing.

To remove the cached CRL, move away /tmp/crl.pem and restart updater.sh: it should download the right one.
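
Before moving the cached file away, it can help to confirm that it really is past its nextUpdate time, which is what curl's "CRL has expired" means. The script below is an added example, not code from this thread or from the Turris project; it assumes the `openssl` command-line tool is available on the router and that `/tmp/crl.pem` (the path given above) is a PEM-encoded CRL, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): is a cached CRL past its nextUpdate?
# Function names are hypothetical; /tmp/crl.pem is the path named above.

# Convert an OpenSSL time ("Jan 25 09:45:30 2017 GMT") to epoch seconds.
# Pure awk, so it does not rely on GNU date's free-form -d parsing.
openssl_time_to_epoch() {
    echo "$1" | awk '{
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        m = 0
        for (i = 1; i <= 12; i++) if (names[i] == $1) m = i
        if (!m) exit 1                      # not an OpenSSL-style date
        split($3, t, ":"); d = $2 + 0; y = $4 + 0
        if (m <= 2) { y--; m += 12 }        # count the year from 1 March
        days = 365*y + int(y/4) - int(y/100) + int(y/400)
        days += int((153*(m-3) + 2)/5) + d - 719469
        printf "%.0f\n", days*86400 + t[1]*3600 + t[2]*60 + t[3]
    }'
}

# Print "expired" or "valid" for a line as printed by
#   openssl crl -in FILE -noout -nextupdate
# $2 is the current time in epoch seconds (defaults to now).
crl_status() {
    next=${1#nextUpdate=}
    now=${2:-$(date +%s)}
    epoch=$(openssl_time_to_epoch "$next") || return 2
    if [ "$now" -gt "$epoch" ]; then echo expired; else echo valid; fi
}

# Check a CRL file on disk; returns 2 if it cannot be read or parsed.
check_cached_crl() {
    line=$(openssl crl -in "${1:-/tmp/crl.pem}" -noout -nextupdate) || return 2
    crl_status "$line"
}

# Run against the cached CRL when it exists.
if [ -f /tmp/crl.pem ]; then
    check_cached_crl /tmp/crl.pem || echo "could not read CRL"
fi
```

If this prints "expired" again right after a fresh download, the server is still handing out a stale CRL and clearing the cache on the router will not help.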

I removed the cached CRL and I got the "##### Error notifications ##### Updater failed: … " today again.
Any idea how to solve this problem permanently?

Try this from CLI:
wget http://repo.turris.cz/turris/packages/base/ca-certificates_20150426_mpc85xx.ipk

opkg install ca-certificates_20150426_mpc85xx.ipk

1 Like

None of these helped me. I had the master branch, so I migrated to nightly, and nothing happens. Any advice?

And do you have Turris v1.x or Omnia?

Turris v1.x:
wget http://repo.turris.cz/turris/packages/base/ca-certificates_20150426_mpc85xx.ipk

opkg install ca-certificates_20150426_mpc85xx.ipk

Omnia:
wget http://repo.turris.cz/omnia/packages/base/ca-certificates_20150426_mvebu.ipk

opkg install ca-certificates_20150426_mvebu.ipk

Sorry, I have Omnia and it still doesn’t work.

It has been reporting a certificate error for me too since yesterday.
opkg_download: Failed to download https://api.turris.cz/openwrt-repo/turris/packages//base/Packages.gz, curl returned 60.
The whole thing is rather strange: last week the certificates didn't work for me, over the weekend it mysteriously fixed itself, and on Tuesday it was broken again.
I have tried all the available fix guides, without success.

1 Like

A question: which OS version do you have? Is it stable, nightly, master or rc? The solutions presented here are apparently “only for the stable version”, as long as the other packages are not also changed according to the guide for setting up branches (specifically the OPKG part) - that, I think, is the problem in my case. Otherwise I can't explain why it works for some people and not for others.

Probably stable:

Device Turris - RTRS02
Serial number 38654716782
Turris OS version 3.5.2
Kernel version 3.18.45-ac146b921f33516ce7617ef2914516ce-4

I pull packages from:
src/gz turris_base https://api.turris.cz/openwrt-repo/turris/packages//base

Commands were accepted. Thank you. I will check the update status over the next days.

Since update 3.5.2, packages should be downloaded via repo.turris.cz.