Turris 1.0 SSL problem

Hi,

after a long time I pulled a Turris 1.0 out of the drawer and was surprised that it still works.
However, I tried to update it and that did not work; DNS was not working correctly.
I tried to fix the broken DNS in various ways, but what finally worked was the post: Nefunguje DNS, ale jen na Turrise - #15 by RomanHK - Turris HW problems - Turris forum.

Unfortunately, step 4 could not be carried out, so as a result I have a problem with SSL and cannot move the blue Turris over to "btrfs"…

Is there any simple solution?

When I try "opkg update" it prints

BusyBox v1.25.1 (2017-08-01 17:18:39 CEST) built-in shell (ash)


root@turris:~# opkg update
Downloading https://repo.turris.cz/turris/packages//base/Packages.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: self signed certificate
More details here: curl - SSL CA Certificates

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
*** Failed to download the package list from https://repo.turris.cz/turris/packages//base/Packages.gz

Downloading https://repo.turris.cz/turris/packages//lucics/Packages.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: self signed certificate
*** Failed to download the package list from https://repo.turris.cz/turris/packages//lucics/Packages.gz

Downloading https://repo.turris.cz/turris/packages//management/Packages.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: self signed certificate
*** Failed to download the package list from https://repo.turris.cz/turris/packages//management/Packages.gz

Downloading https://repo.turris.cz/turris/packages//openwisp/Packages.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: self signed certificate
*** Failed to download the package list from https://repo.turris.cz/turris/packages//openwisp/Packages.gz

Downloading https://repo.turris.cz/turris/packages//packages/Packages.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: self signed certificate
*** Failed to download the package list from https://repo.turris.cz/turris/packages//packages/Packages.gz

Downloading https://repo.turris.cz/turris/packages//printing/Packages.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: self signed certificate
*** Failed to download the package list from https://repo.turris.cz/turris/packages//printing/Packages.gz

Downloading https://repo.turris.cz/turris/packages//routing/Packages.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: self signed certificate
*** Failed to download the package list from https://repo.turris.cz/turris/packages//routing/Packages.gz

Downloading https://repo.turris.cz/turris/packages//telephony/Packages.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: self signed certificate
*** Failed to download the package list from https://repo.turris.cz/turris/packages//telephony/Packages.gz

Downloading https://repo.turris.cz/turris/packages//turrispackages/Packages.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: self signed certificate
*** Failed to download the package list from https://repo.turris.cz/turris/packages//turrispackages/Packages.gz

Collected errors:

You have the hint right there: you need new certificates…

They are here: https://repo.turris.cz/turris/packages/base/ca-certificates_20190110-1_mpc85xx.ipk

Thank you for the reply, but unfortunately I have already installed that… :frowning:
I forgot to emphasise this in the opening post…
Based on the procedure I followed, I would say that /etc/ssl/updater.pem should be updated; unfortunately I do not know how or where to get it… :frowning:

I assume you have tried a restart.

Yes, a restart and a factory reset as well…

Hello,

in your case the router was disconnected for a long time and was not updated to Turris OS 3.10.9 (released 18 December 2018), in which we prepared, as part of the update, an update of the version stored in the rescue system, and also made sure the router would not spend a long time updating from a very old version to a new one.

You need to reach into the history of the article in what is now the community documentation and follow it:

https://doc.turris.cz/doc/cs/troubleshooting/sdcard_recovery?rev=1548320612

Then, once you have version 3.6.5, the router should update itself to the latest version, but it is better to check that the router has the correct date and time, together with the RTC battery, and newer DNSSEC keys. If that does not work, you can download the nor-update package from our repository, install it and perform a factory reset. That should give you version 3.8.5.

The last step will be to move to Btrfs and to Turris OS 5.x:

If you get stuck, our colleagues from technical support will be glad to help, or we can also arrange for you to bring the router to us and I will take a look at it. :wink:

I would like to ask for a nudge on how to proceed.

I did the recovery to 3.6.5 following the guide, tried to go through the initial setup, and then it was hell for a while :slight_smile: I managed to get DNS working (by manually editing /etc/resolv.conf over the console, because SSH does not work) and to download the current certs, but after running updater.sh -n I get:

+ curl --compress --cacert /etc/ssl/updater.pem --crlfile /etc/ssl/crl.pem -T - https://api.turris.cz/getlists.cgi -X POST -f
+ uci -q get updater.override.branch
+ [ -z  ]
+ echo 0000000900001608
+ sed -e s/........//
+ SERIAL=00001608
+ echo 00001608
+ mkdir -p /tmp/updater-lists
+ [ base ]
+ [ -f /tmp/updater-lists/base ]
+ HASH=-
+ echo base -
+ shift
+ [ core ]
+ [ -f /tmp/updater-lists/core ]
+ HASH=-
+ echo core -
+ shift
+ [ luci-controls ]
+ [ -f /tmp/updater-lists/luci-controls ]
+ HASH=-
+ echo luci-controls -
+ shift
+ [ nas ]
+ [ -f /tmp/updater-lists/nas ]
+ HASH=-
+ echo nas -
+ shift
+ [ printserver ]
+ [ -f /tmp/updater-lists/printserver ]
+ HASH=-
+ echo printserver -
+ shift
+ [ netutils ]
+ [ -f /tmp/updater-lists/netutils ]
+ HASH=-
+ echo netutils -
+ shift
+ [ definitions ]
+ [ -f /tmp/updater-lists/definitions ]
+ HASH=-
+ echo definitions -
+ shift
+ [  ]
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   106    0     0    0   106      0    825 --:--:-- --:--:-- --:--:--   848
curl: (22) The requested URL returned error: 404 Not Found
+ die Could not download list pack
+ echo error
+ echo Could not download list pack
+ echo Could not download list pack
Could not download list pack
+ echo Could not download list pack
+ my_logger -p daemon.err
+ logger -t updater -p daemon.err
+ kill -SIGABRT 4165
+ rm -rf /tmp/update /tmp/update-state/pid /tmp/update-state/lock /usr/share/updater/packages /usr/share/updater/plan
+ exit 1
+ rm -rf /tmp/update /tmp/update-state/pid /tmp/update-state/lock /usr/share/updater/packages /usr/share/updater/plan
+ exit 1

If I understand correctly, I need to update to version 3.10+ so that I can then do the migration to BTRFS from the SD card.

Hello,

I am very sorry that I did not post here the procedure I worked out with support, so I am adding it now:

  1. Get the internet connection working:

uci set network.wan.proto='dhcp'
uci commit
/etc/init.d/network restart

  2. Verify internet access:

ping 8.8.8.8

if that works, adjust DNS:

echo 'nameserver 8.8.8.8' > /etc/resolv.conf

verify that DNS resolution works:

ping www.nic.cz

  3. Set the router's time:

ntpdate tik.cesnet.cz
hwclock -wu

  4. Next steps:

get-api-crl
pkgupdate --batch

According to my communication with support, the router should update to version "3.11.23"…
However, errors may occur where pkgupdate ends with an error; in that case you need to repeat step 2), specifically the DNS setup, and continue with pkgupdate --batch. After that the update should finish, and then you should restart the router. Once the router comes back up after the restart, you need to verify that the router has the correct version, and then you can continue according to the guide: https://docs.turris.cz/geek/btrfs_turris1x/.

At least that is how I was instructed by support, and everything turned out great…
I hope this helps you.

2 Likes
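
An added example, not part of the thread and not Turris code: a POSIX sh preflight that checks what the procedure above repairs before an update (a plausible clock, a certificate chain that verifies) and maps curl's exit status to the step worth repeating, without ever passing -k. The 2017-08-01 clock floor, the script name and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): checks to run before "pkgupdate --batch".
# Assumption: a clock earlier than the firmware build date shown in the
# BusyBox banner (2017-08-01) is wrong, e.g. after the RTC battery ran flat.
MIN_EPOCH=1501545600    # 2017-08-01 00:00:00 UTC

# clock_ok NOW [MIN]: true only if NOW (epoch seconds) is a number >= MIN.
clock_ok() {
    [ "$1" -ge "${2:-$MIN_EPOCH}" ] 2>/dev/null
}

# explain_curl CODE: map a curl exit status to the step worth repeating.
explain_curl() {
    case "$1" in
        0)  echo "ok: certificate chain verified" ;;
        6)  echo "dns: name not resolved, redo the resolv.conf step" ;;
        22) echo "http: TLS verified, server returned an error status" ;;
        60) echo "trust: chain not verified, check clock then CA bundle" ;;
        77) echo "trust: CA bundle missing or unreadable" ;;
        82) echo "crl: CRL file not loadable, rerun get-api-crl" ;;
        *)  echo "other: curl exit status $1" ;;
    esac
}

# check_tls URL [CAFILE]: verify URL against CAFILE, or against curl's
# default bundle when CAFILE is omitted. Verification is never disabled.
check_tls() {
    if ! clock_ok "$(date +%s)"; then
        echo "clock: set the time first (ntpdate, then hwclock -wu)"
        return 1
    fi
    if [ -n "${2:-}" ]; then
        curl -sS -f -o /dev/null --cacert "$2" "$1"
    else
        curl -sS -f -o /dev/null "$1"
    fi
    rc=$?
    explain_curl "$rc"
    return "$rc"
}

# Runs only when asked (hypothetical script name preflight.sh), e.g.:
#   sh preflight.sh --run https://repo.turris.cz/turris/packages/base/Packages.gz
if [ "${1:-}" = "--run" ]; then
    shift
    check_tls "$@"
fi
```

A result of `http:` means the TLS handshake and certificate check succeeded and only the request failed, which is the situation in the `updater.sh -n` trace earlier in the thread (curl exit 22 with a 404).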

Thanks a lot! Updated to 3.11.23

1 Like