Turris Omnia 3.11.23 updates broken (claiming server certificates are self signed)

I have a Turris Omnia still running 3.11.23 due to a complex VLAN switch setup that I’ve not wanted to break and have downtime on while figuring out the new way of doing such things.

I’ve just noticed a lot of notifications about the updater failing due to not recognising the server certificates:

# pkgupdate
line not found
line not found
line not found
ERROR:
unreachable: https://repo.turris.cz/omnia/lists/base.lua: SSL certificate problem: self signed certificate

This is confirmed by:

# curl https://repo.turris.cz/omnia/lists/base.lua
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I’ve not missed any updates. Is there a new CA bundle that is required?

# opkg list-installed | grep ca-
ca-bundle - 20190110-1
ca-certificates - 20190110-1

# opkg list-installed | grep updater
updater-ng - 61.1.5.4-3.6-1
updater-ng-localrepo - 61.1.5.4-3.6-1
updater-ng-opkg - 61.1.5.4-3.6-1
updater-ng-supervisor - 61.1.5.4-3.6-1

3.11.23 is the up-to-date 3.x. I have one such Omnia:

# curl https://repo.turris.cz/omnia/lists/base.lua
# -> success

# opkg list-installed | grep ca-
ca-bundle - 20190110-1
ca-certificates - 20190110-1

Thanks for checking that.

Strangely, it’s working for me too now. I wonder if there is some load balancing playing up somewhere?

I’ll keep an eye on it.


I’ve had this same behaviour since at least last week, and I see the certificate on repo.turris.cz has changed on 2 Aug 2021. But still, it is not self-signed and it is valid. However, my Turris OS version 3.11.23, after my reboot ten minutes ago, still says
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.se/docs/sslcerts.html

I don’t mind too much because there are no updates since everyone is working on OS5, but I want to be sure nothing stands in the way for an update to V5 in the future. Right now, if I would enable the “Migration to Turris OS 5.x (HIGHLY EXPERIMENTAL)” option in Foris, it wouldn’t work.

That’s curious. I just checked and mine can still retrieve the file OK today.

However, I have noticed on the Omnia (verified still to be the case now):

# echo | openssl s_client -showcerts -connect repo.turris.cz:443

CONNECTED(00000003)
depth=0 CN = repo
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = repo
verify return:1
---
Certificate chain
 0 s:/CN=repo
   i:/CN=repo

[snip]

Whereas on an up to date Debian Linux lxc container on the Omnia:

# echo | openssl s_client -showcerts -connect repo.turris.cz:443

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = repo.turris.cz
verify return:1
---
Certificate chain
 0 s:CN = repo.turris.cz
   i:C = US, O = Let's Encrypt, CN = R3

[snip]

So my thought yesterday was that we were missing the Let’s Encrypt root CA or something, but then it started working in curl despite that openssl command still printing stuff about self signing.

So I have no idea!


Wait, what? My Omnia returns a certificate for proxy!
root@turris:~# echo | openssl s_client -showcerts -connect repo.turris.cz:443
CONNECTED(00000003)
depth=0 CN = proxy
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = proxy
verify return:1

Certificate chain
 0 s:/CN=proxy
   i:/CN=proxy
[snip]

nslookup repo.turris.cz returns 217.31.192.84 but no reverse record.
nslookup proxy.turris.cz returns 217.31.192.69 and a matching reverse record.
This is when I use my ISP’s DNS, but also if I ask 8.8.8.8 or 1.0.0.1.

And I found the culprit:

root@turris:/etc# cat hosts
217.31.192.69 repo.turris.cz
127.0.0.1 localhost

Don’t know why it’s there but probably because of an earlier problem. I deleted the first line and my problem is instantly solved, a clear case of PEBKAC.

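As an added example (not code from the thread or from the Turris project), here is a small POSIX shell script that automates the diagnosis the thread arrives at: before suspecting the CA bundle, check whether /etc/hosts pins the repository name to a different address than DNS returns, and whether the leaf certificate presented by the server was actually issued for that name. The function names are my own; the hosts content, the DNS answer (217.31.192.84, as reported above) and the `openssl s_client` output used in the demo are constructed from what the posts show.

```shell
#!/bin/sh
# Added example, not from the thread or the Turris project: separate
# "I am talking to the wrong endpoint" from "my CA bundle is stale"
# when curl/pkgupdate reports "self signed certificate".
# Function names are my own; the data in the demo is constructed.

# hosts_override FILE NAME
# Print the address FILE (e.g. /etc/hosts) maps NAME to; comments are
# ignored and only the first match is printed. Prints nothing if absent.
hosts_override() {
    awk -v n="$2" '
        { sub(/#.*/, "") }
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }
    ' "$1"
}

# cert_subject_cn FILE
# Extract the depth-0 (leaf) subject CN from saved `openssl s_client`
# output. Works for both "depth=0 CN = proxy" and
# "depth=0 C = US, O = ..., CN = repo.turris.cz".
cert_subject_cn() {
    sed -n '/^depth=0 /{s|.*CN *= *\([^,/]*\).*|\1|p;q;}' "$1"
}

# diagnose HOSTS_FILE NAME DNS_ADDR SCLIENT_FILE
# DNS_ADDR is what the resolver returns for NAME (passed in so the check
# runs offline; on the router: nslookup NAME). Prints one verdict:
#   hosts-override:<addr>  NAME is pinned in HOSTS_FILE to another address
#   cn-mismatch:<cn>       the leaf certificate was not issued for NAME
#   ok                     endpoint and certificate name are consistent
diagnose() {
    pinned=$(hosts_override "$1" "$2")
    if [ -n "$pinned" ] && [ "$pinned" != "$3" ]; then
        printf 'hosts-override:%s\n' "$pinned"
        return 1
    fi
    cn=$(cert_subject_cn "$4")
    if [ "$cn" != "$2" ]; then
        printf 'cn-mismatch:%s\n' "$cn"
        return 2
    fi
    printf 'ok\n'
}

# Demo on constructed data mirroring the thread: /etc/hosts pins
# repo.turris.cz to 217.31.192.69 while DNS says 217.31.192.84, and
# s_client shows a leaf certificate with CN=proxy.
demo_dir=$(mktemp -d)
printf '217.31.192.69 repo.turris.cz\n127.0.0.1 localhost\n' > "$demo_dir/hosts"
printf 'CONNECTED(00000003)\ndepth=0 CN = proxy\nverify error:num=18:self signed certificate\n' \
    > "$demo_dir/sclient.txt"
diagnose "$demo_dir/hosts" repo.turris.cz 217.31.192.84 "$demo_dir/sclient.txt" || :
# With the hosts line deleted, the same s_client output is still wrong,
# so the verdict moves from the resolver to the certificate itself:
printf '127.0.0.1 localhost\n' > "$demo_dir/hosts"
diagnose "$demo_dir/hosts" repo.turris.cz 217.31.192.84 "$demo_dir/sclient.txt" || :
rm -rf "$demo_dir"
```

On a router you would feed `diagnose` the real files: `/etc/hosts`, the address from `nslookup repo.turris.cz`, and the output of `echo | openssl s_client -connect repo.turris.cz:443` saved to a file. A `hosts-override` verdict means the host file, not the CA bundle, is steering the connection; a `cn-mismatch` with a clean hosts file means whatever answers on that address is not the repository (as with the `CN=proxy` certificate seen above); only an `ok` alongside a persisting curl error points at the trust store.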