Frustrated as well, created simple script to remove /tmp/crl.pem, recreate it by get-api-crl and forcing updater.sh and set it in cron (option “-q”). No more troubles Case you are interested:
# mend corrupted/missing /tmp/crl.pem file
# causing updater.sh failing
QUIET=NO
for i
do
case $i in
-q) QUIET=YES
;;
esac
done
if [ -f /tmp/crl.pem ]
then rm /tmp/crl.pem
MSG="/tmp/crl.pem removed & recreated"
else MSG="/tmp/crl.pem created"
fi
if [ “$QUIET” == “YES” ]
then get-api-crl 2>/dev/null
echo -e “Subject: /tmp/crl.pem\n\n$MSG” | msmtp root updater.sh 2>/dev/null
else echo "$MSG"
get-api-crl updater.sh
fi
You may want to change mail via msmtp (should be configured!) by /usr/bin/create_notification -s {news|error} $MSG $MSG
(forgive improper formatting, have no patience to play with it in comments
Sorry, @jada4p, but how does it help in case the updater wants to do its stuff right after boot when no Internet connection is available? Or do you add it to cron to repeat every minute so that the router tries to finish the update until it eventually succeeds?
Then I’m probably in a bad set of conditions, because once my router starts update to 3.6.1, IPv4 connectivity gets broken after restartm and needs to run firewall-turris-download.sh to get repaired, but this script contains a call to get-api-crl, which doesn’t work without connection (f***n Vodafone doesn’t have IPv6 on VDSL, so I need IPv4 working).
I even tried to manually download crl.pem, saved it to some persistent path, and then added an init script (priority 15) that just copies it to /tmp/crl.pem, but for some reason the updater was still missing the file (as if the init script didn’t run at all or the updater was run earlier (but it has priority 85)).
Does anybody have an idea how to persuade the system to get the file from a local copy? If I edit get-api-crl and then start the update, this file gets overwritten.
Not every minute, it’d be overkill… I restart TO each day (by cron as well) and run this script couple of minutes later. Thus, if updater fails (it’s started as part of restart), this problem is mended. Anyhow, it’s quite peculiar - sometimes there is error, sometimes not.
I found a different technique, that seems to be a little bit more stable. It’s about storing the crl.pem file to permanent storage and copying it to /tmp after boot.
First of all, call get-api-crl when the system is connected to the internet and fully working.
Then call cp /tmp/crl.pem /etc/ssl/crl
My Turris Omnia ran for 2 months without this problem.
Yesterday evening the first pages did not start to load anymore. Shortly afterwards I got the mail about it.
But what surprised me, it just happened and the crl.pem would be gone.
Even more surprising is the fact that since the DNS forwarding can no longer activate, since then DNS and DNSSEC no longer works.
Have weeks of no changes made.
What is broken again …
Does somebody has any idea?
and set it in cron 
(option “-q”). No more troubles