I have a Turris Omnia model PTROM01-2G with “TurrisOS 4.0.1 80076f9 / LuCI branch (git-19.281.84184-0b4eebd)”.
Didn’t flash anything, just used the firmware as it came out of the box.
I configured it without issue (DHCP static leases, lots of Firewall rules, static routes for VPN, DynDNS, etc) mirroring my last OpenWRT router config. I left upgrading and installing additional packages as the last part, now having WAN connection, believing that Turris update just works out of the box (the reason I bought an Omnia, besides the powerful hardware). Alas, there are SSL certificate issues with both upgrade and opkg update.
Updater (both interface and “pkgupdate”) gives:
Updater failed:
runtime: [string "requests"]:395: [string "utils"]:427: URI download failed: SSL certificate problem: certificate has expired
“opkg update” gives this:
Downloading https://repo.turris.cz/hbs/omnia/packages/core/Packages.gz
*** Failed to download the package list from https://repo.turris.cz/hbs/omnia/packages/core/Packages.gz
Downloading https://repo.turris.cz/hbs/omnia/packages/base/Packages.gz
*** Failed to download the package list from https://repo.turris.cz/hbs/omnia/packages/base/Packages.gz
Downloading https://repo.turris.cz/hbs/omnia/packages/cesnet/Packages.gz
*** Failed to download the package list from https://repo.turris.cz/hbs/omnia/packages/cesnet/Packages.gz
Downloading https://repo.turris.cz/hbs/omnia/packages/luci/Packages.gz
*** Failed to download the package list from https://repo.turris.cz/hbs/omnia/packages/luci/Packages.gz
Downloading https://repo.turris.cz/hbs/omnia/packages/luci_theme_rosy/Packages.gz
*** Failed to download the package list from https://repo.turris.cz/hbs/omnia/packages/luci_theme_rosy/Packages.gz
Downloading https://repo.turris.cz/hbs/omnia/packages/openwisp/Packages.gz
*** Failed to download the package list from https://repo.turris.cz/hbs/omnia/packages/openwisp/Packages.gz
Downloading https://repo.turris.cz/hbs/omnia/packages/packages/Packages.gz
*** Failed to download the package list from https://repo.turris.cz/hbs/omnia/packages/packages/Packages.gz
Downloading https://repo.turris.cz/hbs/omnia/packages/routing/Packages.gz
*** Failed to download the package list from https://repo.turris.cz/hbs/omnia/packages/routing/Packages.gz
Downloading https://repo.turris.cz/hbs/omnia/packages/sidn/Packages.gz
*** Failed to download the package list from https://repo.turris.cz/hbs/omnia/packages/sidn/Packages.gz
Downloading https://repo.turris.cz/hbs/omnia/packages/telephony/Packages.gz
*** Failed to download the package list from https://repo.turris.cz/hbs/omnia/packages/telephony/Packages.gz
Downloading https://repo.turris.cz/hbs/omnia/packages/turrispackages/Packages.gz
*** Failed to download the package list from https://repo.turris.cz/hbs/omnia/packages/turrispackages/Packages.gz
Collected errors:
* opkg_download: Failed to download https://repo.turris.cz/hbs/omnia/packages/core/Packages.gz, wget returned 5.
* opkg_download: Failed to download https://repo.turris.cz/hbs/omnia/packages/base/Packages.gz, wget returned 5.
* opkg_download: Failed to download https://repo.turris.cz/hbs/omnia/packages/cesnet/Packages.gz, wget returned 5.
* opkg_download: Failed to download https://repo.turris.cz/hbs/omnia/packages/luci/Packages.gz, wget returned 5.
* opkg_download: Failed to download https://repo.turris.cz/hbs/omnia/packages/luci_theme_rosy/Packages.gz, wget returned 5.
* opkg_download: Failed to download https://repo.turris.cz/hbs/omnia/packages/openwisp/Packages.gz, wget returned 5.
* opkg_download: Failed to download https://repo.turris.cz/hbs/omnia/packages/packages/Packages.gz, wget returned 5.
* opkg_download: Failed to download https://repo.turris.cz/hbs/omnia/packages/routing/Packages.gz, wget returned 5.
* opkg_download: Failed to download https://repo.turris.cz/hbs/omnia/packages/sidn/Packages.gz, wget returned 5.
* opkg_download: Failed to download https://repo.turris.cz/hbs/omnia/packages/telephony/Packages.gz, wget returned 5.
* opkg_download: Failed to download https://repo.turris.cz/hbs/omnia/packages/turrispackages/Packages.gz, wget returned 5.
wget code 5 means “SSL verification failure”.
Distribution feeds list is this:
src/gz turrisos_core https://repo.turris.cz/hbs/omnia/packages/core
src/gz turrisos_base https://repo.turris.cz/hbs/omnia/packages/base
src/gz turrisos_cesnet https://repo.turris.cz/hbs/omnia/packages/cesnet
src/gz turrisos_luci https://repo.turris.cz/hbs/omnia/packages/luci
src/gz turrisos_luci_theme_rosy https://repo.turris.cz/hbs/omnia/packages/luci_theme_rosy
src/gz turrisos_openwisp https://repo.turris.cz/hbs/omnia/packages/openwisp
src/gz turrisos_packages https://repo.turris.cz/hbs/omnia/packages/packages
src/gz turrisos_routing https://repo.turris.cz/hbs/omnia/packages/routing
src/gz turrisos_sidn https://repo.turris.cz/hbs/omnia/packages/sidn
src/gz turrisos_telephony https://repo.turris.cz/hbs/omnia/packages/telephony
src/gz turrisos_turrispackages https://repo.turris.cz/hbs/omnia/packages/turrispackages
First odd thing is that “luci_theme_rosy” and “openwisp” folders don’t exist in HBS. (side note: Rosy doesn’t show up in the interface either, only option is Bootstrap).
So, HBS doesn’t seem to match my OS version, doesn’t seem to match 4.x either. Is it 5.x? I found the latest 4.x in archives and it does contain luci_theme_rosy and openwisp here: Index of /archive/4.0.6/omnia/packages/. Maybe this problem is because the router shipped with HBS at the time, but it was months ago when I acquired it, and I hadn’t had the time to configure it and replace the old router, and now it’s a bit late to upgrade.
Anyway, that’s not the main problem. It’s the SSL certificate issue.
What I’ve tried/checked so far based on forum posts:
- Time/date is synced via browser, so no issue of time discrepancies. Tried to set the time a little in the past, both through system’s “date” and “hwclock -w” to sync hardware clock to system.
- openssl s_client -servername repo.turris.cz -connect repo.turris.cz:443 | openssl x509 -noout -dates
outputs:
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
notBefore=Oct 1 21:17:09 2021 GMT
notAfter=Dec 30 21:17:08 2021 GMT
So I think the main cert is ok, but sees the CA as expired?
- wget --no-check-certificate https://repo.turris.cz/hbs/omnia/packages/base/ca-bundle_20200601-1_all.ipk
opkg install ca-bundle_20200601-1_all.ipk
wget --no-check-certificate https://repo.turris.cz/hbs/omnia/packages/base/ca-certificates_20200601-1_all.ipk
opkg install ca-certificates_20200601-1_all.ipk
There is no “update-ca-certificates” command, as I’ve seen on some posts. Tried
opkg upgrade ca-bundle
opkg upgrade ca-certificates
but still nothing.
LATER EDIT:
cat /etc/ssl/certs/DST_Root_CA_X3.crt | openssl x509 -noout -enddate
notAfter=Sep 30 14:01:15 2021 GMT
So this is definitely the culprit. Installing the certificate packages wasn’t enough, as I suspected. What should I run to update CAs?
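The LATER EDIT above checks one file by hand. As an added example (not part of the original post), the same check is generalized here to every certificate in a trust-store directory, so that every expired CA shows up, not just DST Root CA X3. The function name `expiring_certs` and the `*.crt`/`*.pem` naming are assumptions; the `/etc/ssl/certs` path is the one used in the post.

```shell
#!/bin/sh
# Added example: list certificates in a directory that are already expired
# (horizon 0) or will expire within the given number of seconds.
#
# expiring_certs DIR [SECONDS]
# Prints "<file><TAB><notAfter>" for each certificate that fails the check.
# Caveat: a file holding several certificates (a CA bundle) is only checked
# for its first certificate, because `openssl x509` reads just one.
expiring_certs() {
    dir=$1
    horizon=${2:-0}
    for f in "$dir"/*.crt "$dir"/*.pem; do
        # Skip unmatched globs and dangling symlinks
        [ -f "$f" ] || continue
        # -checkend N exits non-zero when the cert expires within N seconds
        if ! openssl x509 -in "$f" -noout -checkend "$horizon" >/dev/null 2>&1; then
            # Files that are not parseable certificates are silently skipped
            end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null) || continue
            printf '%s\t%s\n' "$f" "${end#notAfter=}"
        fi
    done
}

# Run as: sh script.sh /etc/ssl/certs        (already expired)
#         sh script.sh /etc/ssl/certs 2592000 (expiring within 30 days)
if [ "$#" -gt 0 ]; then
    expiring_certs "$@"
fi
```

An empty result for `/etc/ssl/certs` would mean the expired root is being picked up from somewhere else, such as a bundle file, which this per-file check does not inspect past its first entry.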