Symptoms

Several symptoms may be observed with this certificate issue, all related to the validation of Let's Encrypt certificates.

The most common case is a failure to update the OPKG feeds from our download server, but in theory any software that downloads files over SSL from a website with a Let's Encrypt signed certificate is affected. This also applies to our LORIX Remote Upgrade tool, for example.

OPKG error

sudo opkg update
Downloading https://download.wifx.net/lorix-os/1.3.3/feeds/all/Packages.gz.
Downloading https://download.wifx.net/lorix-os/1.3.3/feeds/cortexa5t2hf-neon-vfpv4/Packages.gz.
Downloading https://download.wifx.net/lorix-os/1.3.3/feeds/lorix_one_512/Packages.gz.
Collected errors:
 * opkg_download_backend: Failed to download https://download.wifx.net/lorix-os/1.3.3/feeds/all/Packages.gz, wget returned 5.
 * opkg_download_backend: Failed to download https://download.wifx.net/lorix-os/1.3.3/feeds/cortexa5t2hf-neon-vfpv4/Packages.gz, wget returned 5.
 * opkg_download_backend: Failed to download https://download.wifx.net/lorix-os/1.3.3/feeds/lorix_one_512/Packages.gz, wget returned 5.

wget error

wget https://download.wifx.net/lorix-os/1.4.0-beta.2/feeds/lorix_one_512/Packages.gz
--2021-10-14 08:30:16--  https://download.wifx.net/lorix-os/1.3.3/feeds/lorix_one_512/Packages.gz
Resolving download.wifx.net... 185.43.244.57
Connecting to download.wifx.net|185.43.244.57|:443... connected.
ERROR: The certificate of 'download.wifx.net' is not trusted.
ERROR: The certificate of 'download.wifx.net' has expired.

Description

Multiple programs return a certificate error when connecting to a server providing a Let's Encrypt certificate.

Since the expiration of the DST Root CA X3 certificate that Let's Encrypt used, Let's Encrypt has relied on a workaround to keep old Android devices working. Unfortunately, this workaround is not compatible with some programs that use an older version of OpenSSL.

Details: https://blog.devgenius.io/lets-encrypt-change-affects-openssl-1-0-x-and-centos-7-49bd66016af3.

Resolution

Remove the expired DST Root CA X3 certificate from the CA store:

sudo sed -i 's|mozilla/DST_Root_CA_X3.crt|!mozilla/DST_Root_CA_X3.crt|' /etc/ca-certificates.conf && sudo update-ca-certificates
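
The sed command above is not idempotent: run a second time, it prefixes the already deselected entry with another `!`. The sketch below is an added example, not part of the original page; it checks the entry's state first and rewrites only an enabled entry. The function names and the constructed sample file are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): idempotent form of the fix.
# A leading "!" in ca-certificates.conf deselects a certificate.

ENTRY='mozilla/DST_Root_CA_X3.crt'

# Report the entry's state in the given conf file: enabled, disabled or absent.
dst_x3_state() {
    if grep -qxF "$ENTRY" "$1"; then
        echo enabled
    elif grep -qxF "!$ENTRY" "$1"; then
        echo disabled
    else
        echo absent
    fi
}

# Deselect the entry only if it is currently enabled.
# Returns 0 if the file was changed, 1 if there was nothing to do.
disable_dst_x3() {
    [ "$(dst_x3_state "$1")" = enabled ] || return 1
    tmp=$(mktemp) || return 2
    # Anchored match: only the exact, not yet deselected line is rewritten.
    sed 's|^mozilla/DST_Root_CA_X3\.crt$|!&|' "$1" > "$tmp" &&
        cat "$tmp" > "$1"    # overwrite in place, keeping owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demonstration on a constructed copy, so the real store is not touched.
demo_conf=$(mktemp)
printf '%s\n' 'mozilla/Cybertrust_Global_Root.crt' \
    'mozilla/DST_Root_CA_X3.crt' 'mozilla/ISRG_Root_X1.crt' > "$demo_conf"
echo "before: $(dst_x3_state "$demo_conf")"
disable_dst_x3 "$demo_conf" && echo "changed"
disable_dst_x3 "$demo_conf" || echo "second run: nothing to do"
echo "after:  $(dst_x3_state "$demo_conf")"
rm -f "$demo_conf"
```

On the device, call `disable_dst_x3 /etc/ca-certificates.conf` as root and then run `update-ca-certificates`, as in the command above.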