Closed subzhn closed 9 months ago
Looks like I have the same issue. It's a problem with EdgeOS, possibly it has outdated root CAs.
Thank you for your answer. I appreciate your time and effort. To be honest I didn't expect the reply considering the project was established a few years ago. It's amazing that you still care and support it.
You're welcome. I'm still using this setup myself, so it's good to keep it up to date and help others where I can.
I'll have to have more of a dig into this and see if there's a workaround. I'm not totally convinced Ubiquiti will fix the underlying problem as they seem to have removed a lot of focus from EdgeMax development :-(
I tracked it down. It is indeed because Ubiquiti aren't maintaining EdgeOS well any more.
It's related to Let's Encrypt's root CA changing a few years (!) ago. All Linux distributions have an update for this, but EdgeOS doesn't have it.
This post describes the problem and the workaround: https://community.ui.com/questions/Fix-Solution-Lets-Encrypt-DST-Root-CA-X3-Expiration-Problems-with-IDS-IPS-Signature-Updates-HTTPS-E/0404a626-1a77-4d6c-9b4c-17ea3dea641d
Note this comment:
This is solved for the USG and UDM, just update your firmware. There is no official fix for the EdgeRouter yet, but you can fix it manually by following the steps in the OP.
That's from 2 years ago but the fact that the most recent firmware doesn't have the fix doesn't give me hope.
I can confirm that workaround works for me.
Excellent! Tailscale is up and running with the above fix on the 1st try.
It's sad that they are slowly dropping the development of the EdgeRouter line, I don't need and don't want an all-in-one solution such as UDM.
Again, thank you very much for your help.
Would it be possible to add this workaround to the install script too?
Possibly, it's fairly straightforward, although I no longer have a spare device I can use to try installing from scratch and testing upgrades.
If I get some free time I'll try and have a look at it.
I was able to get around this purely for this script by editing /config/scripts/post-config.d/tailscale.sh and adding a -o option to the apt update and apt install lines 44 and 45:
apt-get -o "Acquire::https::Verify-Peer=false" update
apt-get -o "Acquire::https::Verify-Peer=false" install tailscale
@ctrl-freak I would very strongly advise against doing this. Disabling SSL/TLS validation is always a bad idea.
Thanks, this helped me a bunch. And I love the repository install method of getting tailscale on it, so thank you @jamesog for your work <3
sudo -i
sed -i 's|^mozilla\/DST_Root_CA_X3.crt|!mozilla/DST_Root_CA_X3.crt|' /etc/ca-certificates.conf
curl -sk https://letsencrypt.org/certs/isrgrootx1.pem -o /usr/local/share/ca-certificates/ISRG_Root_X1.crt
update-ca-certificates --fresh
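A fingerprint check for the `curl -sk` download in the workaround above, as an added example that is not part of the thread or of the install script: because `-k` skips TLS validation, the fetched root is compared against a SHA-256 fingerprint obtained on a separate machine before it is installed. The function names and the `/tmp` path are assumptions, and the fingerprint argument is a placeholder to be filled in from that trusted source.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: pem_sha256,
# normalise_fp, install_root_if_trusted, /tmp/isrgrootx1.pem.

# SHA-256 of the DER bytes of the first certificate in PEM file $1,
# printed as lowercase hex (the value "openssl x509 -fingerprint -sha256"
# shows, minus the colons).
pem_sha256() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" |
        sed '/-----END CERTIFICATE-----/q' | tr -d '\r' |
        grep -v -e '-----' | base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Accept "AA:BB:..." or "aabb..." style input: drop colons/spaces, lowercase.
normalise_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# Copy PEM file $1 into the CA directory $3 only when its fingerprint
# equals $2. Returns 1 and installs nothing on any mismatch.
install_root_if_trusted() {
    fp_want=$(normalise_fp "$2")
    fp_got=$(pem_sha256 "$1")
    ca_dir=${3:-/usr/local/share/ca-certificates}
    if [ -z "$fp_want" ] || [ "$fp_got" != "$fp_want" ]; then
        echo "refusing to install $1: fingerprint is $fp_got" >&2
        return 1
    fi
    cp "$1" "$ca_dir/ISRG_Root_X1.crt"
}

# Stand-alone use on the router, after the unverified download:
#   curl -sk https://letsencrypt.org/certs/isrgrootx1.pem -o /tmp/isrgrootx1.pem
#   sh this_script.sh /tmp/isrgrootx1.pem "<fingerprint from a trusted machine>"
if [ "$#" -eq 2 ]; then
    install_root_if_trusted "$1" "$2" && update-ca-certificates --fresh
fi
```

The fingerprint can be read on a machine whose trust store is current, for example with `openssl x509 -in isrgrootx1.pem -noout -fingerprint -sha256` on a copy fetched over validated HTTPS.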
Hi, I'm trying to follow your instruction but having error as below:
After this operation, 48.7 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Err:1 https://pkgs.tailscale.com/stable/debian stretch/main mipsel tailscale mipsel 1.48.1
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Err:2 https://pkgs.tailscale.com/stable/debian stretch/main all tailscale-archive-keyring all 1.35.181
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
E: Failed to fetch https://dl.tailscale.com/stable/tailscale_1.48.1_mipsel.deb server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
E: Failed to fetch https://dl.tailscale.com/stable/tailscale-archive-keyring_1.35.181_all.deb server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
Any idea how to fix this?