root@OpenWrt:/etc/opkg# opkg update
Downloading https://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/24.10.4/targets/bcm27xx/bcm2711/packages/Packages.gz
SSL verify error: unknown error
*** Failed to download the package list from https://mirrors.tuna.tsinghua.edu.cn/openwrt/releases/24.10.4/targets/bcm27xx/bcm2711/packages/Packages.gz
问题是时间没有更新,应该去luci的时间界面更新下时间
http://your-router-ip/cgi-bin/luci/admin/system/system
如果不行, 再看下面的解决办法。
The "SSL verify error: unknown error" when running opkg update on OpenWrt is a common problem, usually related to issues with your system's SSL/TLS certificates or incorrect time/date settings.
Since the opkg update relies on SSL/TLS to securely download package lists from the repository (the https:// URL), a failure in certificate validation halts the process.
Here are the most common solutions, starting with the easiest:
1. Check and Set System Time ⏰
The most frequent cause for SSL errors is an incorrect system date and time. Certificates have validity periods, and if your router's clock is far off, the certificate will fail verification.
-
Check the current time:
Bashdate -
If the time is wrong, try to sync it. If your router has WAN connectivity, it should sync automatically via NTP, but a manual sync may be needed:
-
Install
ntpclient(if needed) and force a sync (if possible):-
Note: You may need to use the
--no-check-certificateoption for the initial install if you don't have the time set.
-
-
If you have LuCI (the web interface), go to System → System → Time Synchronization and ensure the NTP client is enabled and click "Sync with browser" if available, then Save & Apply.
-
If you have an internet-connected computer and SSH access, you can manually set the time (replace the date and time with the current time):
Bashdate -s "2025-11-04 05:45:00" -
After setting the correct time, try
opkg updateagain.
-
2. Temporarily Bypass SSL Check (Insecure) ⚠️
You can temporarily bypass the certificate check to allow opkg update to complete, which is useful for installing an updated certificate bundle (see step 3). Use this only as a temporary fix as it removes security checks.
-
Run
opkg updatewith the no-check-certificate option:Bashopkg update --no-check-certificate -
If this succeeds, immediately proceed to the next step to install or update the certificate package.
3. Install or Update CA Certificates 🛡️
Your OpenWrt installation might be missing the correct or current CA (Certificate Authority) certificates needed to trust the repository's SSL certificate (which is likely a Let's Encrypt certificate).
-
Update the
ca-certificatespackage (use the--no-check-certificateoption if your previousopkg updatefailed):Bashopkg install ca-certificates --no-check-certificate -
Once the package is installed, try a regular update:
Bashopkg update
4. Change the SSL Library (Advanced) 🛠️
OpenWrt uses a lightweight SSL library like libustream-wolfssl by default. Sometimes, issues can be resolved by switching to the more standard libustream-openssl.
-
Force-install the necessary OpenSSL utilities (using
--no-check-certificateif necessary):Bashopkg update --no-check-certificate opkg install libopenssl openssl-util libustream-openssl --no-check-certificate -
Remove the old library (or it may be auto-removed with the install):
Bashopkg remove libustream-wolfssl # or whatever your current libustream package is -
Try to update again:
Bashopkg update
Next Step: If none of these solutions work, I can help you check the contents of your /etc/opkg/distfeeds.conf file to ensure the repository URLs are correct for your OpenWrt version.