September 12, 2013

Solaris 11: pkg update ca-certificates bug?

Posted in Solaris at 6:31 pm by alessiodini

Today I began the installation and configuration of two Solaris 11.1 nodes. I will install Oracle Solaris Cluster 4.1 in the coming days.
I was updating the nodes when I encountered a strange issue: after downloading the certificates from http://pkg-register.oracle.com I ran the pkg set-publisher command following the standard procedure. The commands were:

mkdir -m 0755 -p /var/pkg/ssl
( upload the key and certificate files in /var/pkg/ssl )
pkg set-publisher \
-k /var/pkg/ssl/Oracle_Solaris_11_Support.key.pem \
-c /var/pkg/ssl/Oracle_Solaris_11_Support.certificate.pem \
-g https://pkg.oracle.com/solaris/support/ \
-G http://pkg.oracle.com/solaris/release/ solaris

On the first node this worked perfectly, on the second node it did not!!
I received this error:

pkg set-publisher: The origin URIs for ‘solaris’ do not appear to point to a valid pkg repository.
Please verify the repository’s location and the client’s network configuration.
Additional details:

Unable to contact valid package repository
Encountered the following error(s):
Unable to contact any configured publishers.
This is likely a network configuration problem.
Framework error: code: 60 reason: SSL certificate problem, verify that the CA cert is OK.
Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
URL: ‘https://pkg.oracle.com

WHAT!? EHHH ?? *pokerface*
I checked the DNS configuration, gateway and nsswitch options, all via SMF. I also asked for a network analysis, but everything was OK.
After checking and checking I still had this issue. Well, looking on the web I found a command from an Oracle forum:

svcadm refresh svc:/system/ca-certificates:default

I tried it and nothing changed.
Just playing with that manifest I tried to disable and enable it.
THIS SOLVED THE ISSUE!!!
So, for some reason refreshing the manifest is not enough.

After these two commands everything worked:

svcadm disable svc:/system/ca-certificates:default
svcadm enable svc:/system/ca-certificates:default

Could it be a bug?

10 Comments »

  1. Ove said,

    Solved my problem! Thanks!!

    I had to disable/enable twice before I got it working, which makes it even more strange!

    • alessiodini said,

      Yes, I agree with you. I also found two other bugs:
      1) IPS
      2) OSC 4.1

      I will write some posts about them soon.
      Thank you for visiting my blog and good job! 🙂

  2. Mark said,

    Thanks, worked for me! Awesome

  3. Georg said,

    Worked! Thanks

    • alessiodini said,

      I’m happy, good job!!

  4. Jesus said,

    It WORKS… that’s a Solaris BUG with the pkg system. Thank you… you’re the best, Dude.

    • alessiodini said,

      Thank you man, I’m happy I helped you!!

  5. Grover Jones said,

    Alas, this did not work for me. I’ve restarted the ca-certificates service multiple times, and even rebooted the server. It works on every other server in the network, and is clearly a bug with pkg.
    The only difference is this is a T5-2 server, and the others are all X4 (i.e. Sparc vs X86). I’m wondering if there is something in that?
    I’m going to log a call with Oracle and get an answer.

  6. Grover Jones said,

    Oracle have come back with a solution; it is in the following doc:
    pkg(1M) on Solaris 11 System Fails with “Framework error: code: 60 reason: SSL certificate problem, verify that the CA cert is OK” (Doc ID 1395637.1)
    Essentially, the ca-certificate service failed to create one of the symlinks required in /etc/openssl/certs/.
    On following the directions contained therein, the publisher now works.

    • alessiodini said,

      Thank you for your time and for sharing the solution!! 😀
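
Comment 6 traces the failure to a symlink missing from /etc/openssl/certs/. As an added example (not part of the post, the comments or the Oracle document), the shell function below audits such a directory for dangling links and for CA files that no hash-style link points to. The source directory /etc/certs/CA, the `<8 hex digits>.<n>` link naming and the function name audit_capath are assumptions.

```shell
#!/bin/sh
# Audit an OpenSSL CApath directory for missing or dangling hash symlinks.
# Assumed layout (not stated on the page): CA PEM files live in one directory
# and the CApath directory holds <8 hex digits>.<n> symlinks resolving to them.

# audit_capath CA_DIR LINK_DIR  (hypothetical helper name)
# Prints one finding per line; returns 0 if clean, 1 if anything is wrong.
audit_capath() {
    ca_dir=$1
    link_dir=$2
    status=0

    # 1. Symlinks whose target no longer exists.
    for link in "$link_dir"/*; do
        if [ -L "$link" ] && [ ! -e "$link" ]; then
            echo "DANGLING $link"
            status=1
        fi
    done

    # 2. CA files that no hash-named symlink resolves to.
    for cert in "$ca_dir"/*.pem; do
        [ -f "$cert" ] || continue
        found=no
        for link in "$link_dir"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]; do
            # -ef is true when both names resolve to the same file.
            if [ -L "$link" ] && [ "$link" -ef "$cert" ]; then
                found=yes
                break
            fi
        done
        if [ "$found" = no ]; then
            echo "NOLINK $cert"
            status=1
        fi
    done
    return $status
}

# Example run against the assumed Solaris 11 paths:
#   audit_capath /etc/certs/CA /etc/openssl/certs
```

The check only confirms that a hash-named link exists for each CA file; it does not recompute the hash, so a link with the wrong name would still pass.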

