Originally posted by: mohsid
Hi All,
This is my first post in this forum. I'm a Systems Administrator working for the state of Missouri. I'm having an issue installing/configuring yum on one of the AIX 7.1 LPARs. While installing yum on the LPAR, I followed the link below and installed all the required RPMs.
https://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/ezinstall/ppc/README-yum
curl-7.52.1-1.ppc
yum-3.4.3-7.noarch
python-urlgrabber-3.10.1-1.noarch
python-pycurl-7.19.3-1.ppc
ca-certificates-2016.10.7-2.ppc
While trying to run any yum command, it's throwing an error saying it cannot retrieve repository metadata. See the output below. I verified that we are able to reach public.dhe.ibm.com from the server through port 443.
I have also verified the certs.
telnet public.dhe.ibm.com 443
Trying...
Connected to dispby-112.boulder.ibm.com.
Escape character is '^]'.
/var/ssl/certs # ls -lrt | grep -i geo
lrwxrwxrwx 1 root system 52 Jan 14 11:18 GeoTrust_Global_CA_2.crt -> /opt/freeware/etc/ssl/certs/GeoTrust_Global_CA_2.crt
lrwxrwxrwx 1 root system 50 Jan 14 11:18 GeoTrust_Global_CA.crt -> /opt/freeware/etc/ssl/certs/GeoTrust_Global_CA.crt
lrwxrwxrwx 1 root system 77 Jan 14 11:18 GeoTrust_Primary_Certification_Authority_-_G2.crt -> /opt/freeware/etc/ssl/certs/GeoTrust_Primary_Certification_Authority_-_G2.crt
lrwxrwxrwx 1 root system 72 Jan 14 11:18 GeoTrust_Primary_Certification_Authority.crt -> /opt/freeware/etc/ssl/certs/GeoTrust_Primary_Certification_Authority.crt
lrwxrwxrwx 1 root system 77 Jan 14 11:18 GeoTrust_Primary_Certification_Authority_-_G3.crt -> /opt/freeware/etc/ssl/certs/GeoTrust_Primary_Certification_Authority_-_G3.crt
lrwxrwxrwx 1 root system 55 Jan 14 11:18 GeoTrust_Universal_CA_2.crt -> /opt/freeware/etc/ssl/certs/GeoTrust_Universal_CA_2.crt
lrwxrwxrwx 1 root system 53 Jan 14 11:18 GeoTrust_Universal_CA.crt -> /opt/freeware/etc/ssl/certs/GeoTrust_Universal_CA.crt
lrwxrwxrwx 1 root system 22 Mar 22 11:03 2c543cd1.0 -> GeoTrust_Global_CA.crt
lrwxrwxrwx 1 root system 24 Mar 22 11:03 cbeee9e2.0 -> GeoTrust_Global_CA_2.crt
lrwxrwxrwx 1 root system 44 Mar 22 11:03 480720ec.0 -> GeoTrust_Primary_Certification_Authority.crt
lrwxrwxrwx 1 root system 49 Mar 22 11:03 116bf586.0 -> GeoTrust_Primary_Certification_Authority_-_G2.crt
lrwxrwxrwx 1 root system 49 Mar 22 11:03 e2799e36.0 -> GeoTrust_Primary_Certification_Authority_-_G3.crt
lrwxrwxrwx 1 root system 25 Mar 22 11:03 ad088e1d.0 -> GeoTrust_Universal_CA.crt
lrwxrwxrwx 1 root system 27 Mar 22 11:03 8867006a.0 -> GeoTrust_Universal_CA_2.crt
/var/ssl/certs #
/var/ssl/certs # openssl s_client -showcerts -connect public.dhe.ibm.com:443
CONNECTED(00000003)
write:errno=73
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1553290303
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
/var/ssl/certs #
/root # cat /opt/freeware/etc/yum/yum.conf
[main]
cachedir=/var/cache/yum
keepcache=1
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
plugins=1
[AIX_Toolbox]
name=AIX generic repository
baseurl=https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/
enabled=1
gpgcheck=0
[AIX_Toolbox_noarch]
name=AIX noarch repository
baseurl=https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/noarch/
enabled=1
gpgcheck=0
[AIX_Toolbox_71]
name=AIX 7.1 specific repository
baseurl=https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc-7.1/
enabled=1
gpgcheck=0
root #
I performed a clean installation a few times, then tried changing to different RPM versions to see if it would work, but ended up with the same result. I also created a ticket with support to get help, but since it's open source software, they recommended getting help from the developers forum. I went through a couple of forums on easy yum installation as well as the yum proxy configuration, but couldn't resolve the issue. I would really appreciate it if you could help me out.
When I try to list the certificate of any local URL, it shows up, but not for public.dhe.ibm.com.
/root # openssl s_client -showcerts -connect XXXXX.XXXX:455
CONNECTED(00000003)
depth=1 DC = XX, DC = XX, DC = XX, CN = XXXXXX
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/XXXXXXXXXXXXX
i:/XXXXXXXXXXXXX
1 s:/
i:/DC=
---
Server certificate
subject=XXXXXXXXXx
issuer=/DC=XXXXXXXXXXXXX
---
yum list
https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/repodata/repomd.xml: [Errno 14] curl#35 - "Unknown SSL protocol error in connection to public.dhe.ibm.com:443 "
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: AIX_Toolbox. Please verify its path and try again
#
/root # curl -v public.dhe.ibm.com
* Rebuilt URL to: public.dhe.ibm.com/
* Trying 170.225.15.112...
* TCP_NODELAY set
* Connected to public.dhe.ibm.com (170.225.15.112) port 80 (#0)
> GET / HTTP/1.1
> Host: public.dhe.ibm.com
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 503 Service Unavailable
< Content-Type: text/html; charset=UTF-8
< Content-Length: 9691
< Connection: close
< P3P: CP="CAO PSA OUR"
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
<
<html>
<head>
<title>Web Page Blocked</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<meta name="viewport" content="initial-scale=1.0">
<script>
// replace blocked ads with small image or stop loading content/etc so it's just blank.
var adsarebad = "No Decrypt Websites"
if (adsarebad == "web-advertisements") {
document.write('<!--');
window.stop();
//return '\u00A0/\u00A0';
//window.location.replace("");
}
// Grab the URL that's in the browser.
var s_u = location.href;
// Disabled bing redirect for now, perhaps that is the source of the CAPTCHA from google (win 10 call outs etc)
// SEE THE BODY HTML FOR THE NEW WORK AROUND NOW.
//
// Bing! redirect. Note this does not pass along the search string. Bing.com redirects to www.bing.com so no need to define bing.com
//var site_is_bing = /^.*\/\/(.+\.bing\..+?)\//.exec(s_u);
//if (site_is_bing) {
// var gotoGoogle = "https://www.google.com/webhp?safe=active"
// window.location.replace(gotoGoogle);
// document.getElementById("java_off").innerHTML = 'You are being redirected to Google!';
//}
// Parked MOSERs redirect
// Works for *.mosers.com
var moserscom = /^.*\/\/(.+\.mosers\.com)/.exec(s_u);
if (moserscom) {
window.location.replace("https://www.mosers.org");
document.getElementById("java_off").innerHTML = 'You are being redirected to the real MOSERS site!';
}
// Works for mosers.com
var moserscom = /^.*\/\/(mosers\.com)/.exec(s_u);
if (moserscom) {
window.location.replace("https://www.mosers.org");
document.getElementById("java_off").innerHTML = 'You are being redirected to the real MOSERS site!';
}
// Parked MCHCP redirects
// works for *.mchcp.com
var mchcpcom = /^.*\/\/(.+\.mchcp\.com)\//.exec(s_u);
if (mchcpcom) {
window.location.replace("https://www.mchcp.org");
document.getElementById("java_off").innerHTML = 'You are being redirected to the real MCHCP site!';
}
// works for mchcp.com
var mchcpcom = /^.*\/\/(mchcp\.com)\//.exec(s_u);
if (mchcpcom) {
window.location.replace("https://www.mchcp.org");
document.getElementById("java_off").innerHTML = 'You are being redirected to the real MCHCP site!';
}
// works for *.mymchcp.*
var mymchcporg = /^.*\/\/(.+\.mymchcp\..+?)\//.exec(s_u);
if (mymchcporg) {
window.location.replace("https://www.mchcp.org");
document.getElementById("java_off").innerHTML = 'You are being redirected to the real MCHCP site!';
}
// works for mymchcp.*
var mymchcporg = /^.*\/\/(mymchcp\..+?)\//.exec(s_u);
if (mymchcporg) {
window.location.replace("https://www.mchcp.org");
document.getElementById("java_off").innerHTML = 'You are being redirected to the real MCHCP site!';
}
</script>
<style>
#content {
border:3px solid#aaa;
background-color:#fff;
margin:1.5em;
padding:1.5em;
font-family:Tahoma,Helvetica,Arial,sans-serif;
font-size:1em;
}
h1 {
font-size:1.3em;
font-weight:bold;
color:#196390;
}
b {
font-weight:normal;
color:#196390;
}
</style>
</head>
<body bgcolor="#e7e8e9">
<div id="content">
<h1>Web Page Blocked</h1>
<p>Access to the web page you were trying to visit has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.</p>
<p><b>User:</b> 10.58.180.180 </p>
<p><b>URL:</b> public.dhe.ibm.com/ </p>
<p><b>Category:</b> No Decrypt Websites </p>
<p><b>Policy:</b> Server Block All </p>
<BR><BR>
<script>
// Made by IH - 10:30 AM 12/31/2018
var aduser = "10.58.180.180"; // The domain\user returned from PAN. We must "fix" the issues caused by special characters:
// The "\" after the domain will disappear (escape char) or if combined with characters below creates a special character which we replace:
aduser = aduser.replace('\b', 'b'); // Replace "backspace" with "b"
aduser = aduser.replace('\f', 'f'); // Replace "form feed" with "f"
aduser = aduser.replace('\n', 'n'); // Replace "line feed" with "n"
aduser = aduser.replace('\r', 'r'); // Replace "carriage return" with "r"
aduser = aduser.replace('\t', 't'); // Replace "horizontal tab" with "t"
aduser = aduser.replace('\v', 'v'); // Replace "vertical tab" with "v"
aduser = aduser.replace('\0', '0'); // Replace "null character" with "0"
// We still need to put back the missing "\" so we search the start of string for matching domain and replace with a "friendly" "\":
aduser = aduser.replace(/^ads/i, 'ads%5C'); // Replace "ads" with "ads%5C" URL encode which renders as "ads\"
aduser = aduser.replace(/^bds/i, 'bds%5C'); // The i=ignore case.
aduser = aduser.replace(/^cds/i, 'cds%5C');
aduser = aduser.replace(/^extlcl/i, 'extlcl%5C');
aduser = aduser.replace(/^statemous/i, 'statemous%5C');
aduser = aduser.replace(/^auditor/i, 'auditor%5C');
aduser = aduser.replace(/^sto/i, 'sto%5C');
aduser = aduser.replace(/^modotds/i, 'modotds%5C');
aduser = aduser.replace(/^ago/i, 'ago%5C');
// Replaces any # in the username as that generates a false HTML bookmark target:
aduser = aduser.replace(/#/g, '%23'); // Replace (g=globally all instances) "#" as URL encoded "%23"
//Write in the click here email link. BING is first up:
if (RegExp(/^.*\/\/(.+\.bing\..+?)\//i).test(location.href) == true) { //Site was Bing! Tells them to go to Google:
document.write('Bing is not allowed, please <a href="https://www.google.com">click here</a> to proceed to Google.');
// * AGO **********************************************
} else if (RegExp(/^ago%5C/i).test(aduser) == true) { //Domain is AGO, serve the AGO email address:
document.write('If you believe you have been inappropriately blocked, please <a href="mailto:italerts@ago.mo.gov?subject=Content Filtering Unblock Request&body=%0A%0ADO NOT MODIFY BELOW THIS LINE!!!!%0A********************************%0AUser: ' + aduser + '%0ACategory: No Decrypt Websites %0APolicy: Server Block All %0AURL: public.dhe.ibm.com/ %0ADevice: PAN ">click here</a> for assistance. ');
} else if (RegExp(/^10\.(1(1[6-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$/i).test(aduser) == true) { //IP AGO (10.116.0.0-10.117.255.255), serve the AGO email address:
document.write('If you believe you have been inappropriately blocked, please <a href="mailto:italerts@ago.mo.gov?subject=Content Filtering Unblock Request&body=%0A%0ADO NOT MODIFY BELOW THIS LINE!!!!%0A********************************%0AUser: ' + aduser + '%0ACategory: No Decrypt Websites %0APolicy: Server Block All %0AURL: public.dhe.ibm.com/ %0ADevice: PAN ">click here</a> for assistance. ');
// * MODOT ********************************************
} else if (RegExp(/^modotds%5C/i).test(aduser) == true) { //Domain is MODOT, serve the MODOT email address:
document.write('If you believe you have been inappropriately blocked, please <a href="mailto:is.helpdesk@modot.mo.gov?subject=Content Filtering Unblock Request&body=%0A%0ADO NOT MODIFY BELOW THIS LINE!!!!%0A********************************%0AUser: ' + aduser + '%0ACategory: No Decrypt Websites %0APolicy: Server Block All %0AURL: public.dhe.ibm.com/ %0ADevice: PAN ">click here</a> for assistance. ');
} else if (RegExp(/^10\.21\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$/i).test(aduser) == true) { //IP MODOT (10.21.0.0-10.21.255.255), serve the MODOT email address:
document.write('If you believe you have been inappropriately blocked, please <a href="mailto:is.helpdesk@modot.mo.gov?subject=Content Filtering Unblock Request&body=%0A%0ADO NOT MODIFY BELOW THIS LINE!!!!%0A********************************%0AUser: ' + aduser + '%0ACategory: No Decrypt Websites %0APolicy: Server Block All %0AURL: public.dhe.ibm.com/ %0ADevice: PAN ">click here</a> for assistance. ');
} else if (RegExp(/^10\.([1-9]|1[0-1])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$/i).test(aduser) == true) { //IP MODOT (10.1.0.0-10.11.255.255), serve the MODOT email address:
document.write('If you believe you have been inappropriately blocked, please <a href="mailto:is.helpdesk@modot.mo.gov?subject=Content Filtering Unblock Request&body=%0A%0ADO NOT MODIFY BELOW THIS LINE!!!!%0A********************************%0AUser: ' + aduser + '%0ACategory: No Decrypt Websites %0APolicy: Server Block All %0AURL: public.dhe.ibm.com/ %0ADevice: PAN ">click here</a> for assistance. ');
} else { //Otherwise serve the OA email address:
document.write('If you believe you have been inappropriately blocked, please <a href="mailto:contentfiltering@oa.mo.gov?subject=Content Filtering Unblock Request&body=%0A%0ADO NOT MODIFY BELOW THIS LINE!!!!%0A********************************%0AUser: ' + aduser + '%0ACategory: No Decrypt Websites %0APolicy: Server Block All %0AURL: public.dhe.ibm.com/ %0ADevice: PAN ">click here</a> for assistance. ');
}
//var aduser = "MODOTds\JohnDoe"; //TEST move to top etc for testing.
//document.write('USER\: ' + aduser + '\<BR\>' ); //TEST FOR MODOT USER FUNCTIONALITY
</script>
<!-- <A href="mailto:contentfiltering@oa.mo.gov?subject=Content Filtering Unblock Request&body=%0A%0ADO NOT MODIFY BELOW THIS LINE!!!!%0A********************************%0AUser: 10.58.180.180 %0ACategory: No Decrypt Websites %0APolicy: Server Block All %0AURL: public.dhe.ibm.com/ %0ADevice: PAN ">
click here</a>-->
</div>
</body>
</html>
* Curl_http_done: called premature == 0
* Closing connection 0
/root # echo $?
0
root #
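The two captures in the post (the `openssl s_client` output on port 443 and the HTML body `curl` received on port 80) can be read together mechanically. The script below is an added example, not part of the original post; the function names and result labels are hypothetical, and the sample inputs are excerpts of the outputs pasted above.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.
# Sample inputs are excerpts of the outputs pasted in the post.
sample_s_client() {   # s_client output for public.dhe.ibm.com:443
cat <<'EOF'
CONNECTED(00000003)
write:errno=73
no peer certificate available
SSL handshake has read 0 bytes and written 305 bytes
Verify return code: 0 (ok)
EOF
}
sample_http_body() {  # body curl received on port 80
cat <<'EOF'
<title>Web Page Blocked</title>
<p><b>Category:</b> No Decrypt Websites </p>
<p><b>Policy:</b> Server Block All </p>
EOF
}

# Classify `openssl s_client` output read from stdin.
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"CONNECTED("*) ;;
        *) echo "tcp-failed"; return ;;
    esac
    case "$out" in
        # TCP is up but nothing came back after the ClientHello (errno 73 is
        # ECONNRESET on AIX). "Verify return code: 0 (ok)" is printed anyway,
        # so it is not evidence of a trusted chain: no certificate arrived.
        *"handshake has read 0 bytes"*) echo "tls-no-server-reply" ;;
        *"verify error:"*)              echo "tls-chain-untrusted" ;;
        *"no peer certificate"*)        echo "tls-no-certificate" ;;
        *)                              echo "tls-ok" ;;
    esac
}

# Print the value of <p><b>NAME:</b> value </p> from an HTML body on stdin.
blockpage_field() {
    sed -n "s|.*<p><b>$1:</b> *\(.*[^ ]\) *</p>.*|\1|p" | head -n 1
}
# One-line summary; $1 = s_client output file, $2 = HTTP body file.
diagnose() {
    echo "tls=$(classify_handshake < "$1")" \
         "category=$(blockpage_field Category < "$2")" \
         "policy=$(blockpage_field Policy < "$2")"
}
if [ "$#" -eq 2 ]; then diagnose "$1" "$2"; fi
```

A successful `telnet` or `CONNECTED(...)` line only proves the TCP path; the combination of a zero-byte handshake and a filter block page naming the same host points at the network filter rather than the local CA bundle or yum itself.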