AIX Open Source

AIX Open Source

Share your experiences and connect with fellow developers to discover how to build and manage open source software for the AIX operating system

 View Only

  • 1.  yum update - no longer can reach IBM

    Posted Thu February 14, 2019 12:05 PM

    Originally posted by: peckjt


    Hi,

    After doing 'yum update' The ca-certificates-pcc was updated and now I see the following when I do 'yum update':

    # yum update
    anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/repodata/repomd.xml">https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/repodata/repomd.xml: [Errno 14] curl#60 - "SSL certificate problem: self signed certificate in certificate chain"
    Trying other mirror.
    anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc-7.2/repodata/repomd.xml">https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc-7.2/repodata/repomd.xml: [Errno 14] curl#60 - "SSL certificate problem: self signed certificate in certificate chain"
    Trying other mirror.
    anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/noarch/repodata/repomd.xml">https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/noarch/repodata/repomd.xml: [Errno 14] curl#60 - "SSL certificate problem: self signed certificate in certificate chain"
    Trying other mirror.
    Setting up Update Process
    No Packages marked for Update

    Because of the certificate issue, yum can not download from AIX freeware. I tried adding the certs from anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/repodata/repomd.xml">public.dhe.ibm.com to /var/ssl/certs, but that did not seem to make a difference.



  • 2.  Re: yum update - no longer can reach IBM

    Posted Thu February 14, 2019 01:58 PM

    Originally posted by: peckjt


    I was able to get around this by using sslverify=0 in my yum.conf file for the IBM repos. I would however like to get this fixed the right way.



  • 3.  Re: yum update - no longer can reach IBM

    Posted Thu February 14, 2019 11:41 PM

    Originally posted by: sanket


    Thank you for reporting the issue.

    We will look into this and update you soon.



  • 4.  Re: yum update - no longer can reach IBM

    Posted Fri February 15, 2019 05:08 AM

    Originally posted by: Ravikanth.sh


    Hi, Please paste the output of "rpm -qa" and check files *.0 present in  /var/ssl/certs.



  • 5.  Re: yum update - no longer can reach IBM

    Posted Fri February 15, 2019 09:28 AM

    Originally posted by: peckjt


    Here is the requested info:

    # rpm -qa
    fdupes-1.51-1.ppc
    python-boto-2.34.0-1.noarch
    python-jsonpointer-1.0.c1ec3df-1.noarch
    python-prettytable-0.7.2-1.noarch
    python-argparse-1.2.1-1.noarch
    python-jsonpatch-1.8-1.noarch
    python-requests-2.4.3-1.noarch
    python-setuptools-0.9.8-2.noarch
    yum-metadata-parser-1.1.4-2.ppc
    python-urlgrabber-3.10.1-1.noarch
    AIX-rpm-7.2.0.0-3.ppc
    zlib-1.2.11-1.ppc
    ncurses-6.1-2.ppc
    libffi-3.2.1-2.ppc
    bash-4.4-3.ppc
    readline-7.0-5.ppc
    cyrus-sasl-2.1.26-3.ppc
    glib2-2.56.1-2.ppc
    gdbm-1.12-1.ppc
    libssh2-1.8.0-3.ppc
    curl-7.62.0-1.ppc
    python-2.7.15-3.ppc
    pysqlite-2.8.3-1.ppc
    cloud-init-0.7.5-4.3.ppc
    python-pycurl-7.43.0-1.ppc
    expect-5.45-3.ppc
    libyaml-0.1.4-2.ppc
    less-487-1.ppc
    python-cheetah-2.4.4-2.ppc
    python-oauth-1.0.1-1.noarch
    bzip2-1.0.6-2.ppc
    libiconv-1.14-1.ppc
    python-xml-0.8.4-1.ppc
    python-configobj-5.0.5-1.noarch
    python-pyserial-2.7-1.ppc
    python-PyYAML-3.11-2.ppc
    python-iniparse-0.4-1.noarch
    libgcc-8.1.0-2.ppc
    libstdc++-8.1.0-2.ppc
    tcl-8.6.8-2.ppc
    db-6.2.32-2.ppc
    info-6.4-1.ppc
    sqlite-3.23.0-1.ppc
    openldap-2.4.46-1.ppc
    gettext-0.19.8.1-3.ppc
    tk-8.6.8-2.ppc
    ca-certificates-2017.07.17-1.ppc
    expat-2.2.4-1.ppc
    python-six-1.10.0-1.noarch
    yum-3.4.3-6.noarch
    python-devel-2.7.15-3.ppc
    python-tools-2.7.15-3.ppc
    gmp-6.1.2-1.ppc
    rsync-3.1.3-2.ppc
    git-2.18.0-1.ppc
    #

    # ls /var/ssl/certs/*.0
    ls: 0653-341 The file /var/ssl/certs/*.0 does not exist.



  • 6.  Re: yum update - no longer can reach IBM

    Posted Mon February 18, 2019 02:03 AM

    Originally posted by: Ravikanth.sh


    That means in your environment hashes for certificate files are not created at  file /var/ssl/certs/. Seems post install script failed due to some reasons. So you reinstall ca-certificates by "yum reinstall ca-certificates" if yum is working or manually download and install ca-certificates from toolbox by rpm way. Paste me the install log if it did not create hashes at   /var/ssl/certs/  i.e *.0 files.



  • 7.  Re: yum update - no longer can reach IBM

    Posted Mon February 18, 2019 12:32 PM

    Originally posted by: peckjt


    The reinstall did nothing. It is the same a before. I even tired this on another Linux system and the results are the same there are no *.0 files.

     

    # yum reinstall ca-certificates
    Setting up Reinstall Process
    AIX_Toolbox                                                                     | 2.9 kB  00:00:00     
    AIX_Toolbox/primary_db                                                          | 1.2 MB  00:00:00     
    AIX_Toolbox_72                                                                  | 2.9 kB  00:00:00     
    AIX_Toolbox_noarch                                                              | 2.9 kB  00:00:00     
    Resolving Dependencies
    --> Running transaction check
    ---> Package ca-certificates.ppc 0:2017.07.17-1 will be reinstalled
    --> Finished Dependency Resolution

    Dependencies Resolved

    =======================================================================================================
     Package                     Arch            Version                     Repository               Size
    =======================================================================================================
    Reinstalling:
     ca-certificates             ppc             2017.07.17-1                AIX_Toolbox             191 k

    Transaction Summary
    =======================================================================================================
    Reinstall     1 Package

    Total size: 191 k
    Installed size: 250 k
    Is this ok [y/N]: y
    Downloading Packages:
    Running Transaction Check
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : ca-certificates-2017.07.17-1.ppc                                                    1/1

    Installed:
      ca-certificates.ppc 0:2017.07.17-1                                                                   

    Complete!


    # ls /var/ssl/certs/*.0
    ls: 0653-341 The file /var/ssl/certs/*.0 does not exist.



  • 8.  Re: yum update - no longer can reach IBM

    Posted Tue February 19, 2019 04:15 AM

    Originally posted by: Ravikanth.sh


    Seems post install script is failing, we are not able to recreate the issue in our environment. In "/var/ssl/certs/ "  execute "grep "FILE: foreach $fname *" /usr/bin/c_rehash | grep "crt" >/dev/null 2>&1" ,if return code is 0, 

    execute following commands: 

        cp /usr/bin/c_rehash /usr/linux/bin/c_rehash
        sed 's#FILE: foreach .*#FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {#' /usr/linux/bin/c_rehash | tee /usr/linux/bin/c_rehash_bak >/dev/null 2>&1
        mv /usr/linux/bin/c_rehash_bak /usr/linux/bin/c_rehash
        chmod +x /usr/linux/bin/c_rehash
        /usr/linux/bin/c_rehash >/dev/null 2>&1

    check if hashes created at "/var/ssl/certs/"  i.e *.0 

    please refer spec file which is used to build ca-certificates for more info: ftp://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/SPECS/ca-certificates-2017.07.17-1.spec