Originally posted by: peckjt

Hi,

After doing 'yum update' The ca-certificates-pcc was updated and now I see the following when I do 'yum update':

# yum update
anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/repodata/repomd.xml">https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/repodata/repomd.xml: [Errno 14] curl#60 - "SSL certificate problem: self signed certificate in certificate chain"
Trying other mirror.
anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc-7.2/repodata/repomd.xml">https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc-7.2/repodata/repomd.xml: [Errno 14] curl#60 - "SSL certificate problem: self signed certificate in certificate chain"
Trying other mirror.
anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/noarch/repodata/repomd.xml">https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/noarch/repodata/repomd.xml: [Errno 14] curl#60 - "SSL certificate problem: self signed certificate in certificate chain"
Trying other mirror.
Setting up Update Process
No Packages marked for Update

Because of the certificate issue, yum can not download from AIX freeware. I tried adding the certs from anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/repodata/repomd.xml">public.dhe.ibm.com to /var/ssl/certs, but that did not seem to make a difference.

Originally posted by: peckjt

I was able to get around this by using sslverify=0 in my yum.conf file for the IBM repos. I would however like to get this fixed the right way.

Originally posted by: sanket

Thank you for reporting the issue.

We will look into this and update you soon.

Originally posted by: Ravikanth.sh

Hi, Please paste the output of "rpm -qa" and check files *.0 present in  /var/ssl/certs.

Originally posted by: peckjt

Here is the requested info:

# rpm -qa
fdupes-1.51-1.ppc
python-boto-2.34.0-1.noarch
python-jsonpointer-1.0.c1ec3df-1.noarch
python-prettytable-0.7.2-1.noarch
python-argparse-1.2.1-1.noarch
python-jsonpatch-1.8-1.noarch
python-requests-2.4.3-1.noarch
python-setuptools-0.9.8-2.noarch
yum-metadata-parser-1.1.4-2.ppc
python-urlgrabber-3.10.1-1.noarch
AIX-rpm-7.2.0.0-3.ppc
zlib-1.2.11-1.ppc
ncurses-6.1-2.ppc
libffi-3.2.1-2.ppc
bash-4.4-3.ppc
readline-7.0-5.ppc
cyrus-sasl-2.1.26-3.ppc
glib2-2.56.1-2.ppc
gdbm-1.12-1.ppc
libssh2-1.8.0-3.ppc
curl-7.62.0-1.ppc
python-2.7.15-3.ppc
pysqlite-2.8.3-1.ppc
cloud-init-0.7.5-4.3.ppc
python-pycurl-7.43.0-1.ppc
expect-5.45-3.ppc
libyaml-0.1.4-2.ppc
less-487-1.ppc
python-cheetah-2.4.4-2.ppc
python-oauth-1.0.1-1.noarch
bzip2-1.0.6-2.ppc
libiconv-1.14-1.ppc
python-xml-0.8.4-1.ppc
python-configobj-5.0.5-1.noarch
python-pyserial-2.7-1.ppc
python-PyYAML-3.11-2.ppc
python-iniparse-0.4-1.noarch
libgcc-8.1.0-2.ppc
libstdc++-8.1.0-2.ppc
tcl-8.6.8-2.ppc
db-6.2.32-2.ppc
info-6.4-1.ppc
sqlite-3.23.0-1.ppc
openldap-2.4.46-1.ppc
gettext-0.19.8.1-3.ppc
tk-8.6.8-2.ppc
ca-certificates-2017.07.17-1.ppc
expat-2.2.4-1.ppc
python-six-1.10.0-1.noarch
yum-3.4.3-6.noarch
python-devel-2.7.15-3.ppc
python-tools-2.7.15-3.ppc
gmp-6.1.2-1.ppc
rsync-3.1.3-2.ppc
git-2.18.0-1.ppc
#

# ls /var/ssl/certs/*.0
ls: 0653-341 The file /var/ssl/certs/*.0 does not exist.

Originally posted by: Ravikanth.sh

That means in your environment hashes for certificate files are not created at  file /var/ssl/certs/. Seems post install script failed due to some reasons. So you reinstall ca-certificates by "yum reinstall ca-certificates" if yum is working or manually download and install ca-certificates from toolbox by rpm way. Paste me the install log if it did not create hashes at   /var/ssl/certs/  i.e *.0 files.

Originally posted by: peckjt

The reinstall did nothing. It is the same a before. I even tired this on another Linux system and the results are the same there are no *.0 files.

# yum reinstall ca-certificates
Setting up Reinstall Process
AIX_Toolbox                                                                     | 2.9 kB  00:00:00     
AIX_Toolbox/primary_db                                                          | 1.2 MB  00:00:00     
AIX_Toolbox_72                                                                  | 2.9 kB  00:00:00     
AIX_Toolbox_noarch                                                              | 2.9 kB  00:00:00     
Resolving Dependencies
--> Running transaction check
---> Package ca-certificates.ppc 0:2017.07.17-1 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================
 Package                     Arch            Version                     Repository               Size
=======================================================================================================
Reinstalling:
 ca-certificates             ppc             2017.07.17-1                AIX_Toolbox             191 k

Transaction Summary
=======================================================================================================
Reinstall     1 Package

Total size: 191 k
Installed size: 250 k
Is this ok [y/N]: y
Downloading Packages:
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : ca-certificates-2017.07.17-1.ppc                                                    1/1

Installed:
  ca-certificates.ppc 0:2017.07.17-1                                                                   

Complete!

# ls /var/ssl/certs/*.0
ls: 0653-341 The file /var/ssl/certs/*.0 does not exist.

Originally posted by: Ravikanth.sh

Seems post install script is failing, we are not able to recreate the issue in our environment. In "/var/ssl/certs/ "  execute "grep "FILE: foreach $fname *" /usr/bin/c_rehash | grep "crt" >/dev/null 2>&1" ,if return code is 0, 

execute following commands: 

    cp /usr/bin/c_rehash /usr/linux/bin/c_rehash
    sed 's#FILE: foreach .*#FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {#' /usr/linux/bin/c_rehash | tee /usr/linux/bin/c_rehash_bak >/dev/null 2>&1
    mv /usr/linux/bin/c_rehash_bak /usr/linux/bin/c_rehash
    chmod +x /usr/linux/bin/c_rehash
    /usr/linux/bin/c_rehash >/dev/null 2>&1

check if hashes created at "/var/ssl/certs/"  i.e *.0 

please refer spec file which is used to build ca-certificates for more info: ftp://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/SPECS/ca-certificates-2017.07.17-1.spec