Hello all!
Here is the comparison between the server which was not updated and one which was:
Not updated:
/opt/freeware/bin/curl -vvvvvv https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/noarch/repodata/repomd.xml
* Trying 170.225.15.112:443...
* Connected to public.dhe.ibm.com (170.225.15.112) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: none
* CApath: /var/ssl/certs/
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=New York; L=Armonk; O=International Business Machines Corporation; CN=public.dhe.ibm.com
* start date: Mar 7 00:00:00 2022 GMT
* expire date: Mar 7 23:59:59 2023 GMT
* subjectAltName: host "public.dhe.ibm.com" matched cert's "public.dhe.ibm.com"
* issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
* SSL certificate verify ok.
* Server auth using Basic with user 'anonymous'
> GET /aix/freeSoftware/aixtoolbox/RPMS/noarch/repodata/repomd.xml HTTP/1.1
> Host: public.dhe.ibm.com
> Authorization: Basic YW5vbnltb3VzOmFub255bW91cw==
> User-Agent: curl/7.79.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 23 May 2022 08:44:11 GMT
< Last-Modified: Fri, 06 May 2022 13:03:30 GMT
< ETag: "4a4a7-a98-5de577c26ec80"
< Accept-Ranges: bytes
< Content-Length: 2712
< Strict-Transport-Security: max-age=31536000
< Content-Type: application/xml
<
<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm">
<revision>1651840271</revision>
Updated server (where I performed the CA import as described by @Philip Krab):
curl -vvvvvv https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/noarch/repodata/repomd.xml
* Trying 170.225.15.112:443...
* Connected to public.dhe.ibm.com (170.225.15.112) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: none
* CApath: /var/ssl/certs/
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate in certificate chain
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Since I never had to put any PEM files from our company into /var/ssl/certs, it seems that the fix has to come from @Rishita Saha!
"ca-certificates-2021.2.52-1.ppc installed
* Thu Nov 4 13:00:00 2021 Rishita Saha <risaha16@in.ibm.com> - 2021.2.52-1
- Update to latest version"
Thanks,
With kind regards,
------------------------------
Stephan Dietl
------------------------------
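The curl traces above boil down to one OpenSSL verify result: the server sends leaf + intermediate + root, curl has "CAfile: none" and looks for trust anchors only in the hashed directory /var/ssl/certs, and if the DigiCert root's <subject_hash>.N link is not there the chain ends in a self-signed certificate nobody trusts, which is X509 error 19, "self signed certificate in certificate chain" (curl#60). The script below is an added example written for this page; it is not from the thread, from IBM or from the ca-certificates package. It builds a throwaway root -> intermediate -> leaf PKI, hashes a bundle into a CApath the way c_rehash does (the same "email-ca-bundle.pem => a94d09e5.0" step the scriptlet output in the quoted original message shows), verifies the leaf the way curl would, then empties the CApath (the state a server is left in when /var/ssl/certs was moved aside to certs.orig and not rebuilt) to reproduce error 19, and finally rebuilds the hashed directory to show that this, not sslverify=false, is the fix. It assumes an openssl CLI (1.1.1 or 3.x, for -no-CAfile), awk and mktemp; the CA names, repo.example.test and the scratch directory are invented for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce X509 error 19
# ("self signed certificate in certificate chain") with a scratch PKI and show
# that rebuilding the hashed CApath fixes it. Assumes openssl >= 1.1.1, awk, mktemp.
set -eu

# Build root -> intermediate -> leaf. "sent-chain.pem" is what a web server hands
# the client after its own certificate: intermediate + root (the root is optional
# on the wire, but public.dhe.ibm.com sends it, which is why the error is 19).
make_pki() {
    dir=$1
    cat > "$dir/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:repo.example.test
EOF
    openssl req -x509 -config "$dir/pki.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Root CA" -days 2 -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Intermediate CA" -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -set_serial 1001 \
        -days 2 -extfile "$dir/pki.cnf" -extensions ca_ext -out "$dir/int.pem" 2>/dev/null
    openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=repo.example.test" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" -set_serial 2002 \
        -days 2 -extfile "$dir/pki.cnf" -extensions leaf_ext -out "$dir/leaf.pem" 2>/dev/null
    cat "$dir/int.pem" "$dir/root.pem" > "$dir/sent-chain.pem"
}

# What c_rehash / "openssl rehash" does for a CApath: split the bundle into one
# file per certificate and link each one as <subject_hash>.<n>; the X509 hash-dir
# lookup finds an issuer by that name, so a missing link means "no trust anchor".
rehash_bundle() {
    bundle=$1; capath=$2
    mkdir -p "$capath"
    awk -v out="$capath" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = out "/cert" n ".pem" }
        f != ""                        { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }' "$bundle"
    for f in "$capath"/cert*.pem; do
        h=$(openssl x509 -in "$f" -noout -subject_hash)
        i=0
        while [ -e "$capath/$h.$i" ]; do i=$((i + 1)); done
        ln -s "$(basename "$f")" "$capath/$h.$i"
        echo "$(basename "$f") => $h.$i"
    done
}

# Verify the leaf the way curl does in the trace above: no CAfile, trust anchors
# only from the hashed CApath, the server's chain as untrusted input.
# Prints "OK" or "error <X509 code>: <reason>".
verify_leaf() {
    capath=$1; dir=$2
    if out=$(openssl verify -no-CAfile -CApath "$capath" \
                -untrusted "$dir/sent-chain.pem" "$dir/leaf.pem" 2>&1); then
        echo OK
    else
        msg=$(printf '%s\n' "$out" \
              | sed -n 's/^error \([0-9]*\) at [0-9]* depth lookup: *\(.*\)$/error \1: \2/p' | head -n 1)
        echo "${msg:-$out}"
    fi
}

demo() {
    work=$(mktemp -d)
    make_pki "$work"
    cp "$work/root.pem" "$work/tls-ca-bundle.pem"          # the trust store, as a ca-certificates bundle
    rehash_bundle "$work/tls-ca-bundle.pem" "$work/certs"
    echo "hashed CApath present: $(verify_leaf "$work/certs" "$work")"
    mv "$work/certs" "$work/certs.orig"; mkdir "$work/certs"   # store moved aside, nothing rebuilt
    echo "CApath emptied       : $(verify_leaf "$work/certs" "$work")"
    rehash_bundle "$work/tls-ca-bundle.pem" "$work/certs" >/dev/null   # the fix: rehash, keep verification on
    echo "CApath rebuilt       : $(verify_leaf "$work/certs" "$work")"
    rm -rf "$work"
}
demo
```

On a real AIX box the same check is `openssl verify -no-CAfile -CApath /var/ssl/certs -untrusted <chain saved from openssl s_client -showcerts> <leaf>`; if that fails with error 19 while the root is present in the bundle file, the hashed links are what is missing. Until the package is fixed, yum's per-repo `sslcacert=` pointed at a known-good bundle file (or curl's `--cacert`) keeps TLS verification on, which `sslverify=false` does not.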
Original Message:
Sent: Tue May 17, 2022 10:28 AM
From: Stephan Dietl
Subject: YUM unusable after ca-certificates upgrade to 2021.2.52-1, breaks chain of trust
Hello!
When I update to the newest ca-certificates the post-install throws the following messages:
Transaction ID : 18
Begin time     : Mon May 16 05:25:09 2022
Begin rpmdb    : 75:efe729d81eb0a76dbeff4a75b41a289216f3f51c
End time       :            05:25:10 2022 (1 seconds)
End rpmdb      : 75:cd17380a815161619cb997a69d9578c050d4810a
User           : System <unset>
Return-Code    : Success
Command Line   : upgrade -y
Transaction performed with:
    Installed     yum-3.4.3-8.noarch @AIX_Toolbox_noarch
Packages Altered:
    Updated ca-certificates-2020.06.01-2.ppc @?AIX_Toolbox
    Update                  2021.2.52-1.ppc  @AIX_Toolbox
    Updated libpng-1.6.27-3.ppc              @?AIX_Toolbox
    Update         1.6.37-1.ppc              @AIX_Toolbox
Scriptlet output:
   1 Doing /var/ssl/certs
   2 WARNING: objsign-ca-bundle.pem does not contain a certificate or CRL: skipping
   3 email-ca-bundle.pem => a94d09e5.0
   4 WARNING: Skipping duplicate certificate tls-ca-bundle.pem
   5 Doing /var/ssl/64/certs
   6 WARNING: objsign-ca-bundle.pem does not contain a certificate or CRL: skipping
   7 email-ca-bundle.pem => a94d09e5.0
   8 WARNING: Skipping duplicate certificate tls-ca-bundle.pem
   9 /var/ssl/certs exists. Save it as /var/ssl/certs.orig.
  10 warning: file /var/ssl/certs/tls-ca-bundle.pem: remove failed: A file or directory in the path name does not exist.
  11 warning: file /var/ssl/certs/objsign-ca-bundle.pem: remove failed: A file or directory in the path name does not exist.
  12 warning: file /var/ssl/certs/email-ca-bundle.pem: remove failed: A file or directory in the path name does not exist.
  13 warning: file /var/ssl/certs/cacerts: remove failed: A file or directory in the path name does not exist.
  14 warning: file /opt/freeware/etc/ssl/certs/thawte_Primary_Root_CA_-_G3.crt: remove failed: A file or directory in the path name does not exist.
  15 warning: file /opt/freeware/etc/ssl/certs/thawte_Primary_Root_CA_-_G2.crt: remove failed: A file or directory in the path name does not exist.
  16 warning: file /opt/freeware/etc/ssl/certs/thawte_Primary_Root_CA.crt: remove failed: A file or directory in the path name does not exist.
  17 warning: file /opt/freeware/etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt: remove failed: A file or directory in the path name does not exist.
  18 warning: file /opt/freeware/etc/ssl/certs/VeriSign_Universal_Root_Certification_Authority.crt: remove failed: A file or directory in the path name does not exist.
  19 warning: file /opt/freeware/etc/ssl/certs/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt: remove failed: A file or directory in the path name does not exist.
  20 warning: file /opt/freeware/etc/ssl/certs/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt: remove failed: A file or directory in the path name does not exist.
  21 warning: file /opt/freeware/etc/ssl/certs/Trustis_FPS_Root_CA.crt: remove failed: A file or directory in the path name does not exist.
  22 warning: file /opt/freeware/etc/ssl/certs/Taiwan_GRCA.crt: remove failed: A file or directory in the path name does not exist.
  23 warning: file /opt/freeware/etc/ssl/certs/Staat_der_Nederlanden_Root_CA_-_G3.crt: remove failed: A file or directory in the path name does not exist.
  24 warning: file /opt/freeware/etc/ssl/certs/Staat_der_Nederlanden_Root_CA_-_G2.crt: remove failed: A file or directory in the path name does not exist.
  25 warning: file /opt/freeware/etc/ssl/certs/Sonera_Class_2_Root_CA.crt: remove failed: A file or directory in the path name does not exist.
  26 warning: file /opt/freeware/etc/ssl/certs/QuoVadis_Root_CA.crt: remove failed: A file or directory in the path name does not exist.
  27 warning: file /opt/freeware/etc/ssl/certs/OISTE_WISeKey_Global_Root_GA_CA.crt: remove failed: A file or directory in the path name does not exist.
  28 warning: file /opt/freeware/etc/ssl/certs/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt: remove failed: A file or directory in the path name does not exist.
  29 warning: file /opt/freeware/etc/ssl/certs/LuxTrust_Global_Root_2.crt: remove failed: A file or directory in the path name does not exist.
  30 warning: file /opt/freeware/etc/ssl/certs/Global_Chambersign_Root_-_2008.crt: remove failed: A file or directory in the path name does not exist.
  31 warning: file /opt/freeware/etc/ssl/certs/GeoTrust_Universal_CA_2.crt: remove failed: A file or directory in the path name does not exist.
  32 warning: file /opt/freeware/etc/ssl/certs/GeoTrust_Universal_CA.crt: remove failed: A file or directory in the path name does not exist.
  33 warning: file /opt/freeware/etc/ssl/certs/GeoTrust_Primary_Certification_Authority_-_G3.crt: remove failed: A file or directory in the path name does not exist.
  34 warning: file /opt/freeware/etc/ssl/certs/GeoTrust_Primary_Certification_Authority_-_G2.crt: remove failed: A file or directory in the path name does not exist.
  35 warning: file /opt/freeware/etc/ssl/certs/GeoTrust_Primary_Certification_Authority.crt: remove failed: A file or directory in the path name does not exist.
  36 warning: file /opt/freeware/etc/ssl/certs/GeoTrust_Global_CA.crt: remove failed: A file or directory in the path name does not exist.
  37 warning: file /opt/freeware/etc/ssl/certs/EE_Certification_Centre_Root_CA.crt: remove failed: A file or directory in the path name does not exist.
  38 warning: file /opt/freeware/etc/ssl/certs/Chambers_of_Commerce_Root_-_2008.crt: remove failed: A file or directory in the path name does not exist.
  39 warning: file /opt/freeware/etc/ssl/certs/AddTrust_External_Root.crt: remove failed: A file or directory in the path name does not exist.
history info
After that the system can't use yum because of the curl certificate error (Errno 14):
# yum upgrade
https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/repodata/repomd.xml: [Errno 14] curl#60 - "SSL certificate problem: self signed certificate in certificate chain"
Trying other mirror.
https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc-7.2/repodata/repomd.xml: [Errno 14] curl#60 - "SSL certificate problem: self signed certificate in certificate chain"
Trying other mirror.
https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/noarch/repodata/repomd.xml: [Errno 14] curl#60 - "SSL certificate problem: self signed certificate in certificate chain"
Trying other mirror.
Setting up Upgrade Process
No Packages marked for Update

# yum install zsh
https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/repodata/repomd.xml: [Errno 14] curl#60 - "SSL certificate problem: self signed certificate in certificate chain"
Trying other mirror.
https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc-7.2/repodata/repomd.xml: [Errno 14] curl#60 - "SSL certificate problem: self signed certificate in certificate chain"
Trying other mirror.
https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/noarch/repodata/repomd.xml: [Errno 14] curl#60 - "SSL certificate problem: self signed certificate in certificate chain"
Trying other mirror.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package zsh.ppc 0:5.8-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package        Arch        Version        Repository          Size
================================================================================
Installing:
 zsh            ppc         5.8-1          AIX_Toolbox         4.6 M

Transaction Summary
================================================================================
Install       1 Package

Total download size: 4.6 M
Installed size: 4.6 M
Is this ok [y/N]: y
Downloading Packages:
https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/zsh/zsh-5.8-1.aix6.1.ppc.rpm: [Errno 14] curl#60 - "SSL certificate problem: self signed certificate in certificate chain"
Trying other mirror.

Error Downloading Packages:
  zsh-5.8-1.ppc: failure: zsh/zsh-5.8-1.aix6.1.ppc.rpm from AIX_Toolbox: [Errno 256] No more mirrors to try.
Setting sslverify=false gets rid of the errors and I can install/upgrade again, but reinstalling ca-certificates doesn't help with the cURL errors, in contrast to this hint in IBM Support.
Please advise how to react to this; I don't want to switch off TLS verification for the YUM transactions. Thanks!
With kind regards,
Stephan Dietl