AIX Open Source


certificate issue

  • 1.  certificate issue

    Posted Thu June 16, 2022 04:46 PM
    I recently installed dnf but it seems to have stopped working for some reason. Initially I ran 'dnf update --allowerasing' and it completed ok.  When I try to install anything new I am getting a certificate error:

    # dnf install wget
    Last metadata expiration check: 4:37:30 ago on Thu Jun 16 09:58:51 MDT 2022.
    Dependencies resolved.
    ===========================================================================================================================
    Package Architecture Version Repository Size
    ===========================================================================================================================
    Installing:
    wget ppc 1.21.2-1 AIX_Toolbox 705 k

    Transaction Summary
    ===========================================================================================================================
    Install 1 Package

    Total download size: 705 k
    Installed size: 705 k
    Is this ok [y/N]: y
    Downloading Packages:
    [MIRROR] wget-1.21.2-1.aix6.1.ppc.rpm: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/wget/wget-1.21.2-1.aix6.1.ppc.rpm [SSL certificate problem: self signed certificate in certificate chain]
    [MIRROR] wget-1.21.2-1.aix6.1.ppc.rpm: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/wget/wget-1.21.2-1.aix6.1.ppc.rpm [SSL certificate problem: self signed certificate in certificate chain]
    [MIRROR] wget-1.21.2-1.aix6.1.ppc.rpm: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/wget/wget-1.21.2-1.aix6.1.ppc.rpm [SSL certificate problem: self signed certificate in certificate chain]
    [MIRROR] wget-1.21.2-1.aix6.1.ppc.rpm: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/wget/wget-1.21.2-1.aix6.1.ppc.rpm [SSL certificate problem: self signed certificate in certificate chain]
    [FAILED] wget-1.21.2-1.aix6.1.ppc.rpm: No more mirrors to try - All mirrors were already tried without success

    Error: Error downloading packages:
    Cannot download wget/wget-1.21.2-1.aix6.1.ppc.rpm: All mirrors were tried

    I tried to re-install the ca-certs:
    # rpm --reinstall ca-certificates-2021.2.52-1.aix6.1.ppc.rpm
    Doing /var/ssl/certs
    Doing /var/ssl/64/certs
    Doing /var/ssl/certs


    # oslevel -s
    7200-05-03-2148

    root@bison13 [/IPW/installs/aix_rpms]
    # dnf --version
    4.2.17
    Installed: dnf-0:4.2.17-32_50.ppc at Thu Jun 16 17:55:21 MST 2022
    Built : IBM AIX Toolbox <https://ibm.biz/AIXToolbox> at Thu Apr 21 10:10:15 MST 2022

    # rpm -qi curl
    Name : curl
    Version : 7.79.1
    Release : 1
    Architecture: ppc
    Install Date: Thu Jun 16 11:55:11 MDT 2022
    Group : Applications/Internet
    Size : 4567917
    License : MIT/X derivate
    Signature : (none)
    Source RPM : curl-7.79.1-1.src.rpm
    Build Date : Wed Oct 6 07:48:02 MDT 2021
    Build Host : pokndd5.pok.stglabs.ibm.com
    Relocations : /opt/freeware
    Packager : IBM AIX Toolbox <https://ibm.biz/AIXToolbox>
    URL : http://curl.haxx.se/
    Bug URL : https://ibm.biz/aixoss_forum
    Summary : get a file from a FTP or HTTP server.
    Description :
    curl is a client to get documents/files from servers, using any of the
    supported protocols. The command is designed to work without user
    interaction or any kind of interactivity.

    curl offers many useful tricks like proxy support, user authentication,
    ftp upload, HTTP post, file transfer resume and more.


    Note: this version is compiled with SSL support.


    # lslpp -l | grep ssl
    openssl.base 1.1.2.1200 COMMITTED Open Secure Socket Layer
    openssl.base 1.1.2.1200 COMMITTED Open Secure Socket Layer



    Thanks

    ------------------------------
    Adam Swartz
    ------------------------------


  • 2.  RE: certificate issue

    Posted Fri June 17, 2022 06:48 AM
    The new openssl 1.1.1 c_rehash script missed adding the support for .crt files which causes this issue. 
    You can run the below script to fix this issue. 

    # Check whether c_rehash already handles .crt files
    grep 'FILE: foreach \$fname' /usr/bin/c_rehash | grep "crt" >/dev/null 2>&1
    if [[ $? -ne 0 ]]
    then
        # Work on a copy so the shipped /usr/bin/c_rehash stays untouched
        cp /usr/bin/c_rehash /usr/linux/bin/c_rehash
        # Restore the extension filter (.pem, .crt, .cer, .crl); \\ keeps the backslash in the Perl regex
        sed 's#FILE: foreach .*#FILE: foreach $fname (grep {/\\.(pem)|(crt)|(cer)|(crl)$/} @flist) {#' /usr/linux/bin/c_rehash > /usr/linux/bin/c_rehash_bak
        mv /usr/linux/bin/c_rehash_bak /usr/linux/bin/c_rehash
        chmod +x /usr/linux/bin/c_rehash
        # Rebuild the hash links, then remove the temporary copy
        /usr/linux/bin/c_rehash >/dev/null 2>&1
        rm /usr/linux/bin/c_rehash
    else
        /usr/bin/c_rehash >/dev/null 2>&1
    fi

    The OpenSSL team is working on this issue and will release an updated openssl fileset soon.
    From the toolbox side, we are working on updating ca-certificates, which will work even with this buggy openssl fileset.

    ------------------------------
    Ayappan P
    ------------------------------
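
    The effect described in the reply above can be checked directly: OpenSSL finds CA certificates in a directory through `<hash>.<n>` symlinks, so a certificate file that c_rehash skipped has no link pointing at it. The following is an added example, not part of the original posts or of the AIX Toolbox; the function names `unhashed_certs` and `demo` are hypothetical, the sample files are constructed, and it only checks that a link exists, not that the hash is correct.

```shell
#!/bin/sh
# Added example: list certificate files in an OpenSSL CA directory that
# have no <hash>.<n> symlink pointing at them (i.e. were skipped by c_rehash).

# unhashed_certs DIR -> one file name per line for every *.pem, *.crt, *.cer
# file in DIR that no hash-style symlink in DIR resolves to.
unhashed_certs() {
    dir=$1
    linked=""
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        name=${link##*/}
        # c_rehash names links as 8 hex digits, a dot and a counter, e.g. 5ad8a5d6.0
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) continue ;;
        esac
        target=$(readlink "$link")
        # Remember the base name of every file a hash link points to
        linked="$linked
${target##*/}"
    done
    for f in "$dir"/*.pem "$dir"/*.crt "$dir"/*.cer; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        base=${f##*/}
        printf '%s\n' "$linked" | grep -Fqx -- "$base" || printf '%s\n' "$base"
    done
}

# Constructed sample directory: a.pem has a hash link, b.crt was skipped.
# The link name is a made-up value; the files are empty placeholders.
demo() {
    d=$(mktemp -d)
    : > "$d/a.pem"
    : > "$d/b.crt"
    ln -s a.pem "$d/5ad8a5d6.0"
    unhashed_certs "$d"
    rm -rf "$d"
}

demo
```

    On an affected system, `unhashed_certs /var/ssl/certs` (the directory named in the rpm output earlier in the thread) would list the .crt files that still need hashing.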



  • 3.  RE: certificate issue

    Posted Fri June 17, 2022 10:45 AM
    Thanks Ayappan.  I appreciate the script.  That got me working again!

    Thanks


    ------------------------------
    Adam Swartz
    ------------------------------



  • 4.  RE: certificate issue

    Posted Mon June 20, 2022 02:12 AM
    Ayappan, you are great: your script was fine and my "dnf update" runs again.
    Thanks a lot.
    Claude.


    ------------------------------
    Claude PRAT
    ------------------------------



  • 5.  RE: certificate issue

    Posted Mon June 27, 2022 03:16 AM
    Thank you!

    ------------------------------
    Leonardo Larsen Rocha
    ------------------------------



  • 6.  RE: certificate issue

    Posted Tue June 28, 2022 03:22 PM
    Latest fix for openssl (1.1.1.1201) made c_rehash work again as it should.

    ------------------------------
    Philip Krab
    ------------------------------



  • 7.  RE: certificate issue

    Posted Thu July 28, 2022 08:34 AM
    Thanks for the fix

    ------------------------------
    Hector Speight
    ------------------------------



  • 8.  RE: certificate issue

    IBM Champion
    Posted Mon March 13, 2023 04:33 AM

    Hello Ayappan, dear community,

    I just changed the config for the AIX_Toolbox repos to https and am now also having the certificate errors.

    I already tried the script Ayappan provided and already installed the newest, just-published openssl version 3.0.8.
    Any recommendations would be very appreciated.

    best regards,
    Jörg



    ------------------------------
    Joerg Kauke
    Unix Administrator
    COOP Switzerland
    ------------------------------



  • 9.  RE: certificate issue

    IBM Champion
    Posted Mon March 13, 2023 04:54 AM

    reinstalled the ca-certificates and it works now...



    ------------------------------
    Joerg Kauke
    Unix Administrator
    COOP Switzerland
    ------------------------------



  • 10.  RE: certificate issue

    Posted Thu September 21, 2023 12:52 PM

    Thank you, this fixed my issue also. I was getting an error loading cloud-init on AIX 7.1; no patches had been installed yet.



    ------------------------------
    Karen Van Gogh
    Jack Henry and Associates
    kvangogh@jackhenry.com
    ------------------------------