certificate issue

View Only

Expand all | Collapse all

1. certificate issue

1 Like
Adam Swartz
Posted Thu June 16, 2022 04:46 PM

Reply
I recently installed dnf but it seems to have stopped working for some reason. Initially I ran 'dnf update --allowerasing' and it completed ok. When I try to install anything new I am getting a certificate error:

# dnf install wget
Last metadata expiration check: 4:37:30 ago on Thu Jun 16 09:58:51 MDT 2022.
Dependencies resolved.
===========================================================================================================================
Package Architecture Version Repository Size
===========================================================================================================================
Installing:
wget ppc 1.21.2-1 AIX_Toolbox 705 k

Transaction Summary
===========================================================================================================================
Install 1 Package

Total download size: 705 k
Installed size: 705 k
Is this ok [y/N]: y
Downloading Packages:
[MIRROR] wget-1.21.2-1.aix6.1.ppc.rpm: Curl error (60): SSL peer certificate or SSH remote key was not OK for anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/wget/wget-1.21.2-1.aix6.1.ppc.rpm">https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/wget/wget-1.21.2-1.aix6.1.ppc.rpm [SSL certificate problem: self signed certificate in certificate chain]
[MIRROR] wget-1.21.2-1.aix6.1.ppc.rpm: Curl error (60): SSL peer certificate or SSH remote key was not OK for anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/wget/wget-1.21.2-1.aix6.1.ppc.rpm">https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/wget/wget-1.21.2-1.aix6.1.ppc.rpm [SSL certificate problem: self signed certificate in certificate chain]
[MIRROR] wget-1.21.2-1.aix6.1.ppc.rpm: Curl error (60): SSL peer certificate or SSH remote key was not OK for anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/wget/wget-1.21.2-1.aix6.1.ppc.rpm">https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/wget/wget-1.21.2-1.aix6.1.ppc.rpm [SSL certificate problem: self signed certificate in certificate chain]
[MIRROR] wget-1.21.2-1.aix6.1.ppc.rpm: Curl error (60): SSL peer certificate or SSH remote key was not OK for anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/wget/wget-1.21.2-1.aix6.1.ppc.rpm">https://anonymous:anonymous@public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/wget/wget-1.21.2-1.aix6.1.ppc.rpm [SSL certificate problem: self signed certificate in certificate chain]
[FAILED] wget-1.21.2-1.aix6.1.ppc.rpm: No more mirrors to try - All mirrors were already tried without success

Error: Error downloading packages:
Cannot download wget/wget-1.21.2-1.aix6.1.ppc.rpm: All mirrors were tried

I tried to re-install the ca-certs:
# rpm --reinstall ca-certificates-2021.2.52-1.aix6.1.ppc.rpm
Doing /var/ssl/certs
Doing /var/ssl/64/certs
Doing /var/ssl/certs

# oslevel -s
7200-05-03-2148

root@bison13 [/IPW/installs/aix_rpms]
# dnf --version
4.2.17
Installed: dnf-0:4.2.17-32_50.ppc at Thu Jun 16 17:55:21 MST 2022
Built : IBM AIX Toolbox <https://ibm.biz/AIXToolbox> at Thu Apr 21 10:10:15 MST 2022

# rpm -qi curl
Name : curl
Version : 7.79.1
Release : 1
Architecture: ppc
Install Date: Thu Jun 16 11:55:11 MDT 2022
Group : Applications/Internet
Size : 4567917
License : MIT/X derivate
Signature : (none)
Source RPM : curl-7.79.1-1.src.rpm
Build Date : Wed Oct 6 07:48:02 MDT 2021
Build Host : pokndd5.pok.stglabs.ibm.com
Relocations : /opt/freeware
Packager : IBM AIX Toolbox <https://ibm.biz/AIXToolbox>
URL : http://curl.haxx.se/
Bug URL : https://ibm.biz/aixoss_forum
Summary : get a file from a FTP or HTTP server.
Description :
curl is a client to get documents/files from servers, using any of the
supported protocols. The command is designed to work without user
interaction or any kind of interactivity.

curl offers many useful tricks like proxy support, user authentication,
ftp upload, HTTP post, file transfer resume and more.

Note: this version is compiled with SSL support.

# lslpp -l | grep ssl
openssl.base 1.1.2.1200 COMMITTED Open Secure Socket Layer
openssl.base 1.1.2.1200 COMMITTED Open Secure Socket Layer

Thanks

------------------------------
Adam Swartz
------------------------------
2. RE: certificate issue

3 Like
Ayappan P
Posted Fri June 17, 2022 06:48 AM

Reply
The new openssl 1.1.1 c_rehash script missed adding the support for .crt files which causes this issue.
You can run the below script to fix this issue.

grep "FILE: foreach $fname *" /usr/bin/c_rehash | grep "crt" >/dev/null 2>&1

if [[ $? -ne 0 ]]

then

    cp /usr/bin/c_rehash /usr/linux/bin/c_rehash

    sed 's#FILE: foreach .*#FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {#' /usr/linux/bin/c_rehash | tee /usr/linux/bin/c_rehash_bak >/dev/null 2>&1

    mv /usr/linux/bin/c_rehash_bak /usr/linux/bin/c_rehash

    chmod +x /usr/linux/bin/c_rehash

    /usr/linux/bin/c_rehash >/dev/null 2>&1

    rm /usr/linux/bin/c_rehash

else

    /usr/bin/c_rehash >/dev/null 2>&1

fi
Openssl team is working on this issue and will release an updated openssl fileset soon.
From toolbox side, we are working on updating ca-certificates which will work even with this buggy openssl fileset also.

------------------------------
Ayappan P
------------------------------

Original Message
3. RE: certificate issue

0 Like
Adam Swartz
Posted Fri June 17, 2022 10:45 AM

Reply
Thanks Ayappan. I appreciate the script. That got me working again!

Thanks

------------------------------
Adam Swartz
------------------------------

Original Message
4. RE: certificate issue

0 Like
Claude PRAT
Posted Mon June 20, 2022 02:12 AM

Reply
Ayappan you are great : your script was fine and my "dnf update" run again.
Thanks a lot.
Claude.

------------------------------
Claude PRAT
------------------------------

Original Message
5. RE: certificate issue

0 Like
Leonardo Larsen Rocha
Posted Mon June 27, 2022 03:16 AM

Reply
Thank you!

------------------------------
Leonardo Larsen Rocha
------------------------------

Original Message
6. RE: certificate issue

1 Like
Philip Krab
Posted Tue June 28, 2022 03:22 PM

Reply
Latest fix for openssl (1.1.1.1201) made c_rehash work again as it should.

------------------------------
Philip Krab
------------------------------

Original Message
7. RE: certificate issue

0 Like
Hector Speight
Posted Thu July 28, 2022 08:34 AM

Reply
Thanks for the fix

------------------------------
Hector Speight
------------------------------

Original Message
8. RE: certificate issue

0 Like
IBM Champion

Joerg Kauke
Posted Mon March 13, 2023 04:33 AM

Reply
Hello Ayappan, dear community,

I just changed the config for the AIX_Toolbox repos to https and now having also the certificate errors.

I already tried the script Ayappan provided and already installed the newest just published openssl version 3.0.8.
Any recommendations would be very appreciated.

best regards,
Jörg

------------------------------
Joerg Kauke
Unix Administrator
COOP Switzerland
------------------------------

Original Message
9. RE: certificate issue

0 Like
IBM Champion

Joerg Kauke
Posted Mon March 13, 2023 04:54 AM

Reply
reinstalled the ca-certificates and it works now...

------------------------------
Joerg Kauke
Unix Administrator
COOP Switzerland
------------------------------

Original Message
10. RE: certificate issue

0 Like
Karen Van Gogh
Posted Thu September 21, 2023 12:52 PM

Reply
Thank you this fixed my issue also: I was getting an error loading cloud-init on AIX 7.1 .. no patches had been installed yet

------------------------------
Karen Van Gogh
Jack Henry and Associates
kvangogh@jackhenry.com
------------------------------

Original Message

IBM Power

Connect, learn, share, and engage with IBM Power.

AIX Open Source

certificate issue

Adam SwartzThu June 16, 2022 04:46 PM

Ayappan PFri June 17, 2022 06:48 AM

Adam SwartzFri June 17, 2022 10:45 AM

Claude PRATMon June 20, 2022 02:12 AM

Leonardo Larsen RochaMon June 27, 2022 03:16 AM

Philip KrabTue June 28, 2022 03:22 PM

Hector SpeightThu July 28, 2022 08:34 AM

Joerg KaukeMon March 13, 2023 04:33 AM

Joerg KaukeMon March 13, 2023 04:54 AM

Karen Van GoghThu September 21, 2023 12:52 PM

1. certificate issue

2. RE: certificate issue

3. RE: certificate issue

4. RE: certificate issue

5. RE: certificate issue

6. RE: certificate issue

7. RE: certificate issue

8. RE: certificate issue

9. RE: certificate issue

10. RE: certificate issue