Re: [pca] Patch download fails
I get for example: Resolving aru-akam-secure.oracle.com... 104.64.51.207 Connecting to aru-akam-secure.oracle.com|104.64.51.207|:443... connected. ERROR: cannot verify aru-akam-secure.oracle.com's certificate, issued by `/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA': Unable to locally verify the issuer's authority. ERROR: certificate common name `download-secure.oracle.com' doesn't match requested host name `aru-akam-secure.oracle.com'. To connect to aru-akam-secure.oracle.com insecurely, use `--no-check-certificate'. Removing /tmp/pca.412347 Failed (Unknown Error) Failed (patch not found) On Mon, Mar 23, 2015 at 9:06 AM, Martin Paul martin.p...@univie.ac.at wrote: Thanks for providing the docs, Daniel! Doesn't look as if they were updated. Doc ID 1199543.1 (Patch download automation for Sun products using wget) was last updated 11-Feb-2014 and it does only mention the known certificates. Just to be sure - could you/somebody download and post getupdates.pem mentioned in that doc? BTW - Bernd Senf said that --wgetopt=--secure-protocol=TLSv1 was required for patch downloads to work as well - are you using a local copy of wget or the one provided with Solaris? See this note in the above document: IMPORTANT: https://getupdates.oracle.com web server does not fully support TLS 1.2. Only OpenSSL versions from branch 1.0.0 will work - Oracle Solaris does not deliver higher versions at this time. Customers who are trying to access the URL using latest wget/OpenSSL (ie. from www.opencsw.org) version with TLS 1.2 support may get connection failures. Best, Martin. -- Ken Herold Director, Library Information Systems Hamilton College 198 College Hill Road Clinton, NY 13323 315-859-4487 kher...@hamilton.edu
Re: [pca] Patch download fails
Thanks for providing the docs, Daniel! Doesn't look as if they were updated. Doc ID 1199543.1 (Patch download automation for Sun products using wget) was last updated 11-Feb-2014 and it does only mention the known certificates. Just to be sure - could you/somebody download and post getupdates.pem mentioned in that doc? BTW - Bernd Senf said that --wgetopt=--secure-protocol=TLSv1 was required for patch downloads to work as well - are you using a local copy of wget or the one provided with Solaris? See this note in the above document: IMPORTANT: https://getupdates.oracle.com web server does not fully support TLS 1.2. Only OpenSSL versions from branch 1.0.0 will work - Oracle Solaris does not deliver higher versions at this time. Customers who are trying to access the URL using latest wget/OpenSSL (ie. from www.opencsw.org) version with TLS 1.2 support may get connection failures. Best, Martin.
Re: [pca] Patch download fails
Upgraded to GNU Wget 1.15 built on solaris2.10 getting same errors. On Mon, Mar 23, 2015 at 10:41 AM, Jan Holzhueter j...@baltic-online.de wrote: Hi, Am 23.03.15 um 14:55 schrieb Martin Paul: Am 23.03.2015 um 14:27 schrieb Ken Herold: I get for example: Resolving aru-akam-secure.oracle.com... 104.64.51.207 Connecting to aru-akam-secure.oracle.com|104.64.51.207|:443... connected. ERROR: cannot verify aru-akam-secure.oracle.com's certificate, issued by `/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA': Unable to locally verify the issuer's authority. Thanks! ERROR: certificate common name `download-secure.oracle.com' doesn't match requested host name `aru-akam-secure.oracle.com'. I'm not sure whether this a problem with the certificate itself or with wget. Anybody? the cert looks ok it does have a Common name and a few Alternatives Names: (SAN) Common namesdownload-secure.oracle.com Alternative names epd-akam-intl-secure.oracle.com epd-akam-us-secure.oracle.com dev-epd-akam-intl-secure.oracle.com dev-epd-akam-us-secure.oracle.com aru-akam-secure.oracle.com failover-aru-akam-secure.oracle.com dev-aru-akam-secure.oracle.com failover-dev-aru-akam-secure.oracle.com download-secure.oracle.com https://www.ssllabs.com/ssltest/analyze.html?d=aru-akam-secure.oracle.com Checking here: https://bugzilla.redhat.com/show_bug.cgi?id=674186 Looks like older wget dosn't work with SAN certificates. so either update wget or use --no-check-certificate (which of cause is not nice) Greetings Jan -- Jan Holzhüter Baltic Online Computer GmbH Firmensitz: Koppelberg 4-6, 24159 Kiel http://www.baltic-online.deTel.: +49 (0)431 54003-0 Geschäftsführer:Erik Cickovskis, Amtsgericht Kiel, HRB 3756 -- Ken Herold Director, Library Information Systems Hamilton College 198 College Hill Road Clinton, NY 13323 315-859-4487 kher...@hamilton.edu
Re: [pca] Patch download fails
Solved mine, too. Thanks!! On Mon, Mar 23, 2015 at 2:27 PM, Jan Holzhüter j...@baltic-online.de wrote: Hi, Am 23.03.15 um 17:23 schrieb Chuck Floyd: same result with 1.16.3 from opencsw one peace is missing in the pca script. The root Certifitcate from Geo Trust. Matrin only added the intermediate one https://de.ssl-tools.net/certificates/casgk1-geotrust-global-ca If you add -BEGIN CERTIFICATE- MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYT AlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVz dCBHbG9iYWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBC MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A MIIBCgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEH CIjaWC9mOSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlC GDUUna2YRpIuT8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7 csiRv8lVK83Qlz6cJmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAj Nvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdRe JivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQAB o1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTAephojYn7qwVkDBF9 qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1luMrMTjANBgkq hkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKInZ57Qzxpe R+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfStQWV Yrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF PseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot 2/Unhw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeX xx12E6nV5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvm Mw== -END CERTIFICATE- at the end of the script it does work (with the latest Version wget Version from opencsw. (The Oracle Provided on in /usr/sfw/bin/ still suffers the SAN Problem as it seems) Hope that helps. Greetings Jan -- Ken Herold Director, Library Information Systems Hamilton College 198 College Hill Road Clinton, NY 13323 315-859-4487 kher...@hamilton.edu
Re: [pca] Patch download fails
same result with 1.16.3 from opencsw On Mon, Mar 23, 2015 at 11:37 AM, Ken Herold kher...@hamilton.edu wrote: Upgraded to GNU Wget 1.15 built on solaris2.10 getting same errors. On Mon, Mar 23, 2015 at 10:41 AM, Jan Holzhueter j...@baltic-online.de wrote: Hi, Am 23.03.15 um 14:55 schrieb Martin Paul: Am 23.03.2015 um 14:27 schrieb Ken Herold: I get for example: Resolving aru-akam-secure.oracle.com... 104.64.51.207 Connecting to aru-akam-secure.oracle.com|104.64.51.207|:443... connected. ERROR: cannot verify aru-akam-secure.oracle.com's certificate, issued by `/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA': Unable to locally verify the issuer's authority. Thanks! ERROR: certificate common name `download-secure.oracle.com' doesn't match requested host name `aru-akam-secure.oracle.com'. I'm not sure whether this a problem with the certificate itself or with wget. Anybody? the cert looks ok it does have a Common name and a few Alternatives Names: (SAN) Common namesdownload-secure.oracle.com Alternative names epd-akam-intl-secure.oracle.com epd-akam-us-secure.oracle.com dev-epd-akam-intl-secure.oracle.com dev-epd-akam-us-secure.oracle.com aru-akam-secure.oracle.com failover-aru-akam-secure.oracle.com dev-aru-akam-secure.oracle.com failover-dev-aru-akam-secure.oracle.com download-secure.oracle.com https://www.ssllabs.com/ssltest/analyze.html?d=aru-akam-secure.oracle.com Checking here: https://bugzilla.redhat.com/show_bug.cgi?id=674186 Looks like older wget dosn't work with SAN certificates. so either update wget or use --no-check-certificate (which of cause is not nice) Greetings Jan -- Jan Holzhüter Baltic Online Computer GmbH Firmensitz: Koppelberg 4-6, 24159 Kiel http://www.baltic-online.deTel.: +49 (0)431 54003-0 Geschäftsführer:Erik Cickovskis, Amtsgericht Kiel, HRB 3756 -- Ken Herold Director, Library Information Systems Hamilton College 198 College Hill Road Clinton, NY 13323 315-859-4487 kher...@hamilton.edu
Re: [pca] Patch download fails
Hi, Am 23.03.15 um 17:23 schrieb Chuck Floyd: same result with 1.16.3 from opencsw one peace is missing in the pca script. The root Certifitcate from Geo Trust. Matrin only added the intermediate one https://de.ssl-tools.net/certificates/casgk1-geotrust-global-ca If you add -BEGIN CERTIFICATE- MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYT AlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVz dCBHbG9iYWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBC MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A MIIBCgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEH CIjaWC9mOSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlC GDUUna2YRpIuT8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7 csiRv8lVK83Qlz6cJmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAj Nvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdRe JivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQAB o1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTAephojYn7qwVkDBF9 qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1luMrMTjANBgkq hkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKInZ57Qzxpe R+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfStQWV Yrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF PseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot 2/Unhw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeX xx12E6nV5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvm Mw== -END CERTIFICATE- at the end of the script it does work (with the latest Version wget Version from opencsw. (The Oracle Provided on in /usr/sfw/bin/ still suffers the SAN Problem as it seems) Hope that helps. Greetings Jan signature.asc Description: OpenPGP digital signature
Re: [pca] Patch download fails
This works with wget vers 1.15 from my Linux desktop with the additional cert. On Mon, Mar 23, 2015 at 2:27 PM, Jan Holzhüter j...@baltic-online.de wrote: Hi, Am 23.03.15 um 17:23 schrieb Chuck Floyd: same result with 1.16.3 from opencsw one peace is missing in the pca script. The root Certifitcate from Geo Trust. Matrin only added the intermediate one https://de.ssl-tools.net/certificates/casgk1-geotrust-global-ca If you add -BEGIN CERTIFICATE- MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYT AlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVz dCBHbG9iYWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBC MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A MIIBCgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEH CIjaWC9mOSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlC GDUUna2YRpIuT8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7 csiRv8lVK83Qlz6cJmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAj Nvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdRe JivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQAB o1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTAephojYn7qwVkDBF9 qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1luMrMTjANBgkq hkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKInZ57Qzxpe R+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfStQWV Yrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF PseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot 2/Unhw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeX xx12E6nV5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvm Mw== -END CERTIFICATE- at the end of the script it does work (with the latest Version wget Version from opencsw. (The Oracle Provided on in /usr/sfw/bin/ still suffers the SAN Problem as it seems) Hope that helps. Greetings Jan