Re: [pca] Patch download fails
I don't think that Oracle will (soon) fix the problem on their side, so I pushed out a new stable version of PCA with the previously mentioned changes. If you are using /usr/sfw/bin/wget from stock Solaris, SSL certs will not be verified as of now. Depending on how paranoid you are, install and use a local version of wget 1.12 to avoid this. Martin.
Re: [pca] Patch download fails
I'm now in contact with Don O'Malley from Oracle and sent him details about the issue. I will delay the publishing of a new stable version of PCA until I know if and what Oracle will do about it. Until then, feel free to use the development version of PCA and report any problems you should have with that. Martin.
Re: [pca] Patch download fails
Martin,

I do not remember whether the listserv allows attachments but I ran the current dev pca on x86 Solaris 10 (so I used 151616) - the output is attached.

Thanks,
Glen

-----Original Message-----
From: pca [mailto:pca-boun...@lists.univie.ac.at] On Behalf Of Martin Paul
Sent: Tuesday, March 24, 2015 2:59 AM
To: PCA (Patch Check Advanced) Discussion
Subject: Re: [pca] Patch download fails

Thanks Jan for the detailed analysis, that makes perfect sense! I have made two changes to the development version of PCA:

http://www.par.univie.ac.at/solaris/pca/develop/pca

- Add the GeoTrust CA cert
- Use --no-check-certificate with wget versions <= 1.12

The bug with recognizing alternative names in certs seems to be fixed in wget 1.13.1 onwards. For wget versions <= 1.12 I have no choice but turning off certificate checks. That's ugly, but if Oracle doesn't change the certificate, there is no other choice.

Can somebody please check whether the latest wget patches for Solaris (125215-05 and 125216-05) provide a version of wget newer than 1.12, and if so, whether patch downloads work with the current development version of PCA?

I'd also like to encourage anybody to test the new version with other versions of wget, and see whether it works in all environments. If patch downloads fail, please post output of pca --debug -d 151615-01.

Best, Martin.
sudo ~/pcatest --debug -d 151616-01 --xrefdir=/var/tmp/pcatmp --patchdir=/var/tmp/pcatmp
Option download: 1
Option xrefdir: /var/tmp/pcatmp
Option patchdir: /var/tmp/pcatmp
Option debug: 1
Command: /home/gunselmg/pcatest
ARGV: 151616-01
Version: 20150324-01
CWD: /home/gunselmg
Found /usr/sfw/bin/wget (1.12, 11200, https)
Using /usr/sfw/bin/wget
Found /usr/bin/uname
Prerequisites for threads not met, setting threads to 0
Never update
Expanded patch list: 151616-01
xref mtime: Mon Mar 23 21:51:05 2015
xref now : Tue Mar 24 08:46:39 2015
xref ctime: Tue Mar 24 08:40:53 2015
xref age : 346
Local file /var/tmp/pcatmp/patchdiag.xref is up to date
osname from uname: SunOS
Reading from /usr/bin/showrev -p 2>/dev/null
patchdiag.xref size: 2319110
Using /var/tmp/pcatmp/patchdiag.xref from Mar/23/15
All operands are fully qualified patch IDs plus revisions
Host: beaker (SunOS 5.10/Generic_150401-17/i386/i86pc)
List: 151616-01 (1/0)
Patch IR CR RSB Age Synopsis
-- -- - -- --- --- ---
151616 -- 01 R-- 10 SunOS 5.10_x86: fcp patch
Looking for 151616-01 (1/1)
Trying Oracle
Please enter My Oracle Support Account User: x
Please enter My Oracle Support Account Password:
Trying https://getupdates.oracle.com/ (1/1)
src: oracle, srcurl:
Adding to /tmp/pca.834122: header=Authorization: Basic base64-user-passwd
/usr/sfw/bin/wget --progress=dot:binary --ca-certificate=/home/gunselmg/pcatest --no-check-certificate --secure-protocol=TLSv1 -O /var/tmp/pcatmp/151616-01.zip https://getupdates.oracle.com/all_unsigned/151616-01.zip;
--2015-03-24 08:47:22-- https://getupdates.oracle.com/all_unsigned/151616-01.zip
Resolving getupdates.oracle.com... 141.146.44.51
Connecting to getupdates.oracle.com|141.146.44.51|:443... connected.
HTTP request sent, awaiting response...
301 Moved Permanently Cookie coming from updates.oracle.com attempted to set domain to updates.oracle.com Location: https://login.oracle.com/pls/orasso/orasso.wwsso_app_admin.ls_login?site2pstoretoken=v1.2~E4066BF0~7973EDCCC7676D5131DC3CB89FC703B8A50E56110A28E6BEC73AB9FC226E462809BE21F38034C504C5E78D7AA68B6D81CC011E23F2DC5C9971A1C3C8D329C9AA94242F320573B7C536D11AE8BF4D2061B4B42C5B5391182F29DC70BA0174C9B88A9A466F75967FDA9CCC2C57D5D133512D8FA53EC9249B64AC0734929B373A9AF3227FD8587F658080C80DEF7EA311C4D06B8C3C1E41E73696179CB467D9B74D3FA35273D87844223DD24CF11C2DB9E451CF8D4C11D4ACC1FBFF63A3A94D7759 [following] --2015-03-24 08:47:23-- https://login.oracle.com/pls/orasso/orasso.wwsso_app_admin.ls_login?site2pstoretoken=v1.2~E4066BF0~7973EDCCC7676D5131DC3CB89FC703B8A50E56110A28E6BEC73AB9FC226E462809BE21F38034C504C5E78D7AA68B6D81CC011E23F2DC5C9971A1C3C8D329C9AA94242F320573B7C536D11AE8BF4D2061B4B42C5B5391182F29DC70BA0174C9B88A9A466F75967FDA9CCC2C57D5D133512D8FA53EC9249B64AC0734929B373A9AF3227FD8587F658080C80DEF7EA311C4D06B8C3C1E41E73696179CB467D9B74D3FA35273D87844223DD24CF11C2DB9E451CF8D4C11D4ACC1FBFF63A3A94D7759 Resolving login.oracle.com... 209.17.4.8 Connecting to login.oracle.com|209.17.4.8|:443... connected. HTTP request sent, awaiting response... 302 Moved Temporarily Location: https://updates.oracle.com/osso_login_success?urlc=v1.2%7ED9C6954E588E6E09A9829821A9844A75D18EBC3C9458252234D4E895B9C754E09A510205ED1727EC7FD19F36EB74088BFBE45850CE107E46D884FC4D5D1C494FA2825B599B3E58396EFBED0CBD92E255F095D4BB5653841DAEFB19FC38803D7AE301EB6F97553120CF766E73594835FCFBC58334F0723B4EA0AA730D3B945
Re: [pca] Patch download fails
On 24.03.2015 at 11:31, Chuck Floyd wrote:
The wget version is 1.12 with patch 125215-05 on Solaris 10 SPARC. No joy. Thanks for taking a look.

I kind of expected that :-/ So Oracle should either change the certificate or provide an updated version of wget. The first option would be better, as everything would immediately work again on all systems. The second option would require an install of a new wget patch on all systems to make it work again. We probably will see neither of these solutions.

Martin.
Re: [pca] Patch download fails
Thanks Jan for the detailed analysis, that makes perfect sense! I have made two changes to the development version of PCA:

http://www.par.univie.ac.at/solaris/pca/develop/pca

- Add the GeoTrust CA cert
- Use --no-check-certificate with wget versions <= 1.12

The bug with recognizing alternative names in certs seems to be fixed in wget 1.13.1 onwards. For wget versions <= 1.12 I have no choice but turning off certificate checks. That's ugly, but if Oracle doesn't change the certificate, there is no other choice.

Can somebody please check whether the latest wget patches for Solaris (125215-05 and 125216-05) provide a version of wget newer than 1.12, and if so, whether patch downloads work with the current development version of PCA?

I'd also like to encourage anybody to test the new version with other versions of wget, and see whether it works in all environments. If patch downloads fail, please post output of pca --debug -d 151615-01.

Best, Martin.
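[Added example, not part of the original post and not PCA's own code.] The two wget errors reported in this thread have different causes and different fixes, and only one of them depends on the wget version. The sketch below classifies them from wget output and maps each to a remedy that keeps certificate verification on where possible; the function names and remedy tags are made up for illustration, and the version thresholds are the ones stated in the message above.

```shell
#!/bin/sh
# Added example, not PCA code. Thresholds come from the thread:
# wget <= 1.12 ignores subjectAltName; 1.13.1 onwards reportedly checks it.

# "1.12" -> 11200, "1.13.1" -> 11301 (same shape as the number in pca --debug output).
wget_version_num() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1 * 10000 + $2 * 100 + $3 }'
}

# cn-only: matches the host against the certificate CN only.
# san-aware: also checks subjectAltName entries. unknown: the thread does not say (1.13).
wget_san_status() {
    n=$(wget_version_num "$1")
    if [ "$n" -le 11200 ]; then echo "cn-only"
    elif [ "$n" -ge 11301 ]; then echo "san-aware"
    else echo "unknown"
    fi
}

# Read wget output on stdin and print one tag per TLS error class found.
classify_wget_tls_errors() {
    awk '
        /Unable to locally verify the issuer.s authority/ { issuer = 1 }
        /certificate common name .* doesn.t match requested host name/ { name = 1 }
        END {
            if (issuer) print "untrusted-issuer"
            if (name)   print "name-mismatch"
        }'
}

# Usage: tls_remedy WGET_VERSION < wget.log
# Maps each error to a fix that keeps verification on where that is possible.
tls_remedy() {
    status=$(wget_san_status "$1")
    for err in $(classify_wget_tls_errors); do
        case "$err:$status" in
            untrusted-issuer:*)      echo "add-root-ca" ;;
            name-mismatch:cn-only)   echo "upgrade-wget" ;;
            name-mismatch:san-aware) echo "check-hostname" ;;
            name-mismatch:unknown)   echo "test-san-support" ;;
        esac
    done
}

# Constructed sample: the two ERROR lines quoted in this thread.
sample_log() {
    cat <<'EOF'
Connecting to aru-akam-secure.oracle.com|104.64.51.207|:443... connected.
ERROR: cannot verify aru-akam-secure.oracle.com's certificate, issued by `/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA':
  Unable to locally verify the issuer's authority.
ERROR: certificate common name `download-secure.oracle.com' doesn't match requested host name `aru-akam-secure.oracle.com'.
EOF
}

sample_log | tls_remedy 1.12
```

A name mismatch reported by a SAN-aware wget means the requested host really is absent from the certificate, which is why that case maps to "check-hostname" rather than to disabling verification.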
Re: [pca] Patch download fails
I get for example:

Resolving aru-akam-secure.oracle.com... 104.64.51.207
Connecting to aru-akam-secure.oracle.com|104.64.51.207|:443... connected.
ERROR: cannot verify aru-akam-secure.oracle.com's certificate, issued by `/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA':
Unable to locally verify the issuer's authority.
ERROR: certificate common name `download-secure.oracle.com' doesn't match requested host name `aru-akam-secure.oracle.com'.
To connect to aru-akam-secure.oracle.com insecurely, use `--no-check-certificate'.
Removing /tmp/pca.412347
Failed (Unknown Error)
Failed (patch not found)

On Mon, Mar 23, 2015 at 9:06 AM, Martin Paul martin.p...@univie.ac.at wrote:
Thanks for providing the docs, Daniel! Doesn't look as if they were updated. Doc ID 1199543.1 (Patch download automation for Sun products using wget) was last updated 11-Feb-2014 and it does only mention the known certificates. Just to be sure - could you/somebody download and post getupdates.pem mentioned in that doc?
BTW - Bernd Senf said that --wgetopt=--secure-protocol=TLSv1 was required for patch downloads to work as well - are you using a local copy of wget or the one provided with Solaris? See this note in the above document:
IMPORTANT: https://getupdates.oracle.com web server does not fully support TLS 1.2. Only OpenSSL versions from branch 1.0.0 will work - Oracle Solaris does not deliver higher versions at this time. Customers who are trying to access the URL using latest wget/OpenSSL (ie. from www.opencsw.org) version with TLS 1.2 support may get connection failures.
Best, Martin.

--
Ken Herold
Director, Library Information Systems
Hamilton College
198 College Hill Road
Clinton, NY 13323
315-859-4487
kher...@hamilton.edu
Re: [pca] Patch download fails
Thanks for providing the docs, Daniel! Doesn't look as if they were updated. Doc ID 1199543.1 (Patch download automation for Sun products using wget) was last updated 11-Feb-2014 and it does only mention the known certificates. Just to be sure - could you/somebody download and post getupdates.pem mentioned in that doc? BTW - Bernd Senf said that --wgetopt=--secure-protocol=TLSv1 was required for patch downloads to work as well - are you using a local copy of wget or the one provided with Solaris? See this note in the above document: IMPORTANT: https://getupdates.oracle.com web server does not fully support TLS 1.2. Only OpenSSL versions from branch 1.0.0 will work - Oracle Solaris does not deliver higher versions at this time. Customers who are trying to access the URL using latest wget/OpenSSL (ie. from www.opencsw.org) version with TLS 1.2 support may get connection failures. Best, Martin.
Re: [pca] Patch download fails
Upgraded to GNU Wget 1.15 built on solaris2.10 getting same errors.

On Mon, Mar 23, 2015 at 10:41 AM, Jan Holzhueter j...@baltic-online.de wrote:
Hi,
On 23.03.15 at 14:55, Martin Paul wrote:
On 23.03.2015 at 14:27, Ken Herold wrote:
I get for example:
Resolving aru-akam-secure.oracle.com... 104.64.51.207
Connecting to aru-akam-secure.oracle.com|104.64.51.207|:443... connected.
ERROR: cannot verify aru-akam-secure.oracle.com's certificate, issued by `/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA':
Unable to locally verify the issuer's authority.
Thanks!
ERROR: certificate common name `download-secure.oracle.com' doesn't match requested host name `aru-akam-secure.oracle.com'.
I'm not sure whether this is a problem with the certificate itself or with wget. Anybody?
The cert looks ok, it does have a Common Name and a few Alternative Names (SAN):
Common names: download-secure.oracle.com
Alternative names:
epd-akam-intl-secure.oracle.com
epd-akam-us-secure.oracle.com
dev-epd-akam-intl-secure.oracle.com
dev-epd-akam-us-secure.oracle.com
aru-akam-secure.oracle.com
failover-aru-akam-secure.oracle.com
dev-aru-akam-secure.oracle.com
failover-dev-aru-akam-secure.oracle.com
download-secure.oracle.com
https://www.ssllabs.com/ssltest/analyze.html?d=aru-akam-secure.oracle.com
Checking here: https://bugzilla.redhat.com/show_bug.cgi?id=674186
Looks like older wget doesn't work with SAN certificates. So either update wget or use --no-check-certificate (which of course is not nice).
Greetings
Jan
--
Jan Holzhüter
Baltic Online Computer GmbH
Registered office: Koppelberg 4-6, 24159 Kiel
http://www.baltic-online.de Tel.: +49 (0)431 54003-0
Managing Director: Erik Cickovskis, Amtsgericht Kiel, HRB 3756

--
Ken Herold
Director, Library Information Systems
Hamilton College
198 College Hill Road
Clinton, NY 13323
315-859-4487
kher...@hamilton.edu
Re: [pca] Patch download fails
Solved mine, too. Thanks!!

On Mon, Mar 23, 2015 at 2:27 PM, Jan Holzhüter j...@baltic-online.de wrote:
Hi,
On 23.03.15 at 17:23, Chuck Floyd wrote:
same result with 1.16.3 from opencsw
One piece is missing in the pca script: the root certificate from Geo Trust. Martin only added the intermediate one.
https://de.ssl-tools.net/certificates/casgk1-geotrust-global-ca
If you add
[PEM certificate block omitted]
at the end of the script it does work (with the latest wget version from opencsw). (The Oracle-provided one in /usr/sfw/bin/ still suffers the SAN problem, as it seems.)
Hope that helps.
Greetings
Jan

--
Ken Herold
Director, Library Information Systems
Hamilton College
198 College Hill Road
Clinton, NY 13323
315-859-4487
kher...@hamilton.edu
Re: [pca] Patch download fails
same result with 1.16.3 from opencsw

On Mon, Mar 23, 2015 at 11:37 AM, Ken Herold kher...@hamilton.edu wrote:
Upgraded to GNU Wget 1.15 built on solaris2.10 getting same errors.
On Mon, Mar 23, 2015 at 10:41 AM, Jan Holzhueter j...@baltic-online.de wrote:
Hi,
On 23.03.15 at 14:55, Martin Paul wrote:
On 23.03.2015 at 14:27, Ken Herold wrote:
I get for example:
Resolving aru-akam-secure.oracle.com... 104.64.51.207
Connecting to aru-akam-secure.oracle.com|104.64.51.207|:443... connected.
ERROR: cannot verify aru-akam-secure.oracle.com's certificate, issued by `/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA':
Unable to locally verify the issuer's authority.
Thanks!
ERROR: certificate common name `download-secure.oracle.com' doesn't match requested host name `aru-akam-secure.oracle.com'.
I'm not sure whether this is a problem with the certificate itself or with wget. Anybody?
The cert looks ok, it does have a Common Name and a few Alternative Names (SAN):
Common names: download-secure.oracle.com
Alternative names:
epd-akam-intl-secure.oracle.com
epd-akam-us-secure.oracle.com
dev-epd-akam-intl-secure.oracle.com
dev-epd-akam-us-secure.oracle.com
aru-akam-secure.oracle.com
failover-aru-akam-secure.oracle.com
dev-aru-akam-secure.oracle.com
failover-dev-aru-akam-secure.oracle.com
download-secure.oracle.com
https://www.ssllabs.com/ssltest/analyze.html?d=aru-akam-secure.oracle.com
Checking here: https://bugzilla.redhat.com/show_bug.cgi?id=674186
Looks like older wget doesn't work with SAN certificates. So either update wget or use --no-check-certificate (which of course is not nice).
Greetings
Jan
--
Jan Holzhüter
Baltic Online Computer GmbH
Registered office: Koppelberg 4-6, 24159 Kiel
http://www.baltic-online.de Tel.: +49 (0)431 54003-0
Managing Director: Erik Cickovskis, Amtsgericht Kiel, HRB 3756
--
Ken Herold
Director, Library Information Systems
Hamilton College
198 College Hill Road
Clinton, NY 13323
315-859-4487
kher...@hamilton.edu
Re: [pca] Patch download fails
Hi,

On 23.03.15 at 17:23, Chuck Floyd wrote:
same result with 1.16.3 from opencsw

One piece is missing in the pca script: the root certificate from Geo Trust. Martin only added the intermediate one.

https://de.ssl-tools.net/certificates/casgk1-geotrust-global-ca

If you add
[PEM certificate block omitted]
at the end of the script it does work (with the latest wget version from opencsw). (The Oracle-provided one in /usr/sfw/bin/ still suffers the SAN problem, as it seems.)

Hope that helps.

Greetings
Jan
Re: [pca] Patch download fails
This works with wget vers 1.15 from my Linux desktop with the additional cert.

On Mon, Mar 23, 2015 at 2:27 PM, Jan Holzhüter j...@baltic-online.de wrote:
Hi,
On 23.03.15 at 17:23, Chuck Floyd wrote:
same result with 1.16.3 from opencsw
One piece is missing in the pca script: the root certificate from Geo Trust. Martin only added the intermediate one.
https://de.ssl-tools.net/certificates/casgk1-geotrust-global-ca
If you add
[PEM certificate block omitted]
at the end of the script it does work (with the latest wget version from opencsw). (The Oracle-provided one in /usr/sfw/bin/ still suffers the SAN problem, as it seems.)
Hope that helps.
Greetings
Jan
[pca] Patch download fails
Once again Oracle has changed its patch download infrastructure causing PCA to fail when trying to download patches. If you see download errors please try to use PCA with --wgetopt=--no-check-certificate. Unfortunately I can not take a closer look at that right now for personal reasons, so do not expect an updated version of PCA in the next days. Best, Martin.
Re: [pca] pca patch download fails with Unknown error/patch not found
Martin Paul and Martin Wismer:

Thanks for your replies! I downloaded and installed wget (and all required dependency software) from sunfreeware.com on two different Sun servers. The pca.perl script successfully downloaded most of the recommended security patches, but about a third failed to download with the Failed (Unknown Error) message:

# ./pca.perl -d -P /usr/local/patches missingrs
Using /var/tmp/patchdiag.xref from Oct/02/11
Host: (SunOS 5.10/Generic_139555-08/sparc/sun4v)
List: missingrs (171/55678)
...
Trying https://getupdates.oracle.com/ (zip) (1/1)
...
Looking for 147436-01 (170/171)
Trying Oracle
Trying https://getupdates.oracle.com/ (zip) (1/1)
Failed (Unknown Error)
Trying https://getupdates.oracle.com/ (tar.Z) (1/1)
Failed (Error 404: Not Found)
Failed (patch not found)
--
147440 -- 03 RS- 5 SunOS 5.10: Solaris kernel patch
Looking for 147440-03 (171/171)
Trying Oracle
Trying https://getupdates.oracle.com/ (zip) (1/1)
Done
--
Download Summary: 171 total, 120 successful, 0 skipped, 51 failed

However, you were correct about using /usr/sfw/bin/wget. I moved the sunfreeware wget out of the way, and put a link in /usr/local/bin to point to /usr/sfw/bin/wget. Then I ran pca.perl again. Those missing patches are downloading without error now!

Thanks a lot for your help!
Lisa

-----Original Message-----
From: pca-boun...@lists.univie.ac.at [mailto:pca-boun...@lists.univie.ac.at] On Behalf Of Martin Paul
Sent: Tuesday, September 06, 2011 5:07 AM
To: PCA (Patch Check Advanced) Discussion
Subject: Re: [pca] pca patch download fails with Unknown error/patch not found

Martin.Wismer. wrote:
There are also some new wget releases. 1.13 and later needs some new libraries. What the changes are with 1.13.3 I don't know yet.

Ah, I hadn't noticed that. So I tried to compile wget 1.13.3 on a vanilla Solaris 10 system, and it failed with compiler errors. This seems to be due to the change that wget now uses GNU TLS instead of OpenSSL by default. But even when forcing it to use OpenSSL again (./configure --with-ssl=openssl), it failed with some linker error. Wonderful! :-(

So more than ever I recommend using the version of wget which is bundled with Solaris (as /usr/sfw/bin/wget) with PCA.

Martin.
Re: [pca] pca patch download fails with Unknown error/patch not found
Hello Martin,

There are also some new wget releases. 1.13 and later needs some new libraries. What the changes are with 1.13.3 I don't know yet.

Greetings from sunny Switzerland
Martin.Wismer..

On 05.09.2011 14:22, Martin Paul wrote:
Hi Lisa, sorry for the late reply, I was out of town. It seems as if it's a problem with the wget binary (/usr/local/bin/wget) on your system:
/usr/local/bin/wget --progress=dot:binary https://getupdates.oracle.com/all_unsigned/119254-81.zip; --ca-certificate=./pca.perl -O /usr/local/bin/./119254-81.tmp
--2011-09-01 16:28:01-- https://getupdates.oracle.com/all_unsigned/119254-81.zip
idn_decode failed (9): `System iconv failed'
Resolving getupdates.oracle.com... 141.146.44.51
idn_decode failed (9): `System iconv failed'
Connecting to getupdates.oracle.com|141.146.44.51|:443... connected.
GnuTLS: ASN1 parser: Element was not found.
Unable to establish SSL connection.
Usually, you have a perfectly working wget binary available on any Solaris system, under /usr/sfw/bin/wget. Please try again with pca --debug --wget /usr/sfw/bin/wget --download 119254.
Martin.
Re: [pca] pca patch download fails with Unknown error/patch not found
Hi Lisa, sorry for the late reply, I was out of town. It seems as if it's a problem with the wget binary (/usr/local/bin/wget) on your system:

/usr/local/bin/wget --progress=dot:binary https://getupdates.oracle.com/all_unsigned/119254-81.zip; --ca-certificate=./pca.perl -O /usr/local/bin/./119254-81.tmp
--2011-09-01 16:28:01-- https://getupdates.oracle.com/all_unsigned/119254-81.zip
idn_decode failed (9): `System iconv failed'
Resolving getupdates.oracle.com... 141.146.44.51
idn_decode failed (9): `System iconv failed'
Connecting to getupdates.oracle.com|141.146.44.51|:443... connected.
GnuTLS: ASN1 parser: Element was not found.
Unable to establish SSL connection.

Usually, you have a perfectly working wget binary available on any Solaris system, under /usr/sfw/bin/wget. Please try again with pca --debug --wget /usr/sfw/bin/wget --download 119254.

Martin.