Solaris won't update because ddt-incorporation is using a self-signed certifcate












4















I'm trying to update my Solaris 11.3 x86 system. The system hasSun/Oracle software on it, including Sun Developer Studio and Sun SSH server. It does not have other software on it, and I don't have anything in /usr/local.



I'm catching this error:



$ sudo pkg update

Creating Plan (Package planning:  1/10): -

pkg update: Chain was rooted in an untrusted self-signed certificate.

The package involved is pkg://solaris/consolidation/ddt/ddt-incorporation@18.3.18.7.13,0.5.11-11.4.0.0.1.11.0:20180718T212443Z


According to Packaging and Delivering Software With the Image Packaging System | Untrusted Self-Signed Certificate, the docs say it is because of using a self-signed OpenSSL certificate. Another similar page is Troubleshooting Signed Packages, but it rehashes the earlier page and adds nothing new. The Oracle docs on updating a package is at Updating a Package but it does not appear to provide the information I need.



The Sun article lacks step-by-step instructions to clear the issue. I'm trying to get Solaris to trust the Sun certificate but I can't get beyond usage errors:



$ sudo pkg set-publisher --approve-ca-cert  solaris/consolidation/ddt/ddt-incorporation

pkg set-publisher: requires a publisher name

Usage:

    pkg set-publisher [-Ped] [-k ssl_key] [-c ssl_cert]

        [-g origin_to_add|--add-origin=origin_to_add ...]

        [-G origin_to_remove|--remove-origin=origin_to_remove ...]

    ....


And:



$ sudo pkg set-publisher --approve-ca-cert  solaris/consolidation/ddt/ddt-incorporation sun

pkg set-publisher: Could not find /export/home/jwalton/solaris/consolidation/ddt/ddt-incorporation


I've tried other combinations, like prepending pkg:// and using the full name but the problems persist.



How do I get beyond this error?






solaris software-updates pkg







share|improve this question

























  • Have you tried using the full path to solaris/consolidation/ddt/ddt-incorporation?

    – Andrew Henle
    Aug 29 '18 at 10:18











  • FWIW, I get the same error here when trying to update a Solaris virtualbox VM with nothing fancy on it. Suggesting Oracle have messed up something somewhere.

    – Stéphane Chazelas
    Aug 29 '18 at 10:29








  • 1





    It's probably a matter of going through the steps described at docs.oracle.com/cd/E37838_01/html/E60977/gmpdi.html

    – Stéphane Chazelas
    Aug 29 '18 at 10:59
















4















I'm trying to update my Solaris 11.3 x86 system. The system hasSun/Oracle software on it, including Sun Developer Studio and Sun SSH server. It does not have other software on it, and I don't have anything in /usr/local.



I'm catching this error:



$ sudo pkg update

Creating Plan (Package planning:  1/10): -

pkg update: Chain was rooted in an untrusted self-signed certificate.

The package involved is pkg://solaris/consolidation/ddt/ddt-incorporation@18.3.18.7.13,0.5.11-11.4.0.0.1.11.0:20180718T212443Z


According to Packaging and Delivering Software With the Image Packaging System | Untrusted Self-Signed Certificate, the docs say it is because of using a self-signed OpenSSL certificate. Another similar page is Troubleshooting Signed Packages, but it rehashes the earlier page and adds nothing new. The Oracle docs on updating a package is at Updating a Package but it does not appear to provide the information I need.



The Sun article lacks step-by-step instructions to clear the issue. I'm trying to get Solaris to trust the Sun certificate but I can't get beyond usage errors:



$ sudo pkg set-publisher --approve-ca-cert  solaris/consolidation/ddt/ddt-incorporation

pkg set-publisher: requires a publisher name

Usage:

    pkg set-publisher [-Ped] [-k ssl_key] [-c ssl_cert]

        [-g origin_to_add|--add-origin=origin_to_add ...]

        [-G origin_to_remove|--remove-origin=origin_to_remove ...]

    ....


And:



$ sudo pkg set-publisher --approve-ca-cert  solaris/consolidation/ddt/ddt-incorporation sun

pkg set-publisher: Could not find /export/home/jwalton/solaris/consolidation/ddt/ddt-incorporation


I've tried other combinations, like prepending pkg:// and using the full name but the problems persist.



How do I get beyond this error?






solaris software-updates pkg







share|improve this question

























  • Have you tried using the full path to solaris/consolidation/ddt/ddt-incorporation?

    – Andrew Henle
    Aug 29 '18 at 10:18











  • FWIW, I get the same error here when trying to update a Solaris virtualbox VM with nothing fancy on it. Suggesting Oracle have messed up something somewhere.

    – Stéphane Chazelas
    Aug 29 '18 at 10:29








  • 1





    It's probably a matter of going through the steps described at docs.oracle.com/cd/E37838_01/html/E60977/gmpdi.html

    – Stéphane Chazelas
    Aug 29 '18 at 10:59














4












4








4








I'm trying to update my Solaris 11.3 x86 system. The system hasSun/Oracle software on it, including Sun Developer Studio and Sun SSH server. It does not have other software on it, and I don't have anything in /usr/local.



I'm catching this error:



$ sudo pkg update

Creating Plan (Package planning:  1/10): -

pkg update: Chain was rooted in an untrusted self-signed certificate.

The package involved is pkg://solaris/consolidation/ddt/ddt-incorporation@18.3.18.7.13,0.5.11-11.4.0.0.1.11.0:20180718T212443Z


According to Packaging and Delivering Software With the Image Packaging System | Untrusted Self-Signed Certificate, the docs say it is because of using a self-signed OpenSSL certificate. Another similar page is Troubleshooting Signed Packages, but it rehashes the earlier page and adds nothing new. The Oracle docs on updating a package is at Updating a Package but it does not appear to provide the information I need.



The Sun article lacks step-by-step instructions to clear the issue. I'm trying to get Solaris to trust the Sun certificate but I can't get beyond usage errors:



$ sudo pkg set-publisher --approve-ca-cert  solaris/consolidation/ddt/ddt-incorporation

pkg set-publisher: requires a publisher name

Usage:

    pkg set-publisher [-Ped] [-k ssl_key] [-c ssl_cert]

        [-g origin_to_add|--add-origin=origin_to_add ...]

        [-G origin_to_remove|--remove-origin=origin_to_remove ...]

    ....


And:



$ sudo pkg set-publisher --approve-ca-cert  solaris/consolidation/ddt/ddt-incorporation sun

pkg set-publisher: Could not find /export/home/jwalton/solaris/consolidation/ddt/ddt-incorporation


I've tried other combinations, like prepending pkg:// and using the full name but the problems persist.



How do I get beyond this error?






solaris software-updates pkg







share|improve this question
















I'm trying to update my Solaris 11.3 x86 system. The system hasSun/Oracle software on it, including Sun Developer Studio and Sun SSH server. It does not have other software on it, and I don't have anything in /usr/local.



I'm catching this error:



$ sudo pkg update

Creating Plan (Package planning:  1/10): -

pkg update: Chain was rooted in an untrusted self-signed certificate.

The package involved is pkg://solaris/consolidation/ddt/ddt-incorporation@18.3.18.7.13,0.5.11-11.4.0.0.1.11.0:20180718T212443Z


According to Packaging and Delivering Software With the Image Packaging System | Untrusted Self-Signed Certificate, the docs say it is because of using a self-signed OpenSSL certificate. Another similar page is Troubleshooting Signed Packages, but it rehashes the earlier page and adds nothing new. The Oracle docs on updating a package is at Updating a Package but it does not appear to provide the information I need.



The Sun article lacks step-by-step instructions to clear the issue. I'm trying to get Solaris to trust the Sun certificate but I can't get beyond usage errors:



$ sudo pkg set-publisher --approve-ca-cert  solaris/consolidation/ddt/ddt-incorporation

pkg set-publisher: requires a publisher name

Usage:

    pkg set-publisher [-Ped] [-k ssl_key] [-c ssl_cert]

        [-g origin_to_add|--add-origin=origin_to_add ...]

        [-G origin_to_remove|--remove-origin=origin_to_remove ...]

    ....


And:



$ sudo pkg set-publisher --approve-ca-cert  solaris/consolidation/ddt/ddt-incorporation sun

pkg set-publisher: Could not find /export/home/jwalton/solaris/consolidation/ddt/ddt-incorporation


I've tried other combinations, like prepending pkg:// and using the full name but the problems persist.



How do I get beyond this error?






solaris software-updates pkg




solaris software-updates pkg






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Aug 29 '18 at 3:57







jww

















asked Aug 29 '18 at 3:27









jwwjww

1,60732267




1,60732267













  • Have you tried using the full path to solaris/consolidation/ddt/ddt-incorporation?

    – Andrew Henle
    Aug 29 '18 at 10:18











  • FWIW, I get the same error here when trying to update a Solaris virtualbox VM with nothing fancy on it. Suggesting Oracle have messed up something somewhere.

    – Stéphane Chazelas
    Aug 29 '18 at 10:29








  • 1





    It's probably a matter of going through the steps described at docs.oracle.com/cd/E37838_01/html/E60977/gmpdi.html

    – Stéphane Chazelas
    Aug 29 '18 at 10:59



















  • Have you tried using the full path to solaris/consolidation/ddt/ddt-incorporation?

    – Andrew Henle
    Aug 29 '18 at 10:18











  • FWIW, I get the same error here when trying to update a Solaris virtualbox VM with nothing fancy on it. Suggesting Oracle have messed up something somewhere.

    – Stéphane Chazelas
    Aug 29 '18 at 10:29








  • 1





    It's probably a matter of going through the steps described at docs.oracle.com/cd/E37838_01/html/E60977/gmpdi.html

    – Stéphane Chazelas
    Aug 29 '18 at 10:59

















Have you tried using the full path to solaris/consolidation/ddt/ddt-incorporation?

– Andrew Henle
Aug 29 '18 at 10:18





Have you tried using the full path to solaris/consolidation/ddt/ddt-incorporation?

– Andrew Henle
Aug 29 '18 at 10:18













FWIW, I get the same error here when trying to update a Solaris virtualbox VM with nothing fancy on it. Suggesting Oracle have messed up something somewhere.

– Stéphane Chazelas
Aug 29 '18 at 10:29







FWIW, I get the same error here when trying to update a Solaris virtualbox VM with nothing fancy on it. Suggesting Oracle have messed up something somewhere.

– Stéphane Chazelas
Aug 29 '18 at 10:29






1




1





It's probably a matter of going through the steps described at docs.oracle.com/cd/E37838_01/html/E60977/gmpdi.html

– Stéphane Chazelas
Aug 29 '18 at 10:59





It's probably a matter of going through the steps described at docs.oracle.com/cd/E37838_01/html/E60977/gmpdi.html

– Stéphane Chazelas
Aug 29 '18 at 10:59










5 Answers
5






active

oldest

votes


















4














It's not self-signed, but it's not signed by a certificate authority that the Solaris 11.3 GA version knows about. Support for the new certificate authority is one of the reasons you need to first update to Solaris 11.3 SRU 23 or later before you can upgrade to Solaris 11.4, as documented in the upgrade instructions.






share|improve this answer
























  • So does this effectively mean that people without a support contract (i.e. no access to the SRU releases) can't upgrade from Solaris 11.3 to 11.4, and instead must do a clean install?

    – Tanz87
    Sep 7 '18 at 9:03











  • @Tanz87 unfortunately, that is correct.

    – alanc
    Sep 9 '18 at 21:35



















2














I think I know exactly what you're trying to do, but you'll also fail at the next step which is where I'm up to.



pkg(1) stashes a copy of the certificate chain in /var/pkg/publisher/(publisher name)/certs, so you'll have the signing and root certificate in /var/pkg/publisher/solaris/certs. Copy the root certificate to the CA certificate directory in /etc/certs/CA/ and then pkg(1) will trust the certificate chain.



In my case, it's as easy as



cp /var/pkg/publisher/solaris/certs/370b6b4fba7b0ad472465ffe9377f8f6040b2cfd /etc/certs/CA/temp-solaris-object-signing.pem

svcadm restart system/ca-certificates


The next hurdle you'll find is that pkg://solaris/system/core-os@11.4,5.11-11.4.0.0.1.15.0 has an origin root-image dependency on pkg:/system/core-os@0.5.11-0.175.3.23.0.4.0 (see https://docs.oracle.com/cd/E53394_01/html/E54820/dependtypes.html#PKDEVglumq for details about pkg dependencies). There is probably a very good reason that is there...



EDIT: the rest of what you're probably trying to do is...



If you choose to ignore that giant red flag, and don't mind your Solaris 11.3 system becoming unsupportable (probably because you don't have a support contract in order to download 11.3SRU23), you can do something like:



pkgrecv -s /path/to/solaris11_4 -d /var/tmp/sol114 --raw pkg://solaris/system/core-os@11.4,5.11-11.4.0.0.1.15.0:20180817T002753Z

vi /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T002753Z/manifest*


Remove the dependency:



depend fmri=pkg:/system/core-os@0.5.11-0.175.3.23.0.4.0 root-image=true type=origin


Publish back to your local repo:



pkgsend publish -s /path/to/solaris11_4 -d /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T0023Z/ /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T002753Z/manifest

pkgrepo -s /path/to/solaris11_4 rebuild


Then run the upgrade.



You need to ensure that /var/tmp is completely empty before upgrading because it seems to create a new ZFS dataset for /var/tmp during the upgrade, otherwise it seems to work fine with a couple of fixable errors. YMMV, I tested this on an old T4-2 SPARC system (not x86), so I don't know if there are other quirks around GRUB upgrades etc.






share|improve this answer

































    0














    The following command will install 11.3 sru21 which will install new CA.
    DDT-incorporation is a diagnostic package which has explorer etc..



    pkg update --reject ddt-incorporation --accept entire@0.5.11-0.175.3.21.0.5.0



    Later you can install the individual package if required or subsequent pkg update will not fail.
    pkg install ddt-incorporation






    share|improve this answer


























    • You are apparently showing a command that is obviously not a valid command — it has unquoted parentheses (and not in an allowed configuration).  What do you mean?  Please do not respond in comments; edit your answer to make it clearer and more complete.

      – G-Man
      Nov 14 '18 at 18:25



















    0














    To resolve the pkg update issue:
    Specify the exact version of the "package involved".



    pkg update --reject pkg://solaris/consolidation/ddt/ddt-incorporation@18.3.18.7.13,0.5.11-11.4.0.0.1.11.0:20180718T212443Z entire@0.5.11-0.175.3.35



    or simply reject it:



    pkg update consolidation/ddt/ddt-incorporation@18.3.18.7.4-0.175.3.35.0.1.0 entire@0.5.11-0.175.3.35





    share








    New contributor




    GopiKrishna Jagadam is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.




























      -1














      pkg uninstall consolidation/ddt/ddt-incorporation support/explorer





      share|improve this answer


























      • In my case, after removing those two packages (support/explorer depending on ddt-incorporation), I still get the error for other packages (pkg://solaris/library/python/pyatspi-27@2.30.0,5.11-11.4.0.0.1.9.0:20180618T175853Z), suggesting that it's not only about those packages but that we need somehow to let Solaris know about the new oracle root certificate (pkg refresh --full doesn't help).

        – Stéphane Chazelas
        Aug 29 '18 at 10:46











      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "106"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f465416%2fsolaris-wont-update-because-ddt-incorporation-is-using-a-self-signed-certifcate%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      5 Answers
      5






      active

      oldest

      votes








      5 Answers
      5






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      4














      It's not self-signed, but it's not signed by a certificate authority that the Solaris 11.3 GA version knows about. Support for the new certificate authority is one of the reasons you need to first update to Solaris 11.3 SRU 23 or later before you can upgrade to Solaris 11.4, as documented in the upgrade instructions.






      share|improve this answer
























      • So does this effectively mean that people without a support contract (i.e. no access to the SRU releases) can't upgrade from Solaris 11.3 to 11.4, and instead must do a clean install?

        – Tanz87
        Sep 7 '18 at 9:03











      • @Tanz87 unfortunately, that is correct.

        – alanc
        Sep 9 '18 at 21:35
















      4














      It's not self-signed, but it's not signed by a certificate authority that the Solaris 11.3 GA version knows about. Support for the new certificate authority is one of the reasons you need to first update to Solaris 11.3 SRU 23 or later before you can upgrade to Solaris 11.4, as documented in the upgrade instructions.






      share|improve this answer
























      • So does this effectively mean that people without a support contract (i.e. no access to the SRU releases) can't upgrade from Solaris 11.3 to 11.4, and instead must do a clean install?

        – Tanz87
        Sep 7 '18 at 9:03











      • @Tanz87 unfortunately, that is correct.

        – alanc
        Sep 9 '18 at 21:35














      4












      4








      4







      It's not self-signed, but it's not signed by a certificate authority that the Solaris 11.3 GA version knows about. Support for the new certificate authority is one of the reasons you need to first update to Solaris 11.3 SRU 23 or later before you can upgrade to Solaris 11.4, as documented in the upgrade instructions.






      share|improve this answer













      It's not self-signed, but it's not signed by a certificate authority that the Solaris 11.3 GA version knows about. Support for the new certificate authority is one of the reasons you need to first update to Solaris 11.3 SRU 23 or later before you can upgrade to Solaris 11.4, as documented in the upgrade instructions.







      share|improve this answer












      share|improve this answer



      share|improve this answer










      answered Aug 29 '18 at 21:51









      alancalanc

      2,6431122




      2,6431122













      • So does this effectively mean that people without a support contract (i.e. no access to the SRU releases) can't upgrade from Solaris 11.3 to 11.4, and instead must do a clean install?

        – Tanz87
        Sep 7 '18 at 9:03











      • @Tanz87 unfortunately, that is correct.

        – alanc
        Sep 9 '18 at 21:35



















      • So does this effectively mean that people without a support contract (i.e. no access to the SRU releases) can't upgrade from Solaris 11.3 to 11.4, and instead must do a clean install?

        – Tanz87
        Sep 7 '18 at 9:03











      • @Tanz87 unfortunately, that is correct.

        – alanc
        Sep 9 '18 at 21:35

















      So does this effectively mean that people without a support contract (i.e. no access to the SRU releases) can't upgrade from Solaris 11.3 to 11.4, and instead must do a clean install?

      – Tanz87
      Sep 7 '18 at 9:03





      So does this effectively mean that people without a support contract (i.e. no access to the SRU releases) can't upgrade from Solaris 11.3 to 11.4, and instead must do a clean install?

      – Tanz87
      Sep 7 '18 at 9:03













      @Tanz87 unfortunately, that is correct.

      – alanc
      Sep 9 '18 at 21:35





      @Tanz87 unfortunately, that is correct.

      – alanc
      Sep 9 '18 at 21:35













      2














      I think I know exactly what you're trying to do, but you'll also fail at the next step which is where I'm up to.



      pkg(1) stashes a copy of the certificate chain in /var/pkg/publisher/(publisher name)/certs, so you'll have the signing and root certificate in /var/pkg/publisher/solaris/certs. Copy the root certificate to the CA certificate directory in /etc/certs/CA/ and then pkg(1) will trust the certificate chain.



      In my case, it's as easy as



      cp /var/pkg/publisher/solaris/certs/370b6b4fba7b0ad472465ffe9377f8f6040b2cfd /etc/certs/CA/temp-solaris-object-signing.pem
      
svcadm restart system/ca-certificates


      The next hurdle you'll find is that pkg://solaris/system/core-os@11.4,5.11-11.4.0.0.1.15.0 has an origin root-image dependency on pkg:/system/core-os@0.5.11-0.175.3.23.0.4.0 (see https://docs.oracle.com/cd/E53394_01/html/E54820/dependtypes.html#PKDEVglumq for details about pkg dependencies). There is probably a very good reason that is there...



      EDIT: the rest of what you're probably trying to do is...



      If you choose to ignore that giant red flag, and don't mind your Solaris 11.3 system becoming unsupportable (probably because you don't have a support contract in order to download 11.3SRU23), you can do something like:



      pkgrecv -s /path/to/solaris11_4 -d /var/tmp/sol114 --raw pkg://solaris/system/core-os@11.4,5.11-11.4.0.0.1.15.0:20180817T002753Z
      
vi /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T002753Z/manifest*


      Remove the dependency:



      depend fmri=pkg:/system/core-os@0.5.11-0.175.3.23.0.4.0 root-image=true type=origin


      Publish back to your local repo:



      pkgsend publish -s /path/to/solaris11_4 -d /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T0023Z/ /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T002753Z/manifest
      
pkgrepo -s /path/to/solaris11_4 rebuild


      Then run the upgrade.



      You need to ensure that /var/tmp is completely empty before upgrading because it seems to create a new ZFS dataset for /var/tmp during the upgrade, otherwise it seems to work fine with a couple of fixable errors. YMMV, I tested this on an old T4-2 SPARC system (not x86), so I don't know if there are other quirks around GRUB upgrades etc.






      share|improve this answer






























        2














        I think I know exactly what you're trying to do, but you'll also fail at the next step which is where I'm up to.



        pkg(1) stashes a copy of the certificate chain in /var/pkg/publisher/(publisher name)/certs, so you'll have the signing and root certificate in /var/pkg/publisher/solaris/certs. Copy the root certificate to the CA certificate directory in /etc/certs/CA/ and then pkg(1) will trust the certificate chain.



        In my case, it's as easy as



        cp /var/pkg/publisher/solaris/certs/370b6b4fba7b0ad472465ffe9377f8f6040b2cfd /etc/certs/CA/temp-solaris-object-signing.pem
        
svcadm restart system/ca-certificates


        The next hurdle you'll find is that pkg://solaris/system/core-os@11.4,5.11-11.4.0.0.1.15.0 has an origin root-image dependency on pkg:/system/core-os@0.5.11-0.175.3.23.0.4.0 (see https://docs.oracle.com/cd/E53394_01/html/E54820/dependtypes.html#PKDEVglumq for details about pkg dependencies). There is probably a very good reason that is there...



        EDIT: the rest of what you're probably trying to do is...



        If you choose to ignore that giant red flag, and don't mind your Solaris 11.3 system becoming unsupportable (probably because you don't have a support contract in order to download 11.3SRU23), you can do something like:



        pkgrecv -s /path/to/solaris11_4 -d /var/tmp/sol114 --raw pkg://solaris/system/core-os@11.4,5.11-11.4.0.0.1.15.0:20180817T002753Z
        
vi /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T002753Z/manifest*


        Remove the dependency:



        depend fmri=pkg:/system/core-os@0.5.11-0.175.3.23.0.4.0 root-image=true type=origin


        Publish back to your local repo:



        pkgsend publish -s /path/to/solaris11_4 -d /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T0023Z/ /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T002753Z/manifest
        
pkgrepo -s /path/to/solaris11_4 rebuild


        Then run the upgrade.



        You need to ensure that /var/tmp is completely empty before upgrading because it seems to create a new ZFS dataset for /var/tmp during the upgrade, otherwise it seems to work fine with a couple of fixable errors. YMMV, I tested this on an old T4-2 SPARC system (not x86), so I don't know if there are other quirks around GRUB upgrades etc.






        share|improve this answer




























          2












          2








          2







          I think I know exactly what you're trying to do, but you'll also fail at the next step which is where I'm up to.



          pkg(1) stashes a copy of the certificate chain in /var/pkg/publisher/(publisher name)/certs, so you'll have the signing and root certificate in /var/pkg/publisher/solaris/certs. Copy the root certificate to the CA certificate directory in /etc/certs/CA/ and then pkg(1) will trust the certificate chain.



          In my case, it's as easy as



          cp /var/pkg/publisher/solaris/certs/370b6b4fba7b0ad472465ffe9377f8f6040b2cfd /etc/certs/CA/temp-solaris-object-signing.pem
          
svcadm restart system/ca-certificates


          The next hurdle you'll find is that pkg://solaris/system/core-os@11.4,5.11-11.4.0.0.1.15.0 has an origin root-image dependency on pkg:/system/core-os@0.5.11-0.175.3.23.0.4.0 (see https://docs.oracle.com/cd/E53394_01/html/E54820/dependtypes.html#PKDEVglumq for details about pkg dependencies). There is probably a very good reason that is there...



          EDIT: the rest of what you're probably trying to do is...



          If you choose to ignore that giant red flag, and don't mind your Solaris 11.3 system becoming unsupportable (probably because you don't have a support contract in order to download 11.3SRU23), you can do something like:



          pkgrecv -s /path/to/solaris11_4 -d /var/tmp/sol114 --raw pkg://solaris/system/core-os@11.4,5.11-11.4.0.0.1.15.0:20180817T002753Z
          
vi /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T002753Z/manifest*


          Remove the dependency:



          depend fmri=pkg:/system/core-os@0.5.11-0.175.3.23.0.4.0 root-image=true type=origin


          Publish back to your local repo:



          pkgsend publish -s /path/to/solaris11_4 -d /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T0023Z/ /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T002753Z/manifest
          
pkgrepo -s /path/to/solaris11_4 rebuild


          Then run the upgrade.



          You need to ensure that /var/tmp is completely empty before upgrading because it seems to create a new ZFS dataset for /var/tmp during the upgrade, otherwise it seems to work fine with a couple of fixable errors. YMMV, I tested this on an old T4-2 SPARC system (not x86), so I don't know if there are other quirks around GRUB upgrades etc.






          share|improve this answer















          I think I know exactly what you're trying to do, but you'll also fail at the next step which is where I'm up to.



          pkg(1) stashes a copy of the certificate chain in /var/pkg/publisher/(publisher name)/certs, so you'll have the signing and root certificate in /var/pkg/publisher/solaris/certs. Copy the root certificate to the CA certificate directory in /etc/certs/CA/ and then pkg(1) will trust the certificate chain.



          In my case, it's as easy as



          cp /var/pkg/publisher/solaris/certs/370b6b4fba7b0ad472465ffe9377f8f6040b2cfd /etc/certs/CA/temp-solaris-object-signing.pem
          
svcadm restart system/ca-certificates


          The next hurdle you'll find is that pkg://solaris/system/core-os@11.4,5.11-11.4.0.0.1.15.0 has an origin root-image dependency on pkg:/system/core-os@0.5.11-0.175.3.23.0.4.0 (see https://docs.oracle.com/cd/E53394_01/html/E54820/dependtypes.html#PKDEVglumq for details about pkg dependencies). There is probably a very good reason that is there...



          EDIT: the rest of what you're probably trying to do is...



          If you choose to ignore that giant red flag, and don't mind your Solaris 11.3 system becoming unsupportable (probably because you don't have a support contract in order to download 11.3SRU23), you can do something like:



          pkgrecv -s /path/to/solaris11_4 -d /var/tmp/sol114 --raw pkg://solaris/system/core-os@11.4,5.11-11.4.0.0.1.15.0:20180817T002753Z
          
vi /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T002753Z/manifest*


          Remove the dependency:



          depend fmri=pkg:/system/core-os@0.5.11-0.175.3.23.0.4.0 root-image=true type=origin


          Publish back to your local repo:



          pkgsend publish -s /path/to/solaris11_4 -d /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T0023Z/ /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T002753Z/manifest
          
pkgrepo -s /path/to/solaris11_4 rebuild


          Then run the upgrade.



          You need to ensure that /var/tmp is completely empty before upgrading because it seems to create a new ZFS dataset for /var/tmp during the upgrade, otherwise it seems to work fine with a couple of fixable errors. YMMV, I tested this on an old T4-2 SPARC system (not x86), so I don't know if there are other quirks around GRUB upgrades etc.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Sep 25 '18 at 7:14

























          answered Sep 12 '18 at 7:16









          jpmjpm

          212




          212























              0














              The following command will install 11.3 sru21 which will install new CA.
              DDT-incorporation is a diagnostic package which has explorer etc..



              pkg update --reject ddt-incorporation --accept entire@0.5.11-0.175.3.21.0.5.0



              Later you can install the individual package if required or subsequent pkg update will not fail.
              pkg install ddt-incorporation






              share|improve this answer


























              • You are apparently showing a command that is obviously not a valid command — it has unquoted parentheses (and not in an allowed configuration).  What do you mean?  Please do not respond in comments; edit your answer to make it clearer and more complete.

                – G-Man
                Nov 14 '18 at 18:25
















              0














              The following command will install 11.3 sru21 which will install new CA.
              DDT-incorporation is a diagnostic package which has explorer etc..



              pkg update --reject ddt-incorporation --accept entire@0.5.11-0.175.3.21.0.5.0



              Later you can install the individual package if required or subsequent pkg update will not fail.
              pkg install ddt-incorporation






              share|improve this answer


























              • You are apparently showing a command that is obviously not a valid command — it has unquoted parentheses (and not in an allowed configuration).  What do you mean?  Please do not respond in comments; edit your answer to make it clearer and more complete.

                – G-Man
                Nov 14 '18 at 18:25














              0












              0








              0







              The following command will install 11.3 sru21 which will install new CA.
              DDT-incorporation is a diagnostic package which has explorer etc..



              pkg update --reject ddt-incorporation --accept entire@0.5.11-0.175.3.21.0.5.0



              Later you can install the individual package if required or subsequent pkg update will not fail.
              pkg install ddt-incorporation






              share|improve this answer















              The following command will install 11.3 sru21 which will install new CA.
              DDT-incorporation is a diagnostic package which has explorer etc..



              pkg update --reject ddt-incorporation --accept entire@0.5.11-0.175.3.21.0.5.0



              Later you can install the individual package if required or subsequent pkg update will not fail.
              pkg install ddt-incorporation







              share|improve this answer














              share|improve this answer



              share|improve this answer








              edited Nov 15 '18 at 20:54

























              answered Nov 14 '18 at 17:58









              Manja-solarisManja-solaris

              11




              11













              • You are apparently showing a command that is obviously not a valid command — it has unquoted parentheses (and not in an allowed configuration).  What do you mean?  Please do not respond in comments; edit your answer to make it clearer and more complete.

                – G-Man
                Nov 14 '18 at 18:25



















              • You are apparently showing a command that is obviously not a valid command — it has unquoted parentheses (and not in an allowed configuration).  What do you mean?  Please do not respond in comments; edit your answer to make it clearer and more complete.

                – G-Man
                Nov 14 '18 at 18:25

















              You are apparently showing a command that is obviously not a valid command — it has unquoted parentheses (and not in an allowed configuration).  What do you mean?  Please do not respond in comments; edit your answer to make it clearer and more complete.

              – G-Man
              Nov 14 '18 at 18:25





              You are apparently showing a command that is obviously not a valid command — it has unquoted parentheses (and not in an allowed configuration).  What do you mean?  Please do not respond in comments; edit your answer to make it clearer and more complete.

              – G-Man
              Nov 14 '18 at 18:25











              0














              To resolve the pkg update issue:
              Specify the exact version of the "package involved".



              pkg update --reject pkg://solaris/consolidation/ddt/ddt-incorporation@18.3.18.7.13,0.5.11-11.4.0.0.1.11.0:20180718T212443Z entire@0.5.11-0.175.3.35



              or simply reject it:



              pkg update consolidation/ddt/ddt-incorporation@18.3.18.7.4-0.175.3.35.0.1.0 entire@0.5.11-0.175.3.35





              share








              New contributor




              GopiKrishna Jagadam is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
              Check out our Code of Conduct.

























                0














                To resolve the pkg update issue:
                Specify the exact version of the "package involved".



                pkg update --reject pkg://solaris/consolidation/ddt/ddt-incorporation@18.3.18.7.13,0.5.11-11.4.0.0.1.11.0:20180718T212443Z entire@0.5.11-0.175.3.35



                or simply reject it:



                pkg update consolidation/ddt/ddt-incorporation@18.3.18.7.4-0.175.3.35.0.1.0 entire@0.5.11-0.175.3.35





                share








                New contributor




                GopiKrishna Jagadam is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.























                  0












                  0








                  0







                  To resolve the pkg update issue:
                  Specify the exact version of the "package involved".



                  pkg update --reject pkg://solaris/consolidation/ddt/ddt-incorporation@18.3.18.7.13,0.5.11-11.4.0.0.1.11.0:20180718T212443Z entire@0.5.11-0.175.3.35



                  or simply reject it:



                  pkg update consolidation/ddt/ddt-incorporation@18.3.18.7.4-0.175.3.35.0.1.0 entire@0.5.11-0.175.3.35





                  share








                  New contributor




                  GopiKrishna Jagadam is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.










                  To resolve the pkg update issue:
                  Specify the exact version of the "package involved".



                  pkg update --reject pkg://solaris/consolidation/ddt/ddt-incorporation@18.3.18.7.13,0.5.11-11.4.0.0.1.11.0:20180718T212443Z entire@0.5.11-0.175.3.35



                  or simply reject it:



                  pkg update consolidation/ddt/ddt-incorporation@18.3.18.7.4-0.175.3.35.0.1.0 entire@0.5.11-0.175.3.35






                  share








                  New contributor




                  GopiKrishna Jagadam is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.








                  share


                  share






                  New contributor




                  GopiKrishna Jagadam is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.









                  answered 9 mins ago









                  GopiKrishna JagadamGopiKrishna Jagadam

                  1




                  1




                  New contributor




                  GopiKrishna Jagadam is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.





                  New contributor





                  GopiKrishna Jagadam is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.






                  GopiKrishna Jagadam is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.























                      -1














                      pkg uninstall consolidation/ddt/ddt-incorporation support/explorer





                      share|improve this answer


























                      • In my case, after removing those two packages (support/explorer depending on ddt-incorporation), I still get the error for other packages (pkg://solaris/library/python/pyatspi-27@2.30.0,5.11-11.4.0.0.1.9.0:20180618T175853Z), suggesting that it's not only about those packages but that we need somehow to let Solaris know about the new oracle root certificate (pkg refresh --full doesn't help).

                        – Stéphane Chazelas
                        Aug 29 '18 at 10:46
















                      -1














                      pkg uninstall consolidation/ddt/ddt-incorporation support/explorer





                      share|improve this answer


























                      • In my case, after removing those two packages (support/explorer depending on ddt-incorporation), I still get the error for other packages (pkg://solaris/library/python/pyatspi-27@2.30.0,5.11-11.4.0.0.1.9.0:20180618T175853Z), suggesting that it's not only about those packages but that we need somehow to let Solaris know about the new oracle root certificate (pkg refresh --full doesn't help).

                        – Stéphane Chazelas
                        Aug 29 '18 at 10:46














                      -1












                      -1








                      -1







                      pkg uninstall consolidation/ddt/ddt-incorporation support/explorer





                      share|improve this answer















                      pkg uninstall consolidation/ddt/ddt-incorporation support/explorer






                      share|improve this answer














                      share|improve this answer



                      share|improve this answer








                      edited Aug 29 '18 at 10:12









                      Jeff Schaller

                      40.1k1054126




                      40.1k1054126










                      answered Aug 29 '18 at 9:25









                      VladoVlado

                      1




                      1













                      • In my case, after removing those two packages (support/explorer depending on ddt-incorporation), I still get the error for other packages (pkg://solaris/library/python/pyatspi-27@2.30.0,5.11-11.4.0.0.1.9.0:20180618T175853Z), suggesting that it's not only about those packages but that we need somehow to let Solaris know about the new oracle root certificate (pkg refresh --full doesn't help).

                        – Stéphane Chazelas
                        Aug 29 '18 at 10:46



















                      • In my case, after removing those two packages (support/explorer depending on ddt-incorporation), I still get the error for other packages (pkg://solaris/library/python/pyatspi-27@2.30.0,5.11-11.4.0.0.1.9.0:20180618T175853Z), suggesting that it's not only about those packages but that we need somehow to let Solaris know about the new oracle root certificate (pkg refresh --full doesn't help).

                        – Stéphane Chazelas
                        Aug 29 '18 at 10:46

















                      In my case, after removing those two packages (support/explorer depending on ddt-incorporation), I still get the error for other packages (pkg://solaris/library/python/pyatspi-27@2.30.0,5.11-11.4.0.0.1.9.0:20180618T175853Z), suggesting that it's not only about those packages but that we need somehow to let Solaris know about the new oracle root certificate (pkg refresh --full doesn't help).

                      – Stéphane Chazelas
                      Aug 29 '18 at 10:46





                      In my case, after removing those two packages (support/explorer depending on ddt-incorporation), I still get the error for other packages (pkg://solaris/library/python/pyatspi-27@2.30.0,5.11-11.4.0.0.1.9.0:20180618T175853Z), suggesting that it's not only about those packages but that we need somehow to let Solaris know about the new oracle root certificate (pkg refresh --full doesn't help).

                      – Stéphane Chazelas
                      Aug 29 '18 at 10:46


















                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Unix & Linux Stack Exchange!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f465416%2fsolaris-wont-update-because-ddt-incorporation-is-using-a-self-signed-certifcate%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      -

                      Popular posts from this blog

                      Loup dans la culture

                      Image
                      Loups sur une enluminure du Bestiaire d'Aberdeen Le loup est l'animal le plus emblématique de l'histoire de l'Eurasie, il était à l'honneur durant l'Antiquité chez la totalité des anciens peuples européens [ 1 ] . Sommaire 1 Le loup dans la mythologie 2 Les loups dans le folklore 2.1 L'évolution des mentalités 2.2 Le loup dans la psychanalyse 3 Le loup dans les œuvres culturelles 3.1 Le loup dans la littérature 3.1.1 Fables 3.1.2 Poésie 3.1.3 Romans 3.1.4 Littérature jeunesse 3.1.4.1 Quelques titres d'albums contemporains 3.1.5 Bande dessinée 3.2 Le loup à l'écran 3.2.1 Le cinéma et la télévision 3.2.2 Documentaires 3.2.3 Dessins animés 3.2.4 Jeux vidéo 3.3 Le loup en peinture et en sculpture 3.4 Le loup dans les œuvres musicales 4 Le loup et les noms propres 5 Bibliographie 6 Notes et références 7 Voir aussi 7.1 Articles connexes
                      Read more

                      How to solve the problem of ntp “Unable to contact time server” from KDE?

                      Image
                      1 0 I want to set date and time automatically but this error appears when I try to .. I'm using openSUSE, I tried different servers but it didn't work either, help please! It doesn't seem to be a network problem: $ ping pool.ntp.org 64 bytes from 41.78.128.17: icmp_seq=1 ttl=41 time=260 ms To the question of whether ntpd is installed and running: $ ps -C ntpd PID TTY TIME CMD i.e. there's no ntpd process running. $ rpm -qa | grep ntp yast2-ntp-client-3.1.12-1.7.noarch ntp-4.2.6p5-25.2.1.i586 Further information from the comments: $ sudo ntpdate pool.ntp.org 25 Sep 19:41:51 ntpdate[3162]: no server suitable for synchronization found networking kde opensuse ntp ntpd sh
                      Read more

                      Connection limited (no internet access)

                      Image
                      -1 My laptop is running on Windows 10 ، My wifi adapter is tenda V7TW311M ,My router is D-Link , When I connect to the internet I get connection limited with yellow triangle , and no ipv4 address in ipconfig ,Ihave tried manually setting the ipv4 address When dhcp works there is no ipv4 , When I select ipv4 manually dhcp is turned off , I tried an update my wifi to the Latest version But the same problem remained . networking wifi internet net share | improve this question asked 13 mins ago Souchi Souchi 1 1
                      Read more