Solaris won't update because ddt-incorporation is using a self-signed certifcate
I'm trying to update my Solaris 11.3 x86 system. The system hasSun/Oracle software on it, including Sun Developer Studio and Sun SSH server. It does not have other software on it, and I don't have anything in /usr/local
.
I'm catching this error:
$ sudo pkg update
Creating Plan (Package planning: 1/10): -
pkg update: Chain was rooted in an untrusted self-signed certificate.
The package involved is pkg://solaris/consolidation/ddt/ddt-incorporation@18.3.18.7.13,0.5.11-11.4.0.0.1.11.0:20180718T212443Z
According to Packaging and Delivering Software With the Image Packaging System | Untrusted Self-Signed Certificate, the docs say it is because of using a self-signed OpenSSL certificate. Another similar page is Troubleshooting Signed Packages, but it rehashes the earlier page and adds nothing new. The Oracle docs on updating a package is at Updating a Package but it does not appear to provide the information I need.
The Sun article lacks step-by-step instructions to clear the issue. I'm trying to get Solaris to trust the Sun certificate but I can't get beyond usage errors:
$ sudo pkg set-publisher --approve-ca-cert solaris/consolidation/ddt/ddt-incorporation
pkg set-publisher: requires a publisher name
Usage:
pkg set-publisher [-Ped] [-k ssl_key] [-c ssl_cert]
[-g origin_to_add|--add-origin=origin_to_add ...]
[-G origin_to_remove|--remove-origin=origin_to_remove ...]
....
And:
$ sudo pkg set-publisher --approve-ca-cert solaris/consolidation/ddt/ddt-incorporation sun
pkg set-publisher: Could not find /export/home/jwalton/solaris/consolidation/ddt/ddt-incorporation
I've tried other combinations, like prepending pkg://
and using the full name but the problems persist.
How do I get beyond this error?
solaris software-updates pkg
add a comment |
I'm trying to update my Solaris 11.3 x86 system. The system hasSun/Oracle software on it, including Sun Developer Studio and Sun SSH server. It does not have other software on it, and I don't have anything in /usr/local
.
I'm catching this error:
$ sudo pkg update
Creating Plan (Package planning: 1/10): -
pkg update: Chain was rooted in an untrusted self-signed certificate.
The package involved is pkg://solaris/consolidation/ddt/ddt-incorporation@18.3.18.7.13,0.5.11-11.4.0.0.1.11.0:20180718T212443Z
According to Packaging and Delivering Software With the Image Packaging System | Untrusted Self-Signed Certificate, the docs say it is because of using a self-signed OpenSSL certificate. Another similar page is Troubleshooting Signed Packages, but it rehashes the earlier page and adds nothing new. The Oracle docs on updating a package is at Updating a Package but it does not appear to provide the information I need.
The Sun article lacks step-by-step instructions to clear the issue. I'm trying to get Solaris to trust the Sun certificate but I can't get beyond usage errors:
$ sudo pkg set-publisher --approve-ca-cert solaris/consolidation/ddt/ddt-incorporation
pkg set-publisher: requires a publisher name
Usage:
pkg set-publisher [-Ped] [-k ssl_key] [-c ssl_cert]
[-g origin_to_add|--add-origin=origin_to_add ...]
[-G origin_to_remove|--remove-origin=origin_to_remove ...]
....
And:
$ sudo pkg set-publisher --approve-ca-cert solaris/consolidation/ddt/ddt-incorporation sun
pkg set-publisher: Could not find /export/home/jwalton/solaris/consolidation/ddt/ddt-incorporation
I've tried other combinations, like prepending pkg://
and using the full name but the problems persist.
How do I get beyond this error?
solaris software-updates pkg
Have you tried using the full path tosolaris/consolidation/ddt/ddt-incorporation
?
– Andrew Henle
Aug 29 '18 at 10:18
FWIW, I get the same error here when trying to update a Solaris virtualbox VM with nothing fancy on it. Suggesting Oracle have messed up something somewhere.
– Stéphane Chazelas
Aug 29 '18 at 10:29
1
It's probably a matter of going through the steps described at docs.oracle.com/cd/E37838_01/html/E60977/gmpdi.html
– Stéphane Chazelas
Aug 29 '18 at 10:59
add a comment |
I'm trying to update my Solaris 11.3 x86 system. The system hasSun/Oracle software on it, including Sun Developer Studio and Sun SSH server. It does not have other software on it, and I don't have anything in /usr/local
.
I'm catching this error:
$ sudo pkg update
Creating Plan (Package planning: 1/10): -
pkg update: Chain was rooted in an untrusted self-signed certificate.
The package involved is pkg://solaris/consolidation/ddt/ddt-incorporation@18.3.18.7.13,0.5.11-11.4.0.0.1.11.0:20180718T212443Z
According to Packaging and Delivering Software With the Image Packaging System | Untrusted Self-Signed Certificate, the docs say it is because of using a self-signed OpenSSL certificate. Another similar page is Troubleshooting Signed Packages, but it rehashes the earlier page and adds nothing new. The Oracle docs on updating a package is at Updating a Package but it does not appear to provide the information I need.
The Sun article lacks step-by-step instructions to clear the issue. I'm trying to get Solaris to trust the Sun certificate but I can't get beyond usage errors:
$ sudo pkg set-publisher --approve-ca-cert solaris/consolidation/ddt/ddt-incorporation
pkg set-publisher: requires a publisher name
Usage:
pkg set-publisher [-Ped] [-k ssl_key] [-c ssl_cert]
[-g origin_to_add|--add-origin=origin_to_add ...]
[-G origin_to_remove|--remove-origin=origin_to_remove ...]
....
And:
$ sudo pkg set-publisher --approve-ca-cert solaris/consolidation/ddt/ddt-incorporation sun
pkg set-publisher: Could not find /export/home/jwalton/solaris/consolidation/ddt/ddt-incorporation
I've tried other combinations, like prepending pkg://
and using the full name but the problems persist.
How do I get beyond this error?
solaris software-updates pkg
I'm trying to update my Solaris 11.3 x86 system. The system hasSun/Oracle software on it, including Sun Developer Studio and Sun SSH server. It does not have other software on it, and I don't have anything in /usr/local
.
I'm catching this error:
$ sudo pkg update
Creating Plan (Package planning: 1/10): -
pkg update: Chain was rooted in an untrusted self-signed certificate.
The package involved is pkg://solaris/consolidation/ddt/ddt-incorporation@18.3.18.7.13,0.5.11-11.4.0.0.1.11.0:20180718T212443Z
According to Packaging and Delivering Software With the Image Packaging System | Untrusted Self-Signed Certificate, the docs say it is because of using a self-signed OpenSSL certificate. Another similar page is Troubleshooting Signed Packages, but it rehashes the earlier page and adds nothing new. The Oracle docs on updating a package is at Updating a Package but it does not appear to provide the information I need.
The Sun article lacks step-by-step instructions to clear the issue. I'm trying to get Solaris to trust the Sun certificate but I can't get beyond usage errors:
$ sudo pkg set-publisher --approve-ca-cert solaris/consolidation/ddt/ddt-incorporation
pkg set-publisher: requires a publisher name
Usage:
pkg set-publisher [-Ped] [-k ssl_key] [-c ssl_cert]
[-g origin_to_add|--add-origin=origin_to_add ...]
[-G origin_to_remove|--remove-origin=origin_to_remove ...]
....
And:
$ sudo pkg set-publisher --approve-ca-cert solaris/consolidation/ddt/ddt-incorporation sun
pkg set-publisher: Could not find /export/home/jwalton/solaris/consolidation/ddt/ddt-incorporation
I've tried other combinations, like prepending pkg://
and using the full name but the problems persist.
How do I get beyond this error?
solaris software-updates pkg
solaris software-updates pkg
edited Aug 29 '18 at 3:57
jww
asked Aug 29 '18 at 3:27
jwwjww
1,60732267
1,60732267
Have you tried using the full path tosolaris/consolidation/ddt/ddt-incorporation
?
– Andrew Henle
Aug 29 '18 at 10:18
FWIW, I get the same error here when trying to update a Solaris virtualbox VM with nothing fancy on it. Suggesting Oracle have messed up something somewhere.
– Stéphane Chazelas
Aug 29 '18 at 10:29
1
It's probably a matter of going through the steps described at docs.oracle.com/cd/E37838_01/html/E60977/gmpdi.html
– Stéphane Chazelas
Aug 29 '18 at 10:59
add a comment |
Have you tried using the full path tosolaris/consolidation/ddt/ddt-incorporation
?
– Andrew Henle
Aug 29 '18 at 10:18
FWIW, I get the same error here when trying to update a Solaris virtualbox VM with nothing fancy on it. Suggesting Oracle have messed up something somewhere.
– Stéphane Chazelas
Aug 29 '18 at 10:29
1
It's probably a matter of going through the steps described at docs.oracle.com/cd/E37838_01/html/E60977/gmpdi.html
– Stéphane Chazelas
Aug 29 '18 at 10:59
Have you tried using the full path to
solaris/consolidation/ddt/ddt-incorporation
?– Andrew Henle
Aug 29 '18 at 10:18
Have you tried using the full path to
solaris/consolidation/ddt/ddt-incorporation
?– Andrew Henle
Aug 29 '18 at 10:18
FWIW, I get the same error here when trying to update a Solaris virtualbox VM with nothing fancy on it. Suggesting Oracle have messed up something somewhere.
– Stéphane Chazelas
Aug 29 '18 at 10:29
FWIW, I get the same error here when trying to update a Solaris virtualbox VM with nothing fancy on it. Suggesting Oracle have messed up something somewhere.
– Stéphane Chazelas
Aug 29 '18 at 10:29
1
1
It's probably a matter of going through the steps described at docs.oracle.com/cd/E37838_01/html/E60977/gmpdi.html
– Stéphane Chazelas
Aug 29 '18 at 10:59
It's probably a matter of going through the steps described at docs.oracle.com/cd/E37838_01/html/E60977/gmpdi.html
– Stéphane Chazelas
Aug 29 '18 at 10:59
add a comment |
5 Answers
5
active
oldest
votes
It's not self-signed, but it's not signed by a certificate authority that the Solaris 11.3 GA version knows about. Support for the new certificate authority is one of the reasons you need to first update to Solaris 11.3 SRU 23 or later before you can upgrade to Solaris 11.4, as documented in the upgrade instructions.
So does this effectively mean that people without a support contract (i.e. no access to the SRU releases) can't upgrade from Solaris 11.3 to 11.4, and instead must do a clean install?
– Tanz87
Sep 7 '18 at 9:03
@Tanz87 unfortunately, that is correct.
– alanc
Sep 9 '18 at 21:35
add a comment |
I think I know exactly what you're trying to do, but you'll also fail at the next step which is where I'm up to.
pkg(1) stashes a copy of the certificate chain in /var/pkg/publisher/(publisher name)/certs, so you'll have the signing and root certificate in /var/pkg/publisher/solaris/certs. Copy the root certificate to the CA certificate directory in /etc/certs/CA/ and then pkg(1) will trust the certificate chain.
In my case, it's as easy as
cp /var/pkg/publisher/solaris/certs/370b6b4fba7b0ad472465ffe9377f8f6040b2cfd /etc/certs/CA/temp-solaris-object-signing.pem
svcadm restart system/ca-certificates
The next hurdle you'll find is that pkg://solaris/system/core-os@11.4,5.11-11.4.0.0.1.15.0 has an origin root-image dependency on pkg:/system/core-os@0.5.11-0.175.3.23.0.4.0 (see https://docs.oracle.com/cd/E53394_01/html/E54820/dependtypes.html#PKDEVglumq for details about pkg dependencies). There is probably a very good reason that is there...
EDIT: the rest of what you're probably trying to do is...
If you choose to ignore that giant red flag, and don't mind your Solaris 11.3 system becoming unsupportable (probably because you don't have a support contract in order to download 11.3SRU23), you can do something like:
pkgrecv -s /path/to/solaris11_4 -d /var/tmp/sol114 --raw pkg://solaris/system/core-os@11.4,5.11-11.4.0.0.1.15.0:20180817T002753Z
vi /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T002753Z/manifest*
Remove the dependency:
depend fmri=pkg:/system/core-os@0.5.11-0.175.3.23.0.4.0 root-image=true type=origin
Publish back to your local repo:
pkgsend publish -s /path/to/solaris11_4 -d /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T0023Z/ /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T002753Z/manifest
pkgrepo -s /path/to/solaris11_4 rebuild
Then run the upgrade.
You need to ensure that /var/tmp is completely empty before upgrading because it seems to create a new ZFS dataset for /var/tmp during the upgrade, otherwise it seems to work fine with a couple of fixable errors. YMMV, I tested this on an old T4-2 SPARC system (not x86), so I don't know if there are other quirks around GRUB upgrades etc.
add a comment |
The following command will install 11.3 sru21 which will install new CA.
DDT-incorporation is a diagnostic package which has explorer etc..
pkg update --reject ddt-incorporation --accept entire@0.5.11-0.175.3.21.0.5.0
Later you can install the individual package if required or subsequent pkg update will not fail.
pkg install ddt-incorporation
You are apparently showing a command that is obviously not a valid command — it has unquoted parentheses (and not in an allowed configuration). What do you mean? Please do not respond in comments; edit your answer to make it clearer and more complete.
– G-Man
Nov 14 '18 at 18:25
add a comment |
To resolve the pkg update issue:
Specify the exact version of the "package involved".
pkg update --reject pkg://solaris/consolidation/ddt/ddt-incorporation@18.3.18.7.13,0.5.11-11.4.0.0.1.11.0:20180718T212443Z entire@0.5.11-0.175.3.35
or simply reject it:
pkg update consolidation/ddt/ddt-incorporation@18.3.18.7.4-0.175.3.35.0.1.0 entire@0.5.11-0.175.3.35
New contributor
add a comment |
pkg uninstall consolidation/ddt/ddt-incorporation support/explorer
In my case, after removing those two packages (support/explorer depending on ddt-incorporation), I still get the error for other packages (pkg://solaris/library/python/pyatspi-27@2.30.0,5.11-11.4.0.0.1.9.0:20180618T175853Z
), suggesting that it's not only about those packages but that we need somehow to let Solaris know about the new oracle root certificate (pkg refresh --full
doesn't help).
– Stéphane Chazelas
Aug 29 '18 at 10:46
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f465416%2fsolaris-wont-update-because-ddt-incorporation-is-using-a-self-signed-certifcate%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
5 Answers
5
active
oldest
votes
5 Answers
5
active
oldest
votes
active
oldest
votes
active
oldest
votes
It's not self-signed, but it's not signed by a certificate authority that the Solaris 11.3 GA version knows about. Support for the new certificate authority is one of the reasons you need to first update to Solaris 11.3 SRU 23 or later before you can upgrade to Solaris 11.4, as documented in the upgrade instructions.
So does this effectively mean that people without a support contract (i.e. no access to the SRU releases) can't upgrade from Solaris 11.3 to 11.4, and instead must do a clean install?
– Tanz87
Sep 7 '18 at 9:03
@Tanz87 unfortunately, that is correct.
– alanc
Sep 9 '18 at 21:35
add a comment |
It's not self-signed, but it's not signed by a certificate authority that the Solaris 11.3 GA version knows about. Support for the new certificate authority is one of the reasons you need to first update to Solaris 11.3 SRU 23 or later before you can upgrade to Solaris 11.4, as documented in the upgrade instructions.
So does this effectively mean that people without a support contract (i.e. no access to the SRU releases) can't upgrade from Solaris 11.3 to 11.4, and instead must do a clean install?
– Tanz87
Sep 7 '18 at 9:03
@Tanz87 unfortunately, that is correct.
– alanc
Sep 9 '18 at 21:35
add a comment |
It's not self-signed, but it's not signed by a certificate authority that the Solaris 11.3 GA version knows about. Support for the new certificate authority is one of the reasons you need to first update to Solaris 11.3 SRU 23 or later before you can upgrade to Solaris 11.4, as documented in the upgrade instructions.
It's not self-signed, but it's not signed by a certificate authority that the Solaris 11.3 GA version knows about. Support for the new certificate authority is one of the reasons you need to first update to Solaris 11.3 SRU 23 or later before you can upgrade to Solaris 11.4, as documented in the upgrade instructions.
answered Aug 29 '18 at 21:51
alancalanc
2,6431122
2,6431122
So does this effectively mean that people without a support contract (i.e. no access to the SRU releases) can't upgrade from Solaris 11.3 to 11.4, and instead must do a clean install?
– Tanz87
Sep 7 '18 at 9:03
@Tanz87 unfortunately, that is correct.
– alanc
Sep 9 '18 at 21:35
add a comment |
So does this effectively mean that people without a support contract (i.e. no access to the SRU releases) can't upgrade from Solaris 11.3 to 11.4, and instead must do a clean install?
– Tanz87
Sep 7 '18 at 9:03
@Tanz87 unfortunately, that is correct.
– alanc
Sep 9 '18 at 21:35
So does this effectively mean that people without a support contract (i.e. no access to the SRU releases) can't upgrade from Solaris 11.3 to 11.4, and instead must do a clean install?
– Tanz87
Sep 7 '18 at 9:03
So does this effectively mean that people without a support contract (i.e. no access to the SRU releases) can't upgrade from Solaris 11.3 to 11.4, and instead must do a clean install?
– Tanz87
Sep 7 '18 at 9:03
@Tanz87 unfortunately, that is correct.
– alanc
Sep 9 '18 at 21:35
@Tanz87 unfortunately, that is correct.
– alanc
Sep 9 '18 at 21:35
add a comment |
I think I know exactly what you're trying to do, but you'll also fail at the next step which is where I'm up to.
pkg(1) stashes a copy of the certificate chain in /var/pkg/publisher/(publisher name)/certs, so you'll have the signing and root certificate in /var/pkg/publisher/solaris/certs. Copy the root certificate to the CA certificate directory in /etc/certs/CA/ and then pkg(1) will trust the certificate chain.
In my case, it's as easy as
cp /var/pkg/publisher/solaris/certs/370b6b4fba7b0ad472465ffe9377f8f6040b2cfd /etc/certs/CA/temp-solaris-object-signing.pem
svcadm restart system/ca-certificates
The next hurdle you'll find is that pkg://solaris/system/core-os@11.4,5.11-11.4.0.0.1.15.0 has an origin root-image dependency on pkg:/system/core-os@0.5.11-0.175.3.23.0.4.0 (see https://docs.oracle.com/cd/E53394_01/html/E54820/dependtypes.html#PKDEVglumq for details about pkg dependencies). There is probably a very good reason that is there...
EDIT: the rest of what you're probably trying to do is...
If you choose to ignore that giant red flag, and don't mind your Solaris 11.3 system becoming unsupportable (probably because you don't have a support contract in order to download 11.3SRU23), you can do something like:
pkgrecv -s /path/to/solaris11_4 -d /var/tmp/sol114 --raw pkg://solaris/system/core-os@11.4,5.11-11.4.0.0.1.15.0:20180817T002753Z
vi /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T002753Z/manifest*
Remove the dependency:
depend fmri=pkg:/system/core-os@0.5.11-0.175.3.23.0.4.0 root-image=true type=origin
Publish back to your local repo:
pkgsend publish -s /path/to/solaris11_4 -d /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T0023Z/ /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T002753Z/manifest
pkgrepo -s /path/to/solaris11_4 rebuild
Then run the upgrade.
You need to ensure that /var/tmp is completely empty before upgrading because it seems to create a new ZFS dataset for /var/tmp during the upgrade, otherwise it seems to work fine with a couple of fixable errors. YMMV, I tested this on an old T4-2 SPARC system (not x86), so I don't know if there are other quirks around GRUB upgrades etc.
add a comment |
I think I know exactly what you're trying to do, but you'll also fail at the next step which is where I'm up to.
pkg(1) stashes a copy of the certificate chain in /var/pkg/publisher/(publisher name)/certs, so you'll have the signing and root certificate in /var/pkg/publisher/solaris/certs. Copy the root certificate to the CA certificate directory in /etc/certs/CA/ and then pkg(1) will trust the certificate chain.
In my case, it's as easy as
cp /var/pkg/publisher/solaris/certs/370b6b4fba7b0ad472465ffe9377f8f6040b2cfd /etc/certs/CA/temp-solaris-object-signing.pem
svcadm restart system/ca-certificates
The next hurdle you'll find is that pkg://solaris/system/core-os@11.4,5.11-11.4.0.0.1.15.0 has an origin root-image dependency on pkg:/system/core-os@0.5.11-0.175.3.23.0.4.0 (see https://docs.oracle.com/cd/E53394_01/html/E54820/dependtypes.html#PKDEVglumq for details about pkg dependencies). There is probably a very good reason that is there...
EDIT: the rest of what you're probably trying to do is...
If you choose to ignore that giant red flag, and don't mind your Solaris 11.3 system becoming unsupportable (probably because you don't have a support contract in order to download 11.3SRU23), you can do something like:
pkgrecv -s /path/to/solaris11_4 -d /var/tmp/sol114 --raw pkg://solaris/system/core-os@11.4,5.11-11.4.0.0.1.15.0:20180817T002753Z
vi /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T002753Z/manifest*
Remove the dependency:
depend fmri=pkg:/system/core-os@0.5.11-0.175.3.23.0.4.0 root-image=true type=origin
Publish back to your local repo:
pkgsend publish -s /path/to/solaris11_4 -d /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T0023Z/ /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T002753Z/manifest
pkgrepo -s /path/to/solaris11_4 rebuild
Then run the upgrade.
You need to ensure that /var/tmp is completely empty before upgrading because it seems to create a new ZFS dataset for /var/tmp during the upgrade, otherwise it seems to work fine with a couple of fixable errors. YMMV, I tested this on an old T4-2 SPARC system (not x86), so I don't know if there are other quirks around GRUB upgrades etc.
add a comment |
I think I know exactly what you're trying to do, but you'll also fail at the next step which is where I'm up to.
pkg(1) stashes a copy of the certificate chain in /var/pkg/publisher/(publisher name)/certs, so you'll have the signing and root certificate in /var/pkg/publisher/solaris/certs. Copy the root certificate to the CA certificate directory in /etc/certs/CA/ and then pkg(1) will trust the certificate chain.
In my case, it's as easy as
cp /var/pkg/publisher/solaris/certs/370b6b4fba7b0ad472465ffe9377f8f6040b2cfd /etc/certs/CA/temp-solaris-object-signing.pem
svcadm restart system/ca-certificates
The next hurdle you'll find is that pkg://solaris/system/core-os@11.4,5.11-11.4.0.0.1.15.0 has an origin root-image dependency on pkg:/system/core-os@0.5.11-0.175.3.23.0.4.0 (see https://docs.oracle.com/cd/E53394_01/html/E54820/dependtypes.html#PKDEVglumq for details about pkg dependencies). There is probably a very good reason that is there...
EDIT: the rest of what you're probably trying to do is...
If you choose to ignore that giant red flag, and don't mind your Solaris 11.3 system becoming unsupportable (probably because you don't have a support contract in order to download 11.3SRU23), you can do something like:
pkgrecv -s /path/to/solaris11_4 -d /var/tmp/sol114 --raw pkg://solaris/system/core-os@11.4,5.11-11.4.0.0.1.15.0:20180817T002753Z
vi /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T002753Z/manifest*
Remove the dependency:
depend fmri=pkg:/system/core-os@0.5.11-0.175.3.23.0.4.0 root-image=true type=origin
Publish back to your local repo:
pkgsend publish -s /path/to/solaris11_4 -d /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T0023Z/ /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T002753Z/manifest
pkgrepo -s /path/to/solaris11_4 rebuild
Then run the upgrade.
You need to ensure that /var/tmp is completely empty before upgrading because it seems to create a new ZFS dataset for /var/tmp during the upgrade, otherwise it seems to work fine with a couple of fixable errors. YMMV, I tested this on an old T4-2 SPARC system (not x86), so I don't know if there are other quirks around GRUB upgrades etc.
I think I know exactly what you're trying to do, but you'll also fail at the next step which is where I'm up to.
pkg(1) stashes a copy of the certificate chain in /var/pkg/publisher/(publisher name)/certs, so you'll have the signing and root certificate in /var/pkg/publisher/solaris/certs. Copy the root certificate to the CA certificate directory in /etc/certs/CA/ and then pkg(1) will trust the certificate chain.
In my case, it's as easy as
cp /var/pkg/publisher/solaris/certs/370b6b4fba7b0ad472465ffe9377f8f6040b2cfd /etc/certs/CA/temp-solaris-object-signing.pem
svcadm restart system/ca-certificates
The next hurdle you'll find is that pkg://solaris/system/core-os@11.4,5.11-11.4.0.0.1.15.0 has an origin root-image dependency on pkg:/system/core-os@0.5.11-0.175.3.23.0.4.0 (see https://docs.oracle.com/cd/E53394_01/html/E54820/dependtypes.html#PKDEVglumq for details about pkg dependencies). There is probably a very good reason that is there...
EDIT: the rest of what you're probably trying to do is...
If you choose to ignore that giant red flag, and don't mind your Solaris 11.3 system becoming unsupportable (probably because you don't have a support contract in order to download 11.3SRU23), you can do something like:
pkgrecv -s /path/to/solaris11_4 -d /var/tmp/sol114 --raw pkg://solaris/system/core-os@11.4,5.11-11.4.0.0.1.15.0:20180817T002753Z
vi /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T002753Z/manifest*
Remove the dependency:
depend fmri=pkg:/system/core-os@0.5.11-0.175.3.23.0.4.0 root-image=true type=origin
Publish back to your local repo:
pkgsend publish -s /path/to/solaris11_4 -d /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T0023Z/ /var/tmp/sol114/system%2Fcore-os/11.4%2C5.11-11.4.0.0.1.15.0%3A20180817T002753Z/manifest
pkgrepo -s /path/to/solaris11_4 rebuild
Then run the upgrade.
You need to ensure that /var/tmp is completely empty before upgrading because it seems to create a new ZFS dataset for /var/tmp during the upgrade, otherwise it seems to work fine with a couple of fixable errors. YMMV, I tested this on an old T4-2 SPARC system (not x86), so I don't know if there are other quirks around GRUB upgrades etc.
edited Sep 25 '18 at 7:14
answered Sep 12 '18 at 7:16
jpmjpm
212
212
add a comment |
add a comment |
The following command will install 11.3 sru21 which will install new CA.
DDT-incorporation is a diagnostic package which has explorer etc..
pkg update --reject ddt-incorporation --accept entire@0.5.11-0.175.3.21.0.5.0
Later you can install the individual package if required or subsequent pkg update will not fail.
pkg install ddt-incorporation
You are apparently showing a command that is obviously not a valid command — it has unquoted parentheses (and not in an allowed configuration). What do you mean? Please do not respond in comments; edit your answer to make it clearer and more complete.
– G-Man
Nov 14 '18 at 18:25
add a comment |
The following command will install 11.3 sru21 which will install new CA.
DDT-incorporation is a diagnostic package which has explorer etc..
pkg update --reject ddt-incorporation --accept entire@0.5.11-0.175.3.21.0.5.0
Later you can install the individual package if required or subsequent pkg update will not fail.
pkg install ddt-incorporation
You are apparently showing a command that is obviously not a valid command — it has unquoted parentheses (and not in an allowed configuration). What do you mean? Please do not respond in comments; edit your answer to make it clearer and more complete.
– G-Man
Nov 14 '18 at 18:25
add a comment |
The following command will install 11.3 sru21 which will install new CA.
DDT-incorporation is a diagnostic package which has explorer etc..
pkg update --reject ddt-incorporation --accept entire@0.5.11-0.175.3.21.0.5.0
Later you can install the individual package if required or subsequent pkg update will not fail.
pkg install ddt-incorporation
The following command will install 11.3 sru21 which will install new CA.
DDT-incorporation is a diagnostic package which has explorer etc..
pkg update --reject ddt-incorporation --accept entire@0.5.11-0.175.3.21.0.5.0
Later you can install the individual package if required or subsequent pkg update will not fail.
pkg install ddt-incorporation
edited Nov 15 '18 at 20:54
answered Nov 14 '18 at 17:58
Manja-solarisManja-solaris
11
11
You are apparently showing a command that is obviously not a valid command — it has unquoted parentheses (and not in an allowed configuration). What do you mean? Please do not respond in comments; edit your answer to make it clearer and more complete.
– G-Man
Nov 14 '18 at 18:25
add a comment |
You are apparently showing a command that is obviously not a valid command — it has unquoted parentheses (and not in an allowed configuration). What do you mean? Please do not respond in comments; edit your answer to make it clearer and more complete.
– G-Man
Nov 14 '18 at 18:25
You are apparently showing a command that is obviously not a valid command — it has unquoted parentheses (and not in an allowed configuration). What do you mean? Please do not respond in comments; edit your answer to make it clearer and more complete.
– G-Man
Nov 14 '18 at 18:25
You are apparently showing a command that is obviously not a valid command — it has unquoted parentheses (and not in an allowed configuration). What do you mean? Please do not respond in comments; edit your answer to make it clearer and more complete.
– G-Man
Nov 14 '18 at 18:25
add a comment |
To resolve the pkg update issue:
Specify the exact version of the "package involved".
pkg update --reject pkg://solaris/consolidation/ddt/ddt-incorporation@18.3.18.7.13,0.5.11-11.4.0.0.1.11.0:20180718T212443Z entire@0.5.11-0.175.3.35
or simply reject it:
pkg update consolidation/ddt/ddt-incorporation@18.3.18.7.4-0.175.3.35.0.1.0 entire@0.5.11-0.175.3.35
New contributor
add a comment |
To resolve the pkg update issue:
Specify the exact version of the "package involved".
pkg update --reject pkg://solaris/consolidation/ddt/ddt-incorporation@18.3.18.7.13,0.5.11-11.4.0.0.1.11.0:20180718T212443Z entire@0.5.11-0.175.3.35
or simply reject it:
pkg update consolidation/ddt/ddt-incorporation@18.3.18.7.4-0.175.3.35.0.1.0 entire@0.5.11-0.175.3.35
New contributor
add a comment |
To resolve the pkg update issue:
Specify the exact version of the "package involved".
pkg update --reject pkg://solaris/consolidation/ddt/ddt-incorporation@18.3.18.7.13,0.5.11-11.4.0.0.1.11.0:20180718T212443Z entire@0.5.11-0.175.3.35
or simply reject it:
pkg update consolidation/ddt/ddt-incorporation@18.3.18.7.4-0.175.3.35.0.1.0 entire@0.5.11-0.175.3.35
New contributor
To resolve the pkg update issue:
Specify the exact version of the "package involved".
pkg update --reject pkg://solaris/consolidation/ddt/ddt-incorporation@18.3.18.7.13,0.5.11-11.4.0.0.1.11.0:20180718T212443Z entire@0.5.11-0.175.3.35
or simply reject it:
pkg update consolidation/ddt/ddt-incorporation@18.3.18.7.4-0.175.3.35.0.1.0 entire@0.5.11-0.175.3.35
New contributor
New contributor
answered 9 mins ago
GopiKrishna JagadamGopiKrishna Jagadam
1
1
New contributor
New contributor
add a comment |
add a comment |
pkg uninstall consolidation/ddt/ddt-incorporation support/explorer
In my case, after removing those two packages (support/explorer depending on ddt-incorporation), I still get the error for other packages (pkg://solaris/library/python/pyatspi-27@2.30.0,5.11-11.4.0.0.1.9.0:20180618T175853Z
), suggesting that it's not only about those packages but that we need somehow to let Solaris know about the new oracle root certificate (pkg refresh --full
doesn't help).
– Stéphane Chazelas
Aug 29 '18 at 10:46
add a comment |
pkg uninstall consolidation/ddt/ddt-incorporation support/explorer
In my case, after removing those two packages (support/explorer depending on ddt-incorporation), I still get the error for other packages (pkg://solaris/library/python/pyatspi-27@2.30.0,5.11-11.4.0.0.1.9.0:20180618T175853Z
), suggesting that it's not only about those packages but that we need somehow to let Solaris know about the new oracle root certificate (pkg refresh --full
doesn't help).
– Stéphane Chazelas
Aug 29 '18 at 10:46
add a comment |
pkg uninstall consolidation/ddt/ddt-incorporation support/explorer
pkg uninstall consolidation/ddt/ddt-incorporation support/explorer
edited Aug 29 '18 at 10:12
Jeff Schaller
40.1k1054126
40.1k1054126
answered Aug 29 '18 at 9:25
VladoVlado
1
1
In my case, after removing those two packages (support/explorer depending on ddt-incorporation), I still get the error for other packages (pkg://solaris/library/python/pyatspi-27@2.30.0,5.11-11.4.0.0.1.9.0:20180618T175853Z
), suggesting that it's not only about those packages but that we need somehow to let Solaris know about the new oracle root certificate (pkg refresh --full
doesn't help).
– Stéphane Chazelas
Aug 29 '18 at 10:46
add a comment |
In my case, after removing those two packages (support/explorer depending on ddt-incorporation), I still get the error for other packages (pkg://solaris/library/python/pyatspi-27@2.30.0,5.11-11.4.0.0.1.9.0:20180618T175853Z
), suggesting that it's not only about those packages but that we need somehow to let Solaris know about the new oracle root certificate (pkg refresh --full
doesn't help).
– Stéphane Chazelas
Aug 29 '18 at 10:46
In my case, after removing those two packages (support/explorer depending on ddt-incorporation), I still get the error for other packages (
pkg://solaris/library/python/pyatspi-27@2.30.0,5.11-11.4.0.0.1.9.0:20180618T175853Z
), suggesting that it's not only about those packages but that we need somehow to let Solaris know about the new oracle root certificate (pkg refresh --full
doesn't help).– Stéphane Chazelas
Aug 29 '18 at 10:46
In my case, after removing those two packages (support/explorer depending on ddt-incorporation), I still get the error for other packages (
pkg://solaris/library/python/pyatspi-27@2.30.0,5.11-11.4.0.0.1.9.0:20180618T175853Z
), suggesting that it's not only about those packages but that we need somehow to let Solaris know about the new oracle root certificate (pkg refresh --full
doesn't help).– Stéphane Chazelas
Aug 29 '18 at 10:46
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f465416%2fsolaris-wont-update-because-ddt-incorporation-is-using-a-self-signed-certifcate%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Have you tried using the full path to
solaris/consolidation/ddt/ddt-incorporation
?– Andrew Henle
Aug 29 '18 at 10:18
FWIW, I get the same error here when trying to update a Solaris virtualbox VM with nothing fancy on it. Suggesting Oracle have messed up something somewhere.
– Stéphane Chazelas
Aug 29 '18 at 10:29
1
It's probably a matter of going through the steps described at docs.oracle.com/cd/E37838_01/html/E60977/gmpdi.html
– Stéphane Chazelas
Aug 29 '18 at 10:59