Go to main content

Updating Systems and Adding Software in Oracle® Solaris 11.4

Exit Print View

Updated: August 2018
 
 

Cannot Access Publisher or Repository

The errors discussed in this section are related to an inability to access the URI of the publisher.

Configuring Publishers in Oracle Enterprise Manager Ops Center

If you are using Ops Center, the IPS package repository is called the Oracle Solaris Software Update Library. For information about how to update the library, see the Oracle Solaris sections of the Software Library section of the Oracle Enterprise Manager Ops Center configuration reference manual.

To associate new certificates with the solaris publisher, use the Configure Parent Repos and Add Content actions in the Library → Oracle Solaris section of the Ops Center BUI.

See the Firewall Rules section of the Oracle Enterprise Manager Ops Center Ports and Protocols guide for firewall rules to allow systems to access the external IPS repository. This list can also be useful if you are not using Ops Center.

Cannot Access Package Repository

Error messages:

  • Couldn't resolve host

  • Unable to contact any configured publishers

  • Unable to contact valid package repository

  • Origin URIs do not appear to point to a valid pkg repository

  • Framework error: code: E_COULDNT_CONNECT (7) reason: Failed to connect

Use the pkg publisher command to display the URIs of your publishers. See the LOCATION column or the URI row in the following examples:

$ pkg publisher
PUBLISHER                   TYPE     STATUS P LOCATION
solaris                     origin   online F http://pkg.oracle.com/solaris/release/
$ pkg publisher solaris
            Publisher: solaris
                Alias:
           Origin URI: http://pkg.oracle.com/solaris/release/

If publishers are listed that you are no longer using, either disable or remove those publishers:

$ pkg set-publisher --disable publisher
$ pkg unset-publisher publisher

For publishers that you are using, make sure the URIs are correct.

  • Try to view each publisher origin location in a browser or ping that location.

  • Try to list packages at that origin by using the pkgrepo list command.

If an origin location is not correct, use the -G and -g options of the pkg set-publisher command together to change the URI.

If a publisher has more than one origin, all origin locations must be accessible. If any origin location is not accessible, use the -G option of the pkg set-publisher command to remove that origin.

If a publisher is configured in a non-global zone, all locations for that publisher must be accessible from the global zone even if that publisher is not configured in the global zone.

If the image has non-global zones, see the instructions for non-global zones in Location Not Found.

SSL Certificate Problem

Error messages:

  • Framework error: code: 35 reason: SSL routines

  • Framework error: code: 60 reason: SSL certificate problem, verify that the CA cert is OK

  • Framework error: code: 60 reason: SSL certificate problem: self signed certificate


Note -  A repository that requires a client SSL certificate cannot be specified by using a -g option with a pkg installation command.

Take one or more of the following actions if the pkg command displays a message about an SSL problem:

  • Make sure the time and date are correct on the system.

  • Make sure the key and certificate required by the publisher origin are installed and are not expired.

    Information about how to obtain a key and certificate should be included with other information about the secure repository. For example, use the https://pkg-register.oracle.com/ site to obtain a key and certificate for the https://pkg.oracle.com/solaris/support/ Oracle Solaris support repository.

    Use the -k and -c options with the pkg set-publisher command to install the key and certificate files for this publisher. Each publisher can have only one key and certificate specified. If a publisher has multiple secure origins configured, all secure origins share the one key and certificate.

    $ pkg set-publisher -k /tmp/keyfile -c /tmp/certfile publisher-name

    Use the pkg publisher command for the publisher to verify that the key and certificate files are installed and are not expired.

    $ pkg publisher solaris
    
                Publisher: solaris
                    Alias:
               Origin URI: https://pkg.oracle.com/solaris/support/
                  SSL Key: /var/pkg/ssl/keyfile
                 SSL Cert: /var/pkg/ssl/certfile
     Cert. Effective Date: July  1, 2015 04:47:13 PM
    Cert. Expiration Date: July  8, 2017 04:47:13 PM
              Client UUID: client-uuid
          Catalog Updated: May 11, 2016 03:28:43 PM
                  Enabled: Yes
               Properties:
                           proxied-urls = []
                           signature-policy = require-signatures

    If the key or certificate is expired, an error message such as the following is shown:

    Certificate '/var/pkg/ssl/certfile' has expired.
      Please install a valid certificate.
  • Make sure the key and certificate work with the specified origin.

    The following command fails because the specified origin requires a key and certificate:

    $ pkgrepo info -s https://pkg.oracle.com/solaris/support/

    The following command succeeds because the key and certificate file names copied from the pkg publisher publisher-name output are valid:

    $ pkgrepo info -s https://pkg.oracle.com/solaris/support/ \
    > --key /var/pkg/ssl/keyfile --cert /var/pkg/ssl/certfile
    PUBLISHER PACKAGES STATUS           UPDATED
    solaris   6711     online           2016-05-19T19:00:10.152688Z
  • Make sure the CA certificate is not corrupted.

    Verify the crypto/ca-certificates package.

    $ pkg verify crypto/ca-certificates

    If any problems are reported, perform the following steps:

    • Fix the crypto/ca-certificates package.

      $ pkg fix crypto/ca-certificates
    • Refresh the system/ca-certificates SMF service.

      $ svcadm refresh svc:/system/ca-certificates:default
  • Check proxies and firewalls.

    If your site requires a proxy for external locations, use the --proxy option of the pkg set-publisher command to set that proxy. See Specifying a Proxy for instructions.

    See the Firewall Rules section of the Oracle Enterprise Manager Ops Center Ports and Protocols guide for firewall rules to allow systems to access the external IPS repository. This list can also be useful if you are not using Ops Center.

  • If you are using a self-signed certificate, add the CA certificate to the system as described in Creating a Self-Signed Server Certificate Authority in Creating Package Repositories in Oracle Solaris 11.4

  • If you are using Ops Center, see Configuring Publishers in Oracle Enterprise Manager Ops Center.

Location Not Found

Error message: http protocol error: code: 404 reason: Not Found

Check your publisher URIs as described in Cannot Access Package Repository. If you can view or ping the location successfully, use the pkgrepo list command to try to show one of the packages in the repository.

If the URI is a file-based repository, make sure the files and directories are readable by the pkg5srv user. You can use the pkgrepo verify command to check whether the repository is readable by the pkg5srv user.

Check your web server configuration. See Chapter 5, Running the Package Depot Server Behind a Web Server in Creating Package Repositories in Oracle Solaris 11.4 for more information.

  • If you run the package depot server behind an Apache web server instance, include the following setting in your httpd.conf file to not decode encoded forward slashes:

    AllowEncodedSlashes NoDecode
  • Set the depot server pkg/proxy_base to the URL of the repository on the Apache server:

    $ svccfg -s pkg/server:repo setprop pkg/proxy_base = astring: http://pkg.example.com/myrepo
    $ svcadm refresh pkg/server:repo

If the problem occurs in a non-global zone, take the following troubleshooting steps. Remember that non-global zones use a special package repository called the system repository. See the pkg.sysrepo(8) man page for more information about the system repository.

  • You cannot use the -g option in an image that has non-global zones. Instead, use the pkg set-publisher command to explicitly add that publisher and origin.

  • Make sure the files and directories in file-based repositories are readable by the pkg5srv user. The pkg5srv user runs the system-repository Apache instance. See Relationship Between Global and Non-Global Zones for examples that show how to find the location of a system repository.

  • If your site requires a proxy to access external locations, make sure the proxy has been specified correctly for publishers in the global zone. Use the --proxy option of the pkg set-publisher command to specify the proxy. See Specifying a Proxy for instructions. One way to check your proxy is to make sure you get no access error messages from the pkg refresh --full command.

  • Make sure the service svc:/application/pkg/system-repository:default is online in the global zone.

  • Make sure the service svc:/application/pkg/zones-proxyd:default is online in the global zone and the service svc:/application/pkg/zones-proxy-client:default is online in the non-global zone.

  • In the global zone, check the log files in /var/log/pkg/sysrepo/* for any permissions errors reported when trying to read files. Check for 404 or 503 errors reported in /var/log/pkg/sysrepo/access_log. Check for errors reported in /var/log/pkg/sysrepo/error_log.

  • In the global zone, verify that localhost is set to 127.0.0.1 in the /etc/hosts file. Verify that Listen is set to 127.0.0.1:1008 and ServerName is set to 127.0.0.1 in the /system/volatile/pkg/sysrepo/sysrepo_httpd.conf file.

  • In the global zone, check whether the file /system/volatile/pkg/sysrepo/sysrepo_httpd.conf contains Alias lines of the following form:

    $ grep Alias /system/volatile/pkg/sysrepo/sysrepo_httpd.conf
    WSGIScriptAlias /wsgi_p5p /etc/pkg/sysrepo/sysrepo_p5p.py

    If the sysrepo_httpd.conf file has no Alias lines, restart the sysrepo service:

    $ svcadm restart svc:/application/pkg/system-repository:default

Service Is Not Available

Error message: http protocol error: code: 503 reason: Service Unavailable

Use the pkg publisher command to find the location of the package repository that you are trying to use, and examine SMF services on that system. Use the following command to identify any package repository SMF service instances that are enabled but not running and any instances that are preventing another enabled instance from running:

$ svcs -xv pkg/server
svc:/application/pkg/server: default (image packaging repository)
 State: online since July 25, 2013 07:53:50 AM PDT
   See: /var/svc/log/application-pkg-server:default.log
Impact: None.

If any service is reporting a problem, check the log file listed in the svcs output to determine the specific problem.

Make sure that the inst_root property, the port property, and other properties are set correctly.

$ svcprop -p pkg pkg/server:default
$ svcprop -p pkg/inst_root -p pkg/port pkg/server:default
/var/share/pkgrepos/solaris
80

If necessary, use the svccfg command to reset property values, as shown in the following example:

$ svccfg -s pkg/server:default setprop pkg/port=1008

Use the svcadm command to clear, refresh, restart, and enable the service instance as necessary.