SSL Certificate Problem

Error messages:

  • Framework error: code: 35 reason: SSL routines

  • Framework error: code: 60 reason: SSL certificate problem, verify that the CA cert is OK

  • Framework error: code: 60 reason: SSL certificate problem: self signed certificate

Note:

A repository that requires a client SSL certificate cannot be specified by using a -g option with a pkg installation command.

Take one or more of the following actions if the pkg command displays a message about an SSL problem:

  • Make sure the time and date are correct on the system.

  • Make sure the key and certificate required by the publisher origin are installed and are not expired.

    Information about how to obtain a key and certificate should be included with other information about the secure repository. For example, use the https://pkg-register.oracle.com/ site to obtain a key and certificate for the https://pkg.oracle.com/solaris/support/ Oracle Solaris support repository.

    Use the -k and -c options with the pkg set-publisher command to install the key and certificate files for this publisher. Each publisher can have only one key and certificate specified. If a publisher has multiple secure origins configured, all secure origins share the one key and certificate.

    $ pkg set-publisher -k /tmp/keyfile -c /tmp/certfile publisher-name

    Use the pkg publisher command for the publisher to verify that the key and certificate files are installed and are not expired.

    $ pkg publisher solaris
    
                Publisher: solaris
                    Alias:
               Origin URI: https://pkg.oracle.com/solaris/support/
                  SSL Key: /var/pkg/ssl/keyfile
                 SSL Cert: /var/pkg/ssl/certfile
     Cert. Effective Date: July  1, 2015 04:47:13 PM
    Cert. Expiration Date: July  8, 2017 04:47:13 PM
              Client UUID: client-uuid
          Catalog Updated: May 11, 2016 03:28:43 PM
                  Enabled: Yes
               Properties:
                           proxied-urls = []
                           signature-policy = require-signatures

    If the key or certificate is expired, an error message such as the following is shown:

    Certificate '/var/pkg/ssl/certfile' has expired.
      Please install a valid certificate.

  • Make sure the key and certificate work with the specified origin.

    The following command fails because the specified origin requires a key and certificate:

    $ pkgrepo info -s https://pkg.oracle.com/solaris/support/

    The following command succeeds because it passes the key and certificate files listed in the pkg publisher publisher-name output, which are valid for this origin:

    $ pkgrepo info -s https://pkg.oracle.com/solaris/support/ \
    > --key /var/pkg/ssl/keyfile --cert /var/pkg/ssl/certfile
    
    PUBLISHER PACKAGES STATUS           UPDATED
    solaris   6711     online           2016-05-19T19:00:10.152688Z

  • Make sure the CA certificate is not corrupted.

    Verify the crypto/ca-certificates package.

    $ pkg verify crypto/ca-certificates

    If any problems are reported, perform the following steps:

    • Fix the crypto/ca-certificates package.

      $ pkg fix crypto/ca-certificates

    • Refresh the system/ca-certificates SMF service.

      $ svcadm refresh svc:/system/ca-certificates:default

  • Check proxies and firewalls.

    If your site requires a proxy for external locations, use the --proxy option of the pkg set-publisher command to set that proxy. See Specifying a Proxy for instructions.

    See the Firewall Rules section of the Oracle Enterprise Manager Ops Center Ports and Protocols guide for firewall rules to allow systems to access the external IPS repository. This list can also be useful if you are not using Ops Center.

  • If you are using a self-signed certificate, add the CA certificate to the system as described in Creating a Self-Signed Server Certificate Authority in Creating Package Repositories in Oracle Solaris 11.4.

  • If you are using Ops Center, see Configuring Publishers in Oracle Enterprise Manager Ops Center.
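The expiry check and the system-clock check above can be scripted so that many systems are reviewed at once. The following Python script is an added example, not part of this Oracle document or of the pkg tooling: it parses the pkg publisher output format shown above (a constructed sample is embedded, with hypothetical values) and classifies the client certificate as expired, expiring soon, not yet valid (which usually points at a wrong system date rather than a bad certificate), or OK.

```python
from datetime import datetime, timedelta

# Constructed sample in the layout printed by `pkg publisher <name>`
# (hypothetical values, not taken from a real system).
SAMPLE_PKG_PUBLISHER_OUTPUT = """\
            Publisher: solaris
                Alias:
           Origin URI: https://pkg.oracle.com/solaris/support/
              SSL Key: /var/pkg/ssl/keyfile
             SSL Cert: /var/pkg/ssl/certfile
 Cert. Effective Date: July  1, 2015 04:47:13 PM
Cert. Expiration Date: July  8, 2017 04:47:13 PM
          Client UUID: client-uuid
              Enabled: Yes
"""

# Date layout used by pkg publisher, e.g. "July  8, 2017 04:47:13 PM"
PKG_DATE_FORMAT = "%B %d, %Y %I:%M:%S %p"


def parse_publisher_output(text):
    """Turn the 'Label: value' lines of pkg publisher output into a dict."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            fields[label.strip()] = value.strip()
    return fields


def check_client_cert(fields, now_iso=None, warn_days=30):
    """Classify the publisher's client certificate against a clock value.

    now_iso is an ISO 8601 timestamp to compare against (defaults to the
    system clock, so the result is only as good as the system date).
    Returns: no-client-cert, not-yet-valid, expired, expiring-soon or ok.
    """
    if fields.get("SSL Cert") in (None, "", "None"):
        return "no-client-cert"      # origin does not use a client certificate
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now()
    effective = datetime.strptime(fields["Cert. Effective Date"], PKG_DATE_FORMAT)
    expires = datetime.strptime(fields["Cert. Expiration Date"], PKG_DATE_FORMAT)
    if now < effective:
        return "not-yet-valid"       # usually a wrong system date, not a bad cert
    if now >= expires:
        return "expired"             # pkg reports "Certificate ... has expired."
    if expires - now <= timedelta(days=warn_days):
        return "expiring-soon"       # renew before the publisher stops working
    return "ok"


if __name__ == "__main__":
    fields = parse_publisher_output(SAMPLE_PKG_PUBLISHER_OUTPUT)
    print(fields["Publisher"], fields["SSL Cert"], check_client_cert(fields))
```

On a real system, feed it the output of `pkg publisher publisher-name` instead of the embedded sample; the thresholds and the ISO timestamp parameter are assumptions of this example.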