SSL Certificate Problem
Error messages:
- Framework error: code: 35 reason: SSL routines
- Framework error: code: 60 reason: SSL certificate problem, verify that the CA cert is OK
- Framework error: code: 60 reason: SSL certificate problem: self signed certificate
Note: A repository that requires a client SSL certificate cannot be specified by using a -g option with a pkg installation command.
Take one or more of the following actions if the pkg command displays a message about an SSL problem:
- Make sure the time and date are correct on the system.
- Make sure the key and certificate required by the publisher origin are installed and are not expired.
  Information about how to obtain a key and certificate should be included with other information about the secure repository. For example, use the https://pkg-register.oracle.com/ site to obtain a key and certificate for the https://pkg.oracle.com/solaris/support/ Oracle Solaris support repository.
  Use the -k and -c options with the pkg set-publisher command to install the key and certificate files for this publisher. Each publisher can have only one key and certificate specified. If a publisher has multiple secure origins configured, all secure origins share the one key and certificate.

      $ pkg set-publisher -k /tmp/keyfile -c /tmp/certfile publisher-name

  Use the pkg publisher command for the publisher to verify that the key and certificate files are installed and are not expired.

      $ pkg publisher solaris
                  Publisher: solaris
                      Alias:
                 Origin URI: https://pkg.oracle.com/solaris/support/
                    SSL Key: /var/pkg/ssl/keyfile
                   SSL Cert: /var/pkg/ssl/certfile
       Cert. Effective Date: July 1, 2015 04:47:13 PM
      Cert. Expiration Date: July 8, 2017 04:47:13 PM
                Client UUID: client-uuid
            Catalog Updated: May 11, 2016 03:28:43 PM
                    Enabled: Yes
                 Properties:
               proxied-urls = []
           signature-policy = require-signatures

  If the key or certificate is expired, an error message such as the following is shown:

      Certificate '/var/pkg/ssl/certfile' has expired. Please install a valid certificate.
- Make sure the key and certificate work with the specified origin.
  The following command fails because the specified origin requires a key and certificate:

      $ pkgrepo info -s https://pkg.oracle.com/solaris/support/

  The following command succeeds because the key and certificate file names copied from the pkg publisher publisher-name output are valid:

      $ pkgrepo info -s https://pkg.oracle.com/solaris/support/ \
      > --key /var/pkg/ssl/keyfile --cert /var/pkg/ssl/certfile
      PUBLISHER PACKAGES STATUS UPDATED
      solaris   6711     online 2016-05-19T19:00:10.152688Z
- Make sure the CA certificate is not corrupted.
  Verify the crypto/ca-certificates package.

      $ pkg verify crypto/ca-certificates

  If any problems are reported, perform the following steps:
  - Fix the crypto/ca-certificates package.

        $ pkg fix crypto/ca-certificates

  - Refresh the system/ca-certificates SMF service.

        $ svcadm refresh svc:/system/ca-certificates:default

- Check proxies and firewalls.
  If your site requires a proxy for external locations, use the --proxy option of the pkg set-publisher command to set that proxy. See Specifying a Proxy for instructions.
  See the Firewall Rules section of the Oracle Enterprise Manager Ops Center Ports and Protocols guide for firewall rules to allow systems to access the external IPS repository. This list can also be useful if you are not using Ops Center.
- If you are using a self-signed certificate, add the CA certificate to the system as described in Creating a Self-Signed Server Certificate Authority in Creating Package Repositories in Oracle Solaris 11.4.
- If you are using Ops Center, see Configuring Publishers in Oracle Enterprise Manager Ops Center.
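The first two checks above (system clock, and an installed, unexpired client key and certificate) can be scripted against the pkg publisher output. The following is an added example, not part of the Oracle documentation or the pkg tool: it parses the "Label: value" lines that pkg publisher prints and classifies the client certificate against a given clock value. The sample output and the test dates are constructed from the listing shown above; the function names are this example's own.

```python
from datetime import datetime

# Constructed sample of `pkg publisher solaris` output, using the
# certificate dates shown in the troubleshooting steps above.
SAMPLE_PUBLISHER_OUTPUT = """\
            Publisher: solaris
                Alias:
           Origin URI: https://pkg.oracle.com/solaris/support/
              SSL Key: /var/pkg/ssl/keyfile
             SSL Cert: /var/pkg/ssl/certfile
 Cert. Effective Date: July 1, 2015 04:47:13 PM
Cert. Expiration Date: July 8, 2017 04:47:13 PM
          Client UUID: client-uuid
      Catalog Updated: May 11, 2016 03:28:43 PM
              Enabled: Yes
"""

# Date layout used by pkg publisher, e.g. "July 8, 2017 04:47:13 PM".
PKG_DATE_FORMAT = "%B %d, %Y %I:%M:%S %p"


def parse_pkg_date(text):
    """Parse a pkg publisher timestamp into a naive datetime."""
    return datetime.strptime(text.strip(), PKG_DATE_FORMAT)


def parse_publisher(text):
    """Turn the 'Label: value' lines of pkg publisher output into a dict.

    Only the first colon splits label from value, so timestamps and
    https:// URIs on the value side survive intact.
    """
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, _, value = line.partition(":")
        fields[label.strip()] = value.strip()
    return fields


def check_client_cert(fields, now):
    """Classify the publisher's client certificate relative to `now`.

    Returns 'no-client-cert', 'not-yet-valid', 'expired' or 'ok'.
    'not-yet-valid' on a freshly issued certificate usually means the
    system clock is wrong; 'expired' means a new key and certificate
    must be installed with pkg set-publisher -k ... -c ....
    """
    if not fields.get("SSL Key") or not fields.get("SSL Cert"):
        return "no-client-cert"
    effective = parse_pkg_date(fields["Cert. Effective Date"])
    expires = parse_pkg_date(fields["Cert. Expiration Date"])
    if now < effective:
        return "not-yet-valid"
    if now > expires:
        return "expired"
    return "ok"
```

On a live system, feed the function the captured output of `pkg publisher <name>` and `datetime.now()`; a clock skewed by years shows up as "not-yet-valid" rather than "expired".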