Hello, All:
I’ve just inherited a SLED11-SP1 system and I’m attempting to update the installed packages. However, zypper complains…
[CODE]genesco1:~ # zypper update
Refreshing service ‘nu_novell_com’.
Problem retrieving the repository index file for service ‘nu_novell_com’:
Download (curl) error for ‘https://nu.novell.com/repo/repoindex.xml?cookies=0&credentials=NCCcredentials’:
Error code: Unrecognized error
Error message: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Check if the URI is valid and accessible.
File ‘/repodata/repomd.xml’ not found on medium ‘http://www2.ati.com/suse/sle11sp1’
Abort, retry, ignore? [a/r/i/?] (a): a
Problem retrieving files from ‘ATI-Driver-SLE11-SP1’.
File ‘/repodata/repomd.xml’ not found on medium ‘http://www2.ati.com/suse/sle11sp1’
Please see the above error message for a hint.
Warning: Disabling repository ‘ATI-Driver-SLE11-SP1’ because of the above error.
Download (curl) error for ‘https://nu.novell.com/repo/$RCE/SLED11-SP1-Pool/sle-11-i586/repodata/repomd.xml?credentials=NCCcredentials’:
Error code: Unrecognized error
Error message: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Abort, retry, ignore? [a/r/i/?] (a): a
Abort, retry, ignore? [a/r/i/?] (a): a
Problem retrieving files from ‘SLED11-SP1-Pool’.
Download (curl) error for ‘https://nu.novell.com/repo/$RCE/SLED11-SP1-Pool/sle-11-i586/repodata/repomd.xml?credentials=NCCcredentials’:
Error code: Unrecognized error
Error message: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Please see the above error message for a hint.
Warning: Disabling repository ‘SLED11-SP1-Pool’ because of the above error.
Download (curl) error for ‘https://nu.novell.com/repo/$RCE/SLED11-SP1-Updates/sle-11-i586/repodata/repomd.xml?credentials=NCCcredentials’:
Error code: Unrecognized error
Error message: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Abort, retry, ignore? [a/r/i/?] (a):
Abort, retry, ignore? [a/r/i/?] (a):
Problem retrieving files from ‘SLED11-SP1-Updates’.
Download (curl) error for ‘https://nu.novell.com/repo/$RCE/SLED11-SP1-Updates/sle-11-i586/repodata/repomd.xml?credentials=NCCcredentials’:
Error code: Unrecognized error
Error message: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Please see the above error message for a hint.
Warning: Disabling repository ‘SLED11-SP1-Updates’ because of the above error.[/CODE]
I believe that there is an HTTP proxy in our environment but that’s not stopping wget from accessing google.com:
[CODE]genesco1:~ # wget google.com
–2012-07-05 22:15:51-- http://google.com/
Resolving google.com… 74.125.226.162, 74.125.226.169, 74.125.226.160, …
Connecting to google.com|74.125.226.162|:80… connected.
HTTP request sent, awaiting response… 301 Moved Permanently
Location: http://www.google.com/ [following]
–2012-07-05 22:15:52-- http://www.google.com/
Resolving www.google.com… 173.194.207.105, 173.194.207.147, 173.194.207.99, …
Connecting to www.google.com|173.194.207.105|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: unspecified [text/html]
Saving to: `index.html.1’
[ <=> ] 18,957 --.-K/s in 0.1s
2012-07-05 22:15:52 (157 KB/s) - `index.html.1’ saved [18957][/CODE]
But when I use wget to access the repository (https://nu.novell.com/repo/) it complains that the “Issued certificate not yet valid”:
genesco1:~ # wget https://nu.novell.com/repo/
--2012-07-05 22:12:32-- https://nu.novell.com/repo/
Resolving nu.novell.com... 93.184.215.212
Connecting to nu.novell.com|93.184.215.212|:443... connected.
ERROR: cannot verify nu.novell.com's certificate, issued by `/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3':
Issued certificate not yet valid.
To connect to nu.novell.com insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
…and when I disable the checking of SSL certificates, wget returns an HTTP status code of 404 (i.e., It receives that code from the nu.novell.com HTTP server):
genesco1:~ # wget --no-check-certificate https://nu.novell.com/repo/
--2012-07-05 22:13:04-- https://nu.novell.com/repo/
Resolving nu.novell.com... 93.184.215.212
Connecting to nu.novell.com|93.184.215.212|:443... connected.
WARNING: cannot verify nu.novell.com's certificate, issued by `/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3':
Issued certificate not yet valid.
HTTP request sent, awaiting response... 404 Not Found
2012-07-05 22:13:05 ERROR 404: Not Found.
…so I used OpenSSL to verify the certificate’s dates:
genesco1:~ # openssl x509 -in nu.novell.com.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
06:e0:b2:27:66:e3:3c:2e:df:9a:4a:80:6f:db:b0:31
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3
Validity
Not Before: Feb 19 00:00:00 2014 GMT
Not After : Dec 30 12:00:00 2016 GMT
This all leads me to the conclusion that there’s a problem with the repositories that zypper is configured to use. Do I need to modify the system’s repositories?