Wednesday, November 21, 2018

ULN-CA-CERT (SHA-2) Certificates to be Updated on October 9, 2018 (Doc ID 2454202.1)







Applies to:

Linux OS - Version Oracle Linux 5.0 and later
Oracle Linux Cloud Service
Linux x86-64
Linux x86
Linux Itanium
Linux ARM 64-bit

Description

Oracle is replacing Symantec-branded certificates with DigiCert-branded certificates across all of its infrastructure to prevent trust warnings from Chrome and Firefox.

Occurrence

Due to the nature of how Oracle Linux systems connect to Unbreakable Linux Network (ULN), this change requires that client certificates on all Oracle Linux systems receiving updates from ULN be updated. The change in server certificates on ULN will occur on October 9, 2018. After that time, Oracle Linux systems will only be able to connect to ULN with an updated client certificate.

Symptoms

You may encounter the following errors if the certificate is not updated:
The certificate /usr/share/rhn/ULN-CA-CERT is expired. Please ensure you
have the correct certificate and your system time is correct.
Or:
There was an SSL error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]
A common cause of this error is the system time being incorrect. Verify that the time on this system is correct.
Or:

# yum repolist

The SSL certificate failed verification.
You have new mail in /var/spool/mail/root 
Or:

# uln-yum-mirror

Traceback (most recent call last):
File "<string>", line 14, in <module>
AttributeError: 'Error' object has no attribute 'faultString'
...
File "/usr/share/rhn/up2date_client/rhnserver.py", line 68, in __call__
raise up2dateErrors.SSLCertificateVerifyFailedError()
up2date_client.up2dateErrors.SSLCertificateVerifyFailedError: The SSL certificate failed verification.

Workaround

Make sure the following package versions, or later, are installed on the system before October 9, 2018.
Oracle Linux 7
rhn-client-tools-2.0.2-21.0.9.el7.noarch.rpm
rhn-setup-2.0.2-21.0.9.el7.noarch.rpm
rhn-check-2.0.2-21.0.9.el7.noarch.rpm
rhn-setup-gnome-2.0.2-21.0.9.el7.noarch.rpm (if the older version of this package is installed)

Oracle Linux 6
rhn-setup-1.0.0.1-45.0.3.el6.noarch.rpm
rhn-client-tools-1.0.0.1-45.0.3.el6.noarch.rpm
rhn-check-1.0.0.1-45.0.3.el6.noarch.rpm
rhn-setup-gnome-1.0.0.1-45.0.3.el6.noarch.rpm (if the older version of this package is installed)

Oracle Linux 5
x86_64:
up2date-5.10.1-41.30.el5.x86_64.rpm
up2date-gnome-5.10.1-41.30.el5.x86_64.rpm (if the older version of this package is installed)
i386:
up2date-5.10.1-41.30.el5.i386.rpm
up2date-gnome-5.10.1-41.30.el5.i386.rpm (if the older version of this package is installed)
ia64:
up2date-5.10.1-41.30.el5.ia64.rpm
up2date-gnome-5.10.1-41.30.el5.ia64.rpm (if the older version of this package is installed)

After October 9, 2018, run the following steps to update the client SSL certificate on your Oracle Linux machine:

# cp /usr/share/rhn/ULN-CA-CERT /usr/share/rhn/ULN-CA-CERT.old
# wget https://linux-update.oracle.com/rpms/ULN-CA-CERT.sha2
# cp ULN-CA-CERT.sha2 /usr/share/rhn/ULN-CA-CERT
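
The steps above copy whatever wget returned straight into the trust anchor path. As an added example (not part of the Oracle note), the functions below check that the downloaded file contains parseable, unexpired PEM certificates, print each subject, expiry date and SHA-256 fingerprint for comparison, and only then back up and replace the file. The function names are hypothetical, and the code assumes a PEM file and an installed openssl.

```bash
#!/bin/bash
# Added example, not from the Oracle note. Function names are hypothetical.
# Assumes the downloaded file is PEM and that openssl and awk are installed.

# check_ca_file FILE: return 0 only if FILE holds at least one PEM certificate
# and every certificate in it parses and is not expired.
check_ca_file() {
    local file="$1" tmpdir pem count=0 rc=0
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 1; }
    tmpdir=$(mktemp -d) || return 1
    # Split a possible bundle into one file per certificate.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out { print > out }
        /-----END CERTIFICATE-----/ { if (out) close(out); out = "" }
    ' "$file"
    for pem in "$tmpdir"/cert*.pem; do
        [ -e "$pem" ] || break
        count=$((count + 1))
        # Print identifying fields so the operator can compare the fingerprint
        # with one obtained from the vendor over a separate channel.
        if ! openssl x509 -in "$pem" -noout -subject -enddate -fingerprint -sha256; then
            echo "certificate #$count in $file does not parse" >&2; rc=1
        elif ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
            echo "certificate #$count in $file is expired" >&2; rc=1
        fi
    done
    rm -rf "$tmpdir"
    [ "$count" -gt 0 ] || { echo "no PEM certificate in $file" >&2; return 1; }
    return "$rc"
}

# install_ca_file NEW DEST: keep DEST as DEST.old, replace it only if NEW validates.
install_ca_file() {
    local new="$1" dest="$2"
    check_ca_file "$new" || { echo "refusing to install $new" >&2; return 1; }
    if [ -e "$dest" ]; then cp -p "$dest" "$dest.old" || return 1; fi
    cp "$new" "$dest"
}

# Usage with the paths from the steps above (run as root):
#   install_ca_file ULN-CA-CERT.sha2 /usr/share/rhn/ULN-CA-CERT
```

A truncated download or an HTML error page saved under the certificate's name fails the check, so the existing file is left in place.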

Reference: Unbreakable Linux Network - FAQ
