[OmniOS-discuss] failure in set-publisher for a zone to the new omniosce repository

Paul Jochum paul.jochum at nokia.com
Fri Aug 25 14:37:05 UTC 2017


Hi Andy:

For both the host and the zone, the trust-anchor-directory returns 
etc/ssl/pkg

 From the host:

# pkg property trust-anchor-directory
PROPERTY               VALUE
trust-anchor-directory etc/ssl/pkg

# pkg -R /rpool/zones/lss-ganglia02/root property trust-anchor-directory
PROPERTY               VALUE
trust-anchor-directory etc/ssl/pkg

# pkg -R /rpool/zones/lss-ganglia02/root property
PROPERTY                       VALUE
be-policy                      default
ca-path                        /etc/openssl/certs
check-certificate-revocation   False
content-update-policy          default
dehydrated                     []
flush-content-cache-on-success True
mirror-discovery               False
preferred-authority
publisher-search-order         []
send-uuid                      True
signature-policy               verify
signature-required-names       []
trust-anchor-directory         etc/ssl/pkg
use-system-repo                False


Paul

On 08/25/2017 08:47 AM, Andy Fiddaman wrote:
> What is the trust-anchor-directory property set to on the image root?
>
> % pkg property trust-anchor-directory
> PROPERTY               VALUE
> trust-anchor-directory etc/ssl/pkg
>
> (or pkg -R /rpool/zones/lss-ganglia02/root property)
>
> Andy
>
> On Fri, 25 Aug 2017, Paul Jochum wrote:
>
> ; Hi John and Andy:
> ;
> ;     I tried it from the host, and received the same error message (output
> ; below).  I know the host has internet connectivity, since I was able to use
> ; nearly the same command (without the -R option of the zone name/path), to set
> ; the publisher on the host.  In the example below, the wget command copies the
> ; new cert to *.pem.1, (since I had previously used wget to set-publisher on the
> ; host), and that file is identical to the omniosce-ca.cert.pem file I used to
> ; set-publisher on the host.
> ;
> ; # zoneadm list -cv
> ;   ID NAME             STATUS     PATH BRAND    IP
> ;    0 global           running    / ipkg     shared
> ;    1 lss-ganglia02    running    /rpool/zones/lss-ganglia02 lipkg    shared
> ; # zoneadm -z lss-ganglia02 halt
> ; # zoneadm -z lss-ganglia02 detach
> ; # /usr/bin/wget -P /etc/ssl/pkg
> ; https://downloads.omniosce.org/ssl/omniosce-ca.cert.pem
> ; --2017-08-25 08:19:59--
> ; https://downloads.omniosce.org/ssl/omniosce-ca.cert.pem
> ; <proxy info removed>
> ; Length: 2175 (2.1K) [application/x-x509-ca-cert]
> ; Saving to: '/etc/ssl/pkg/omniosce-ca.cert.pem.1'
> ;
> ; omniosce-ca.cert.pe 100%[===================>]   2.12K --.-KB/s    in 0s
> ;
> ; 2017-08-25 08:20:00 (209 MB/s) - '/etc/ssl/pkg/omniosce-ca.cert.pem.1' saved
> ; [2175/2175]
> ;
> ; # /usr/bin/pkg -R /rpool/zones/lss-ganglia02/root set-publisher -P -g
> ; https://pkg.omniosce.org/r151022/core/ omnios
> ; pkg set-publisher: The origin URIs for 'omnios' do not appear to point to a
> ; valid pkg repository.
> ; Please verify the repository's location and the client's network
> ; configuration.
> ; Additional details:
> ;
> ; Unable to contact valid package repository
> ; Encountered the following error(s):
> ; Unable to contact any configured publishers.
> ; This is likely a network configuration problem.
> ; Unable to locate a CA directory: /etc/openssl/certs
> ; Secure connection is not available.
> ;
> ; Thanks,
> ; Paul
> ;
> ; On 08/24/2017 07:03 PM, John D Groenveld wrote:
> ; > In message <dd328391-ede4-e22d-3f9e-2a1e9ad649ea at nokia.com>, Paul Jochum
> ; > writes
> ; > :
> ; > > configuration.
> ; > > Additional details:
> ; > >
> ; > > Unable to contact valid package repository
> ; > > Encountered the following error(s):
> ; > > Unable to contact any configured publishers.
> ; > > This is likely a network configuration problem.
> ; > > Unable to locate a CA directory: /etc/openssl/certs
> ; > > Secure connection is not available.
> ; > >
> ; > > This worked fine on the host of that zone, and on other zones (located
> ; > > on other hosts, but all at the same level of software). Any suggestions
> ; > > on how to fix this?  (And I checked, there is no /etc/openssl directory
> ; > > on this or any of my other omnios machines, but there is the
> ; > > /etc/ssl/certs directory and it looks very similar to other
> ; > > /etc/ssl/certs on machine which did not have a problem updating the
> ; > > publisher)
> ; > Shot in the dark assuming lipkg brand zone:
> ; > # zoneadm -z $zone halt
> ; > # zoneadm -z $zone detach
> ; > # /usr/bin/wget -P $zonepath/root/etc/ssl/pkg \
> ; > https://downloads.omniosce.org/ssl/omniosce-ca.cert.pem
> ; > # pkg -R $zonepath/root set-publisher -P \
> ; > -g https://pkg.omniosce.org/r151022/core/ omnios
> ; > # zoneadm -z $zone attach -U
> ; >
> ; > John
> ; > groenveld at acm.org
> ; > _______________________________________________
> ; > OmniOS-discuss mailing list
> ; > OmniOS-discuss at lists.omniti.com
> ; > http://lists.omniti.com/mailman/listinfo/omnios-discuss
> ;
> ; _______________________________________________
> ; OmniOS-discuss mailing list
> ; OmniOS-discuss at lists.omniti.com
> ; http://lists.omniti.com/mailman/listinfo/omnios-discuss
> ;



More information about the OmniOS-discuss mailing list