Update problem on old napp-it 151026 cause of "Framework error: code: E_SSL_CACERT"

MaddinK

New Member
May 16, 2018
7
0
1
56
Hallo all,

i have an old instance of napp-it that I finally wanted to update, but it wont let me do it.
I checked my valid update path ist r151030, so:

root@napp-it-026:/etc# pkg set-publisher -r -O OmniOS r151030 core omnios
pkg set-publisher: Could not refresh the catalog for omnios

Unable to contact valid package repository
Encountered the following error(s):
Unable to contact any configured publishers.
This is likely a network configuration problem.
Framework error: code: E_SSL_CACERT (60) reason: SSL certificate problem: certificate has expired
URL: 'OmniOS r151030 core' (happened 2 times)

and yes the date and time are absolutely correct.
For me it looks like omnios is missing an update of the root-CAs from letsencrypt.

I tested the following:

root@napp-it-026:/etc# wget IPS Repositories
--2022-01-31 17:09:51-- IPS Repositories
Resolving pkg.omnios.org... 129.132.2.8, 2001:67c:10ec:2941::28
Connecting to pkg.omnios.org|129.132.2.8|:443... connected.
ERROR: cannot verify pkg.omnios.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
Issued certificate has expired.
To connect to pkg.omnios.org insecurely, use `--no-check-certificate'.

Obivously it is not an issue of the webserver itself.
It is a problem of missing root Certs from Lets-Encrypt in the CA-store of omnios and I am sure newer omnios releases dont have this problem .

So my dumb question is:
How to update the certstore or get omnios to accept without certchecking for an update?

I tried:
root@napp-it-026:/etc# pkg set-property signature-policy ignore
with no different result.


Any help woul be very nice...

Kind regards
 

g0dM@n

New Member
Feb 12, 2022
21
0
1
I too am having this problem and no idea how to resolve just yet. It's got to be the trusted/root cert store not having lets encrypt available for it to check against.

If I could somehow figure out how to adjust its cert store, I bet you we get around this issue.

The other option I'm trying to figure out is if there is a way I could manually download the update file, use WinSCP to throw it on my omnios VM, and then update from a local file. This is driving me nuts. :D

*EDIT*
I see a method to update the cert from their site, but it's outdated!! It's referencing omniosce... go here and check all the way at the bottom:
I think if we can get the right PEM file and a couple of commands we may be golden. I've put hours into this... not giving up just yet.
 
Last edited:

gea

Well-Known Member
Dec 31, 2010
2,809
970
113
DE
"If upgrading from OmniTI OmniOS first install the OmniOS CA certificate:"
This means this step was needed several years back in the move from OmniOS 151022 lts (commercial, OmniTi) to OmniOS 151022 lts (OmniOS community edition).

I would suggest for all with a very old and now unsupported OmniOS < 151030: Just install current OmniOS lts or stable, import the pool and recreate the needed local users. Within 20 min you are up again with a OmniOS version under support.