Update problem on old napp-it 151026 cause of "Framework error: code: E_SSL_CACERT"

[MaddinK]

Hallo all,

i have an old instance of napp-it that I finally wanted to update, but it wont let me do it.
I checked my valid update path ist r151030, so:

root@napp-it-026:/etc# pkg set-publisher -r -O OmniOS r151030 core omnios
pkg set-publisher: Could not refresh the catalog for omnios

Unable to contact valid package repository
Encountered the following error(s):
Unable to contact any configured publishers.
This is likely a network configuration problem.
Framework error: code: E_SSL_CACERT (60) reason: SSL certificate problem: certificate has expired
URL: 'OmniOS r151030 core' (happened 2 times)

and yes the date and time are absolutely correct.
For me it looks like omnios is missing an update of the root-CAs from letsencrypt.

I tested the following:

root@napp-it-026:/etc# wget IPS Repositories
--2022-01-31 17:09:51-- IPS Repositories
Resolving pkg.omnios.org... 129.132.2.8, 2001:67c:10ec:2941::28
Connecting to pkg.omnios.org|129.132.2.8|:443... connected.
ERROR: cannot verify pkg.omnios.org's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
Issued certificate has expired.
To connect to pkg.omnios.org insecurely, use `--no-check-certificate'.

Obivously it is not an issue of the webserver itself.
It is a problem of missing root Certs from Lets-Encrypt in the CA-store of omnios and I am sure newer omnios releases dont have this problem .

So my dumb question is:
How to update the certstore or get omnios to accept without certchecking for an update?

I tried:
root@napp-it-026:/etc# pkg set-property signature-policy ignore
with no different result.


Any help woul be very nice...

Kind regards

 

[gea]

maybe
pkg set-publisher -P --set-property signature-policy=verify -g OmniOS r151030 core omnios

Between 026 and 028 was a move from SunSSH to OpenSSH. I have had also problems with this update in the past. Maybe you export the pool, install OmniOS current 040 and import the pool.

For settings, save/restore /var/web-gui/_log/* and users with same uid/gid

http://www.napp-it.org/doc/downloads/setup_napp-it_os.pdf

 

[g0dM@n]

I too am having this problem and no idea how to resolve just yet. It's got to be the trusted/root cert store not having lets encrypt available for it to check against.

If I could somehow figure out how to adjust its cert store, I bet you we get around this issue.

The other option I'm trying to figure out is if there is a way I could manually download the update file, use WinSCP to throw it on my omnios VM, and then update from a local file. This is driving me nuts.

*EDIT*
I see a method to update the cert from their site, but it's outdated!! It's referencing omniosce... go here and check all the way at the bottom:

Upgrading OmniOS

illumos based server OS with ZFS, DTrace, Crossbow, SMF, Bhyve, KVM and Linux zone support

omnios.org

I think if we can get the right PEM file and a couple of commands we may be golden. I've put hours into this... not giving up just yet.

 

[gea]

"If upgrading from OmniTI OmniOS first install the OmniOS CA certificate:"
This means this step was needed several years back in the move from OmniOS 151022 lts (commercial, OmniTi) to OmniOS 151022 lts (OmniOS community edition).

I would suggest for all with a very old and now unsupported OmniOS < 151030: Just install current OmniOS lts or stable, import the pool and recreate the needed local users. Within 20 min you are up again with a OmniOS version under support.