12 Aug 2022 09:57
Hello Julio and Victor

The curl command says the certificate is OK, but zypper doesn't work.
I then removed the whole domain opensuse.org from the firewall TLS/SSL
Inspection (not only download.opensuse.org) - and after that, it has
worked with zypper also.

It's ok for me.

Best regards and many thanks for the help

Martin

On 12.08.22 at 10:22, Julio Gonzalez via Uyuni Users wrote:
> Or try with curl -k -v to inspect the output.
>
> -k forces the connection even if the SSL certification fails.
>
> On Thursday, 11 August 2022 17:52:56 (CEST), Victor Zhestkov via Uyuni
> Users wrote:
>> Martin, could you please check the output of the following command
>> also:
>>
>> echo | openssl s_client -connect download.opensuse.org:443
>>
>> Victor
>>
>> On Thu, 2022-08-11 at 17:50 +0200, Martin via Uyuni Users wrote:
>>
>>> Hello Julio
>>>
>>> uyuni:~ # curl -v https://download.opensuse.org/repositories/systemsmanagement:/Uyuni:/Stable/images/repo/Uyuni-Server-POOL-x86_64-Media1/repodata/repomd.xml
>>> *   Trying 195.135.221.134:443...
>>> * Connected to download.opensuse.org (195.135.221.134) port 443 (#0)
>>> * ALPN, offering h2
>>> * ALPN, offering http/1.1
>>> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
>>> * TLSv1.3 (IN), TLS handshake, Server hello (2):
>>> * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
>>> * TLSv1.3 (IN), TLS handshake, Certificate (11):
>>> * TLSv1.3 (OUT), TLS alert, unknown CA (560):
>>> * SSL certificate problem: unable to get local issuer certificate
>>> * Closing connection 0
>>> curl: (60) SSL certificate problem: unable to get local issuer certificate
>>> More details here: https://curl.se/docs/sslcerts.html
>>>
>>> curl failed to verify the legitimacy of the server and therefore could not
>>> establish a secure connection to it. To learn more about this situation and
>>> how to fix it, please visit the web page mentioned above.
>>>
>>> There seems to be an issue with the CA.
>>>
>>> I changed the Repository URL from https to http - now it works.
>
> Yes, that works but now your connection is not encrypted, so I'd strongly
> recommend you debug why you are having the issue.
>
> Besides the next major upgrade for Uyuni, next year, will restore the repos
> to https.
>
>>> Thank you
>>>
>>> Martin
>>>
>>> On 11.08.22 at 13:35, Julio Gonzalez via Uyuni Users wrote:
>>>
>>>> On Thursday, 11 August 2022 13:20:28 (CEST), Martin via Uyuni Users
>>>> wrote:
>>>>
>>>>> Hello all
>>>>>
>>>>> I can't connect to uyuni-stable repo:
>>>>>
>>>>> uyuni:~ # zypper ref -s
>>>>> All services have been refreshed.
>>>>> Repository 'Update repository of openSUSE Backports' is up to date.
>>>>> Repository 'Non-OSS Repository' is up to date.
>>>>> Repository 'Haupt-Repository' is up to date.
>>>>> Repository 'Update repository with updates from SUSE Linux Enterprise 15' is up to date.
>>>>> Repository 'Hauptaktualisierungs-Repository' is up to date.
>>>>> Repository 'Aktualisierungs-Repository (Nicht-Open-Source-Software)' is up to date.
>>>>> Retrieving repository 'uyuni-server-stable' metadata ..................................................................................................[error]
>>>>> Repository 'uyuni-server-stable' is invalid.
>>>>> [uyuni-server-stable|https://download.opensuse.org/repositories/systemsmanagement:/Uyuni:/Stable/images/repo/Uyuni-Server-POOL-x86_64-Media1/] Valid metadata not found at specified URL
>>>>> History:
>>>>>  - [|] Error trying to read from 'https://download.opensuse.org/repositories/systemsmanagement:/Uyuni:/Stable/images/repo/Uyuni-Server-POOL-x86_64-Media1/'
>>>>>  - Download (curl) error for 'https://download.opensuse.org/repositories/systemsmanagement:/Uyuni:/Stable/images/repo/Uyuni-Server-POOL-x86_64-Media1/content':
>>>>> Error code: Curl error 60
>>>>> Error message: SSL certificate problem: unable to get local issuer certificate
>>>>>
>>>>> Please check if the URIs defined for this repository are pointing to a
>>>>> valid repository.
>>>>> Skipping repository 'uyuni-server-stable' because of the above error.
>>>>> Some of the repositories have not been refreshed because of an error.
>>>>
>>>> curl -v https://download.opensuse.org/repositories/systemsmanagement:/Uyuni:/Stable/images/repo/Uyuni-Server-POOL-x86_64-Media1/repodata/repomd.xml
>>>>
>>>> and inspect the output
>>>>
>>>> The repomd.xml doesn't get you redirected to a mirror, and works fine
>>>> from here. But curl will give you more info about what's wrong.
>>>>
>>>> In my case I see:
>>>>
>>>> Server certificate:
>>>> *  subject: CN=opensuse.org
>>>> *  start date: Jul 12 00:12:58 2022 GMT
>>>> *  expire date: Oct 10 00:12:57 2022 GMT
>>>> *  subjectAltName: host "download.opensuse.org" matched cert's "*.opensuse.org"
>>>> *  issuer: C=US; O=Let's Encrypt; CN=R3
>>>> *  SSL certificate verify ok.
>>>>
>>>>> Two additional questions
>>>>>
>>>>> What do I have to do if the Uyuni server IP has changed?
>>>>
>>>> AFAIK, as long as you keep the same hostname, you don't need to do
>>>> anything.
>>>>
>>>> If you also changed the hostname:
>>>> https://www.uyuni-project.org/uyuni-docs/en/uyuni/administration/troubleshooting/tshoot-hostname-rename.html
>>>>
>>>>> What do I have to do if the IP of a Uyuni managed client has changed?
>>>>
>>>> AFAIK, if you onboarded using the client's hostname (recommended),
>>>> nothing particular. At some point a refresh will happen and you will see
>>>> the new IPs at the UI.
>>>>
>>>> But if you onboarded using the IP of the clients, then I think (but I am
>>>> not sure), that you need to use reactivation keys.
>>>>
>>>> https://www.uyuni-project.org/uyuni-docs/en/uyuni/client-configuration/activation-keys.html#_reactivation_keys
>>>>
>>>>> We move our servers to a new IP range.
>>>>
>>>> As long as you are using hostnames in all cases, changing IPs should not
>>>> really be an issue
>>>>
>>>>> Best regards
>>>>>
>>>>> Martin
>>>>>
>>>>> On 10.08.22 at 13:07, Julio Gonzalez via Uyuni Users wrote:
>>>>>
>>>>>> VERY IMPORTANT: 2022.08 requires special procedures if you are not
>>>>>> already using Uyuni 2022.06! The configuration files for the proxy on
>>>>>> containers also need to be updated. Make sure you read the release
>>>>>> notes before updating!
>>>>>>
>>>>>> We are happy to announce the availability of Uyuni 2022.08.
>>>>>> Most openSUSE mirrors should already have 2022.08, but if you do not
>>>>>> see it yet, wait a few hours until your local openSUSE mirror is synced.
>>>>>>
>>>>>> At https://www.uyuni-project.org/pages/stable-version.html you will
>>>>>> find all the resources you need to start working with Uyuni 2022.08,
>>>>>> including the release notes, documentation, requirements and setup
>>>>>> instructions.
>>>>>>
>>>>>> This is the list of highlights for this release:
>>>>>>
>>>>>> - Ubuntu 22.04 as client
>>>>>> - GPG key handling in Uyuni
>>>>>> - Disabling locally defined repositories
>>>>>> - Technology Preview: Helm chart to deploy containerized Uyuni Proxy
>>>>>>   and Retail Branch Server
>>>>>>
>>>>>> Remember that Uyuni will follow a rolling release planning, so the next
>>>>>> version will contain bugfixes for this one and any new features. There
>>>>>> will be no maintenance of 2022.08.
>>>>>>
>>>>>> As always, we hope you will enjoy Uyuni 2022.08 and we invite every one
>>>>>> of you to send us your feedback [1] and of course your patches, if you
>>>>>> can contribute.
>>>>>>
>>>>>> Happy hacking!
>>>>>>
>>>>>> [1] https://www.uyuni-project.org/pages/contact.html
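The triage this thread converges on, as an added example that is not part of the original messages: it classifies the output of the `openssl s_client` command Victor asked for by certificate issuer and verify code, which separates a certificate re-signed on the path (as with firewall TLS/SSL inspection) from a local CA bundle problem. The expected issuer string is taken from the curl output Julio quoted; both transcripts are constructed, and "Example Firewall CA" is a hypothetical inspection CA name.

```bash
#!/bin/sh
# Added example: triage `openssl s_client` output for a repository host.
# Assumptions: EXPECTED_ISSUER is the issuer shown in the curl output quoted
# in the thread; both transcripts are constructed; "Example Firewall CA" is a
# hypothetical inspection CA name.
EXPECTED_ISSUER="Let's Encrypt"

# Reads s_client output on stdin, prints "<verdict> issuer=<dn> verify=<code>".
# The body is a subshell so its variables stay local.
classify_s_client() (
    issuer="" code=""
    while IFS= read -r line; do
        case "$line" in
            issuer=*)
                if [ -z "$issuer" ]; then issuer=${line#issuer=}; fi ;;
            *"Verify return code: "*)
                if [ -z "$code" ]; then
                    code=${line##*"Verify return code: "}
                    code=${code%% *}      # keep the number, drop "(reason)"
                fi ;;
        esac
    done
    if [ -z "$issuer" ]; then
        verdict="no-certificate"          # no server certificate was printed
    else
        case "$issuer" in
            *"$EXPECTED_ISSUER"*)
                # Expected CA: a non-zero code points at the local CA bundle.
                if [ "$code" = "0" ]; then verdict="ok"
                else verdict="local-trust-store"; fi ;;
            *)  # Another CA signed the certificate seen from this network.
                verdict="unexpected-issuer" ;;
        esac
    fi
    printf '%s issuer=%s verify=%s\n' "$verdict" "$issuer" "${code:-none}"
)

# Constructed transcript: direct connection to the mirror.
sample_direct() { cat <<'EOF'
subject=CN = opensuse.org
issuer=C = US, O = Let's Encrypt, CN = R3
    Verify return code: 0 (ok)
EOF
}

# Constructed transcript: the same host seen through a TLS-inspecting firewall.
sample_inspected() { cat <<'EOF'
subject=CN = opensuse.org
issuer=O = Example Corp, CN = Example Firewall CA
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

sample_direct | classify_s_client
sample_inspected | classify_s_client
```

On a live host the input would be `echo | openssl s_client -connect download.opensuse.org:443 2>/dev/null | classify_s_client`; an `unexpected-issuer` verdict with verify code 0 means the inspection CA is already in the local trust store.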