[opensuse-autoinstall] install source on https
Hi list, I'm trying to install SLES11SP1 via https but get errors complaining about self signed certificate in y2log: verify certificate failed. I'm wondering if the install routine should be able to verify any certificate. How can I inform the installer to accept any certificate? Thanks, Jochen -- To unsubscribe, e-mail: opensuse-autoinstall+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-autoinstall+help@opensuse.org
on Tuesday 19 July 2011 Jochen Schaefer wrote:
I'm trying to install SLES11SP1 via https but get errors complaining about self signed certificate in y2log: verify certificate failed. I'm wondering if the install routine should be able to verify any certificate. How can I inform the installer to accept any certificate?
the installation failed because of an invalid certificate? Actually I set the curllib to: curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L); that should accept self signed certificates. -- ciao, Uwe Gansert Uwe Gansert SUSE LINUX Products GmbH, HRB 16746 (AG Nürnberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer Home: http://www.suse.de/~ug - Blog: http://suse.gansert.net listening to: "Destiny [egoist remix]" by Controlled Collapse -- To unsubscribe, e-mail: opensuse-autoinstall+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-autoinstall+help@opensuse.org
Hm, the profile is loaded via https which can be seen in apache2 ssl_request_log. But for installation source /var/log/YaST/y2log shows error 1409086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Thanks, Jochen
Uwe Gansert <ug@suse.de> schrieb am 7/19/2011 um 11.55 Uhr in Nachricht <201107191155.02324.ug@suse.de>: on Tuesday 19 July 2011 Jochen Schaefer wrote:
I'm trying to install SLES11SP1 via https but get errors complaining about self signed certificate in y2log: verify certificate failed. I'm wondering if the install routine should be able to verify any certificate. How can I inform the installer to accept any certificate?
the installation failed because of an invalid certificate? Actually I set the curllib to:
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
that should accept self signed certificates.
-- To unsubscribe, e-mail: opensuse-autoinstall+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-autoinstall+help@opensuse.org
on Tuesday 19 July 2011 Jochen Schaefer wrote:
Hm, the profile is loaded via https which can be seen in apache2 ssl_request_log. But for installation source /var/log/YaST/y2log shows error 1409086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
oh, I see. You are trying to install via HTTPS. I was thinking you only want to read the XML file. Installation about https I never tried and I'd have to check the zypp backend how it handles certificates but it looks like it does not accept self signed certificates. You'd have to manipulate the initrd or the inst-sys via driverupdate and put your CA into /etc/ssl/certs Then it should work. -- ciao, Uwe Gansert Uwe Gansert SUSE LINUX Products GmbH, HRB 16746 (AG Nürnberg) GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer Home: http://www.suse.de/~ug - Blog: http://suse.gansert.net listening to: "Fading Light" by In Strict Confidence -- To unsubscribe, e-mail: opensuse-autoinstall+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-autoinstall+help@opensuse.org
Hi Uwe, this approach looks promising. I will test it. Thanks, Jochen
Uwe Gansert <ug@suse.de> schrieb am 7/19/2011 um 13.17 Uhr in Nachricht <201107191317.59770.ug@suse.de>: on Tuesday 19 July 2011 Jochen Schaefer wrote:
Hm, the profile is loaded via https which can be seen in apache2 ssl_request_log. But for installation source /var/log/YaST/y2log shows error 1409086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
oh, I see. You are trying to install via HTTPS. I was thinking you only want
to read the XML file. Installation about https I never tried and I'd have to check the zypp backend how it handles certificates but it looks like it does not accept self signed
certificates. You'd have to manipulate the initrd or the inst-sys via driverupdate and put your CA into /etc/ssl/certs Then it should work.
-- To unsubscribe, e-mail: opensuse-autoinstall+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-autoinstall+help@opensuse.org
Hi Uwe, a few comments to installations via https: First it is not an easy going like most times :-). To configure addon installation sources for https transport following steps are necessary: 1. unpack your initrd somewhere 2. copy your ca certificate in pem format into <unpacked_initrd_path>/etc/ssl/certs 2. call c_rehash <unpacked initrd_path>/etc/ssl/certs 3. create <unpacked_initrd_path>/root/.curlrc with following content: --capath = /etc/ssl/certs/ 4. pack your initrd 5. copy your initrd into your installation source Unfortunately above procedure is only working with add_on products. If you specify the main installation source via https you get a non working netsetup. I included netsetup=1, ssh=1 and other parameters. But I have not been asked for any network parameter. I even tried to specify all parameters at boot prompt like netmask, hostip, gateway but it did not work either. I always end with a message: "could not find the SuSE Linux Enterprise Server 11 Repository ..." There seems to be some routine which bypasses the whole netsetup when installation source is specified with HTTPS. When I change it to HTTP everything works like expected. And I get the add_on_product HTTPS. Any clue how to solve the problem with the installation source? Thanks, Jochen
Uwe Gansert <ug@suse.de> schrieb am 7/19/2011 um 13.17 Uhr in Nachricht <201107191317.59770.ug@suse.de>: on Tuesday 19 July 2011 Jochen Schaefer wrote:
Hm, the profile is loaded via https which can be seen in apache2 ssl_request_log. But for installation source /var/log/YaST/y2log shows error 1409086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
oh, I see. You are trying to install via HTTPS. I was thinking you only want
to read the XML file. Installation about https I never tried and I'd have to check the zypp backend how it handles certificates but it looks like it does not accept self signed
certificates. You'd have to manipulate the initrd or the inst-sys via driverupdate and put your CA into /etc/ssl/certs Then it should work.
-- To unsubscribe, e-mail: opensuse-autoinstall+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-autoinstall+help@opensuse.org
On Tue, 19 Jul 2011, Jochen Schaefer wrote:
There seems to be some routine which bypasses the whole netsetup when installation source is specified with HTTPS.
When I change it to HTTP everything works like expected. And I get the add_on_product HTTPS.
Any clue how to solve the problem with the installation source?
It's not implemented. Steffen -- Give orange me give eat orange me eat orange give me eat orange give me you. (chimp Nim, using sign language) -- To unsubscribe, e-mail: opensuse-autoinstall+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-autoinstall+help@opensuse.org
participants (3)
-
Jochen Schaefer
-
Steffen Winterfeldt
-
Uwe Gansert