[pca] FW: Pardon my question
Nishimura, Scott L (IT Solutions)
scott.nishimura at ngc.com
Wed Dec 8 01:56:04 CET 2010
I should back up: are you using a $HOME/.wgetrc file? Mine contains
use_proxy=on
http_proxy=my_proxy_name
proxy-user=username
proxy-passwd=password
check-certificate=off
Note that "proxy-user"/"proxy-password" is a different pair of
credentials than the MOS one you supply in the command line. The former
validate me to my internal proxy [maybe you don't have one?] while the
latter are for Oracle.
-----Original Message-----
From: pca-bounces at lists.univie.ac.at
[mailto:pca-bounces at lists.univie.ac.at] On Behalf Of Nishimura, Scott L
(IT Solutions)
Sent: Tuesday, December 07, 2010 4:50 PM
To: PCA (Patch Check Advanced) Discussion
Subject: EXTERNAL:Re: [pca] FW: Pardon my question
Neither.
check-certificate=off
should go in the $HOME/.wgetrc file as it is a PCA option. It passes
that option to wget where it gets turned into the
"--no-check-certificate" option.
If you do a "wget -help", it should show a "--no-check-certificate"
option, which tells you you're using a reasonably up-to-date version.
The fact that you did that and it did NOT show "--no-check-certificate"
led me to believe you were using an old version of wget.
But you are using a somewhat old version of PCA [I'm using 20101119-01].
Martin updated PCA fairly recently to accommodate the new Oracle
methodology.
http://www.par.univie.ac.at/solaris/pca/news.html
-----Original Message-----
From: pca-bounces at lists.univie.ac.at
[mailto:pca-bounces at lists.univie.ac.at] On Behalf Of Jones, Eric CIV SRF
1236
Sent: Tuesday, December 07, 2010 4:41 PM
To: PCA (Patch Check Advanced) Discussion
Subject: EXTERNAL:Re: [pca] FW: Pardon my question
I'm up to date with pca 200909, wget 1.12, openssl-1.0.0.b, libgcc and
gcc.
So the --no-check-certificate should go in the wgetrc file or and in
line
addition to the pca call?
Eric R. Jones
SRF JRMC
C1236
DSN 315-243-4196
STICK \'stik\ n. 1: A boomerang that doesn't work.
-----Original Message-----
From: pca-bounces at lists.univie.ac.at
[mailto:pca-bounces at lists.univie.ac.at]
On Behalf Of Nishimura, Scott L (IT Solutions)
Sent: Wednesday, December 08, 2010 9:17 AM
To: PCA (Patch Check Advanced) Discussion
Subject: Re: [pca] FW: Pardon my question
I'm not sure what the minimum version of wget is; I had to upgrade from
1.10
to 1.12 over the summer because the https stuff wasn't working anymore.
If
you add the "--debug" string to your command, it will tell you which
wget
it's using and what version it is.
Anyhoo, with v1.12, "--no-check-certificate" is an option:
# /usr/sfw/bin/wget -help | grep certi
--no-check-certificate don't validate the server's certificate.
--certificate=FILE client certificate file.
--certificate-type=TYPE client certificate type, PEM or DER.
--ca-certificate=FILE file with the bundle of CA's.
In order to upgrade, I went to www.sunfreeware.com and also had to first
upgrade/install other stuff:
openssl-1.0.0
libiconv
libidn
libintl
/usr/local/lib/libgcc_s.so.1 and /usr/local/lib/libstdc++.so.6 need to
exist
by installing libgcc-3.4.6 or gcc-3.4.6.
I chose gcc.
-----Original Message-----
From: pca-bounces at lists.univie.ac.at
[mailto:pca-bounces at lists.univie.ac.at] On Behalf Of Nishimura, Scott L
(IT
Solutions)
Sent: Tuesday, December 07, 2010 4:11 PM
To: PCA (Patch Check Advanced) Discussion
Subject: EXTERNAL:Re: [pca] FW: Pardon my question
I have the line
check-certificate=off
in my $HOME/.wgetrc
-----Original Message-----
From: pca-bounces at lists.univie.ac.at
[mailto:pca-bounces at lists.univie.ac.at] On Behalf Of Jones, Eric CIV SRF
1236
Sent: Tuesday, December 07, 2010 4:08 PM
To: PCA (Patch Check Advanced) Discussion
Subject: EXTERNAL:Re: [pca] FW: Pardon my question
I put --sshost and debug after the call to wget but before the external
file
reference.
At the start of the output I get the same information that appears in my
pcapatchlog file until the end where I get this:
"Patchadd is terminating.
/usr/local/bin/wget --progress=dot:binary
"https://getupdates.oracle.com/pdownload.do?target=144560-02&method=h"
-O //./144560-02.tmp
--2010-12-08 08:31:06--
https://getupdates.oracle.com/pdownload.do?target=144560-02&method=h
Resolving getupdates.oracle.com (getupdates.oracle.com)... 192.18.110.9
Connecting to getupdates.oracle.com
(getupdates.oracle.com)|192.18.110.9|:443... connected.
ERROR: cannot verify getupdates.oracle.com's certificate, issued by
`/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International
Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY
LTD.(c)97 VeriSign':
Unable to locally verify the issuer's authority.
To connect to getupdates.oracle.com insecurely, use
`--no-check-certificate'.
patchxdir: /tmp/pca.334655"
At first look in my log file it appears that the 2 files in question
relate
to an application that is already installed and patched so that's why it
gets rejected. Simple enough to test on other servers; However, the
pasted
part above leads me to believe there is some type of connection error
due to
certificates. I placed the --no-check-certificate line but all I get is
an
error related to "-n".
I checked pca -V and no such option of --no-check-certificate exists and
it's not in wget -help either.
I tried this on two other servers, one X86 based and the returns were
the
same for both but different from the first. I'm not getting the
certificate
error but it's not still erroring out.
"Downloading xref file to /var/tmp/patchdiag.xref Trying
https://getupdates.oracle.com/ (1/1) Failed (Unknown Error) Failed
(patchdiag.xref not found) Using /var/tmp/patchdiag.xref from Dec/03/10
Host: yuni21 (SunOS 5.10/Generic_144488-04/sparc/sun4u)
List: missing (0/0)"
Here is my modified script.
/usr/local/bin/pca -i -V --sshost=getupdates.oracle.com
--user=eric.jones at srf.navy.mil --passwd=4004brl275
--wget=/usr/local/bin/wget >> /var/sadm/patch/pcapatchlog
Eric R. Jones
SRF JRMC
C1236
DSN 315-243-4196
STICK \'stik\ n. 1: A boomerang that doesn't work.
-----Original Message-----
From: pca-bounces at lists.univie.ac.at
[mailto:pca-bounces at lists.univie.ac.at] On Behalf Of Nishimura, Scott L
(IT
Solutions)
Sent: Wednesday, December 08, 2010 8:07 AM
To: PCA (Patch Check Advanced) Discussion
Subject: Re: [pca] FW: Pardon my question
Eric,
It took me a while to get my setup working. I kept running into
Resolving proxy_name... proxy_IP
Connecting to proxy_name|proxy_IP|:80... connected.
Proxy request sent, awaiting response... 503 Service Unavailable
2010-11-29 16:33:09 ERROR 503: Service Unavailable.
I finally figured out that if I added --sshost=getupdates.oracle.com to
my
command string, it worked. "sshost" means "Sunsolve Host"; nothing to
do
with "ssh" as I first thought.
I also include --wgetproxy in my command string although I guess I'm
being
redundant since I have it in $HOME/.wgetrc as well.
What kind of output do you get if you include "--debug"?
Scott
-----Original Message-----
From: pca-bounces at lists.univie.ac.at
[mailto:pca-bounces at lists.univie.ac.at] On Behalf Of Jones, Eric CIV SRF
1236
Sent: Tuesday, December 07, 2010 2:55 PM
To: PCA (Patch Check Advanced) Discussion
Subject: EXTERNAL:Re: [pca] FW: Pardon my question
Yes, I have had a My Oracle Support account for some time so that wasn't
an
issue.
I have switched my login in pca to my oracle account username and
password.
I made script to call pca and pass the relevant information to it and
wget.
"
#!/bin/sh
#
# Script to run the patch tool
#
/usr/local/bin/pca -i --user=fname.lname@^$^$$.#$# --passwd=@#$@$@$@#$@#
--wget =/usr/local/bin/wget >> /var/sadm/patch/pcapatchlog "
Eric R. Jones
SRF JRMC
C1236
DSN 315-243-4196
STICK \'stik\ n. 1: A boomerang that doesn't work.
-----Original Message-----
From: pca-bounces at lists.univie.ac.at
[mailto:pca-bounces at lists.univie.ac.at]
On Behalf Of Nishimura, Scott L (IT Solutions)
Sent: Wednesday, December 08, 2010 7:47 AM
To: PCA (Patch Check Advanced) Discussion
Subject: Re: [pca] FW: Pardon my question
Eric,
Did you sign up for the new MOS [My Oracle Support] account and are
you
using those credentials in your pca execution? Sunsolve credentials
won't
work with the new getupdates.oracle.com, AFAIK.
Scott
-----Original Message-----
From: pca-bounces at lists.univie.ac.at
[mailto:pca-bounces at lists.univie.ac.at] On Behalf Of Jones, Eric CIV SRF
1236
Sent: Tuesday, December 07, 2010 2:43 PM
To: pca at lists.univie.ac.at
Subject: EXTERNAL:[pca] FW: Pardon my question
Hello, I have been following the posts on the new process to get patches
from Oracle.
I'm still able to get downloads, as of yesterday Japan time, from the
sunsolve.sun.com url in the PCA application.
Do I need to modify the url's in the script to read
getupdates.oracle.com
manually or is a new pca script forth coming?
I have already done a find and replace, it attempts to get the
patchdiag.xref but it fails stating:
"Trying https://getupdates.oracle.com/ (1/1) Failed (Unknown Error)
Failed
(patch not found)"
Installing 144560-02 (2/2)
Failed - missing patch file (07:36:46/00:00:00/00:01:30, 2/2, 0/0/2)
And then lists the summary of total, successful, skipped and failed.
Eric R. Jones
SRF JRMC
C1236
DSN 315-243-4196
STICK \'stik\ n. 1: A boomerang that doesn't work.
More information about the pca
mailing list