> The https server at sunsolve.sun.com doesn't respond, but > http works. At least for me.
That is somewhat bizarre. This is like watching an old well loved building collapse in slow motion. :-( So then ... here is what I did. On my server ( with a valid contract ) I did the following : 1) fetch the patchdiag.xref from good ol SunSolve that worked for the moment 2) run PCA t determine that patches have updated since June 19th which is when I last applied patches to this server. 3) look at list 4) look at the report for patches needed : # cat patch_report_missing Using /export/medusa/root/pca_data/xref/patchdiag.xref from Nov/19/10 Host: deimos (SunOS 5.10/Generic_142901-14/i386/i86pc) List: missing (157/8633) Patch IR CR RSB Age Synopsis ------ -- - -- --- --- ------------------------------------------------------- 119255 73 < 77 RS- 5 SunOS 5.10_x86: Install and Patch Utilities Patch 5) I then attempt to fetch the patch from Sunsolve with good ol PCA and watch that fail miserbly. 6) I read http://sunsolve.sun.com/search/document.do?assetkey=1-79-1199543.1-1 7) I then fetch the certificates file : # /opt/csw/bin/wget http://sunsolve.sun.com/search/document.do\?attach=yes\&assetkey=urn:cds:attach:cds/attachments/pshsure/1199543.1/WGET3_getupdates.pem 8) I put that someplace that I can get to later # mv document.do\?attach=yes\&assetkey=urn:cds:attach:cds%2Fattachments%2Fpshsure%2F1199543.1%2FWGET3_getupdates.pem $PCA_XREFDIR/getupdates.pem 9) I look at the cert file : # head $PCA_XREFDIR/getupdates.pem -----BEGIN CERTIFICATE----- MIIEdzCCA+CgAwIBAgIQeFTJcTtAoD2TTksbfyZhcDANBgkqhkiG9w0BAQUFADCB ujEfMB0GA1UEChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVy aVNpZ24sIEluYy4xMzAxBgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2Vy dmVyIENBIC0gQ2xhc3MgMzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMg SW5jb3JwLmJ5IFJlZi4gTElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjAeFw0x MDA0MTMwMDAwMDBaFw0xMTA1MDUyMzU5NTlaMIG4MQswCQYDVQQGEwJVUzETMBEG A1UECBMKQ2FsaWZvcm5pYTEXMBUGA1UEBxQOUmVkd29vZCBTaG9yZXMxGzAZBgNV BAoUEk9yYWNsZSBDb3Jwb3JhdGlvbjESMBAGA1UECxQJR2xvYmFsIElUMTMwMQYD VQQLFCpUZXJtcyBvZiB1c2UgYXQgd3d3LnZlcmlzaWduLmNvbS9ycGEgKGMpMTAx # # /opt/csw/bin/openssl x509 -text -in $PCA_XREFDIR/getupdates.pem Certificate: Data: Version: 3 (0x2) Serial Number: 78:54:c9:71:3b:40:a0:3d:93:4e:4b:1b:7f:26:61:70 Signature Algorithm: sha1WithRSAEncryption Issuer: O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign Validity Not Before: Apr 13 00:00:00 2010 GMT Not After : May 5 23:59:59 2011 GMT Subject: C=US, ST=California, L=Redwood Shores, O=Oracle Corporation, OU=Global IT, OU=Terms of use at www.verisign.com/rpa (c)10, CN=*.oracle.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:cb:2b:bd:5b:70:71:e2:a6:cc:06:78:73:cc:e3: a7:fd:fa:5d:22:79:55:54:c7:f7:54:25:e2:7d:5e: d8:77:34:c4:c6:ed:60:7a:ea:c8:cb:10:15:33:47: 3d:b3:e2:dd:45:49:e4:1f:52:09:01:74:91:82:33: 6f:5d:3c:39:6f:90:ff:04:18:35:c8:27:17:cd:67: 3b:e3:22:bb:0b:69:41:10:02:7e:73:44:86:cc:43: 91:fe:12:4a:96:75:d2:8d:0b:15:cf:10:8f:d5:8f: d1:7e:40:f6:91:45:1a:fa:79:10:1f:58:27:a2:f4: 09:57:a2:9b:5f:0d:5c:8f:9d Exponent: 65537 (0x10001) X509v3 extensions: Authority Information Access: OCSP - URI:http://ocsp.verisign.com X509v3 Basic Constraints: CA:FALSE X509v3 Certificate Policies: Policy: 2.16.840.1.113733.1.7.23.3 CPS: https://www.verisign.com/rpa X509v3 CRL Distribution Points: URI:http://SVRIntl-crl.verisign.com/SVRIntl.crl X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto X509v3 Key Usage: Digital Signature, Key Encipherment 1.3.6.1.5.5.7.1.12: 0`.^.\0Z0X0V..image/gif0!0.0...+......Kk.(.....R8.).K..!..0&.$http://logo.verisign.com/vslogo1.gif Signature Algorithm: sha1WithRSAEncryption 0d:4d:7d:17:cd:11:89:0f:a4:5a:13:aa:43:91:ab:11:30:fd: 9f:fa:fa:e6:ab:d6:c8:d9:12:3b:53:72:f2:40:47:61:c8:db: 0d:19:04:f1:0b:ef:bc:b9:0f:02:bf:b3:cd:de:c4:d7:2a:03: 17:64:f7:4a:f9:e7:35:60:34:e2:55:50:b2:16:fc:52:26:b7: d8:34:13:38:99:7f:6a:3d:a7:32:ed:6b:91:44:e1:2e:00:0b: eb:ab:36:4f:f1:9b:71:f1:58:5f:11:89:43:01:52:f3:9e:6d: fe:2a:f2:a9:24:46:44:ad:ca:70:2d:ad:0c:62:32:43:e3:47: b3:26 -----BEGIN CERTIFICATE----- MIIEdzCCA+CgAwIBAgIQeFTJcTtAoD2TTksbfyZhcDANBgkqhkiG9w0BAQUFADCB ujEfMB0GA1UEChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVy aVNpZ24sIEluYy4xMzAxBgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2Vy dmVyIENBIC0gQ2xhc3MgMzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMg SW5jb3JwLmJ5IFJlZi4gTElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjAeFw0x MDA0MTMwMDAwMDBaFw0xMTA1MDUyMzU5NTlaMIG4MQswCQYDVQQGEwJVUzETMBEG A1UECBMKQ2FsaWZvcm5pYTEXMBUGA1UEBxQOUmVkd29vZCBTaG9yZXMxGzAZBgNV BAoUEk9yYWNsZSBDb3Jwb3JhdGlvbjESMBAGA1UECxQJR2xvYmFsIElUMTMwMQYD VQQLFCpUZXJtcyBvZiB1c2UgYXQgd3d3LnZlcmlzaWduLmNvbS9ycGEgKGMpMTAx FTATBgNVBAMUDCoub3JhY2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC gYEAyyu9W3Bx4qbMBnhzzOOn/fpdInlVVMf3VCXifV7YdzTExu1geurIyxAVM0c9 s+LdRUnkH1IJAXSRgjNvXTw5b5D/BBg1yCcXzWc74yK7C2lBEAJ+c0SGzEOR/hJK lnXSjQsVzxCP1Y/RfkD2kUUa+nkQH1gnovQJV6KbXw1cj50CAwEAAaOCAXwwggF4 MDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNp Z24uY29tMAkGA1UdEwQCMAAwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcXAzAqMCgG CCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMDwGA1UdHwQ1 MDMwMaAvoC2GK2h0dHA6Ly9TVlJJbnRsLWNybC52ZXJpc2lnbi5jb20vU1ZSSW50 bC5jcmwwNAYDVR0lBC0wKwYIKwYBBQUHAwEGCCsGAQUFBwMCBglghkgBhvhCBAEG CisGAQQBgjcKAwMwCwYDVR0PBAQDAgWgMG4GCCsGAQUFBwEMBGIwYKFeoFwwWjBY MFYWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFEtruSiWBgy70FI4mymsSweLIQUY MCYWJGh0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28xLmdpZjANBgkqhkiG 9w0BAQUFAAOBgQANTX0XzRGJD6RaE6pDkasRMP2f+vrmq9bI2RI7U3LyQEdhyNsN GQTxC++8uQ8Cv7PN3sTXKgMXZPdK+ec1YDTiVVCyFvxSJrfYNBM4mX9qPacy7WuR ROEuAAvrqzZP8Ztx8VhfEYlDAVLznm3+KvKpJEZErcpwLa0MYjJD40ezJg== -----END CERTIFICATE----- # very nice .. Verisign seems to be everywhere. 10) I then fetch my first patch : /opt/csw/bin/wget -v --http-user=someusername --http-passwd=BADCAFFE --ca-certificate=$PCA_XREFDIR/getupdates.pem https://getupdates.oracle.com/all_unsigned/119255-77.zip -O $PCA_PATCHDIR/119255-77.zip That seems to work. :-) 11) I write a simple script to fetch the patches I need. I watch that fail with loads of this : 2010-11-21 16:41:37 ERROR 403: You are not entitled to retrieve this content.. The only patches I am allowed to have with my support contract for Solaris 10 seem to be these : 119255-77 142252-02 145045-02 119255-77 RS- SunOS 5.10_x86: Install and Patch Utilities Patch 142252-02 RS- SunOS 5.10_x86: sh patch 145045-02 R-- SunOS 5.10_x86: ksh pfksh rksh xargs sh patch Strangely I am not allowed to have the compiler patches that I really need. 120759-21 --- Sun Studio 11_x86: Sun Compiler Common patch for x86 backend 121018-22 --- Sun Studio 11_x86: Patch for Sun C++ 5.8 compiler 121020-12 --- Sun Studio 11_x86: Patch for x86 Fortran 95 8.2 Compiler 121616-07 --- Sun Studio 11_x86: Patch for Sun dbx 7.5_x86 Debugger 126498-20 --- Sun Studio 12_x86: Sun Compiler Common patch for x86 backend 124864-26 --- Sun Studio 12_x86: Patch for Sun C++ Compiler 124868-15 --- Sun Studio 12_x86: Patch for C 5.9 compiler 141858-07 --- Sun Studio 12 Update 1_x86: Sun Compiler Common patch for x86 128229-11 --- Sun Studio 12 Update 1_x86: Patch for C++ Compiler 142363-06 --- Sun Studio 12 Update 1_x86: Patch for C Compiler 145349-01 --- Sun Studio 12 Update 1_x86 : Patch for dbx Funny ... I am not allowed to have those as well as piles of others. I so enjoy paying a corporation money and then I have to work for them. Does anyone know, I mean really know, when Oracle will get its act together on this simple yet critical service ? -- Dennis Clarke dcla...@opensolaris.ca <- Email related to the open source Solaris dcla...@blastwave.org <- Email related to open source for Solaris