Gerard Henry wrote:
On 11/17/10 11:05, Don O'Malley wrote:

I've tested downloading patchdiag.xref and 119254-76.zip, both using the
certificate file and the --no-check-certificate option and everything
looks good:



bash-3.00# wget --http-user="xxxxxxxx" --http-passwd="xxxxxxxx" --ca-certificate=/tmp/WGET3_getupdates.pem "https://getupdates.oracle.com/reports/patchdiag.xref"  -O /tmp/patchdiag.xref
--09:49:59--https://getupdates.oracle.com/reports/patchdiag.xref

hello,
where did you get this certificate called /tmp/WGET3_getupdates.pem ? Is it important?

I'm no security expert, but here's my understanding of the certificate info.

You must provide 'wget' with direction on how to handle security certificate information.  Otherwise, patch downloads via 'wget' will fail. The purpose of the certificates is for customers to be able to verify that the content that you are downloading from Oracle has actually come from Oracle and has not been intercepted by a "man-in-the-middle".

Domains, getupdates.oracle.com & a248.e.akamai.net, are signed by trusted Certificate Authorities. (Verisign for Oracle's and GTE Cybertrust for the case of Akamai.) Without a pointer to these certificates being provided to 'wget', download attempts will fail.

Which certs are required? (These may have changed since the Oracle acquisition)

    CN=GTE CyberTrust Global Root
    CN=VeriSign Class 3 Secure Server CA - G2

What kind of error message can you expect to see from a failing 'wget' request?

    ERROR: Certificate verification error for getupdates.oracle.com: unable to get local issuer certificate
    To connect to getupdates.oracle.com insecurely, use `--no-check-certificate'.
    Unable to establish SSL connection.

Issue resolution:

If you wish to ignore this failure you can use the '--no-check-certificate' switch in 'wget'.  Example of the syntax:

    # /usr/sfw/bin/wget --http-user="xxxxxxxx" --http-passwd="xxxxxxx" --no-check-certificate "https://getupdates.oracle.com/all_unsigned/119254-77.zip" -O /tmp/119254-77.zip

If you wish to check against the certificates, you can use the '--ca-certificate' switch to point to a file containing the certificates.

http://sunsolve.sun.com/search/document.do?assetkey=1-79-1199543.1-1 has an attachment called WGET3_getupdates.pem, which is a concatenation of the two certificates.

If you save this file locally (eg to /tmp/cacerts.pem), you can use a syntax similar to:

    # /usr/sfw/bin/wget --ca-certificate=/tmp/cacerts.pem --http-user="xxxxxxxx" --http-passwd="xxxxxxx" "http://sunsolve.sun.com/pdownload.pl?target=142284&method=h" -O /tmp/140778-01.zip


HTH,
-Don

the following command works for me, with my valid account:

$ wget --http-user="xxxxxxxxxxxxxx" --http-passwd="xxxxxxxxxxx" --no-check-certificate "https://getupdates.oracle.com/all_unsigned/119254-76.zip" -O 119254-76.zip
--17:12:10--  https://getupdates.oracle.com/all_unsigned/119254-76.zip
           => `119254-76.zip'
Resolving getupdates.oracle.com... 192.18.110.9
Connecting to getupdates.oracle.com|192.18.110.9|:443... connected.
WARNING: Certificate verification error for getupdates.oracle.com: unable to get local issuer certificate
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://a248.e.akamai.net/f/248/21808/15m/sun.download.akamai.com/21808/patches/patchroot/all_unsigned/119254-76.zip?AuthParam=1290096781_9ed819b85c4f609ba7e00f2d9b7f3472&TicketId=C19a%2FE6JV18%3D&GroupName=SWUP&FilePath=/21808/patches/patchroot/all_unsigned/119254-76.zip&File=119254-76.zip [following]
--17:12:13-- https://a248.e.akamai.net/f/248/21808/15m/sun.download.akamai.com/21808/patches/patchroot/all_unsigned/119254-76.zip?AuthParam=1290096781_9ed819b85c4f609ba7e00f2d9b7f3472&TicketId=C19a%2FE6JV18%3D&GroupName=SWUP&FilePath=/21808/patches/patchroot/all_unsigned/119254-76.zip&File=119254-76.zip
           => `119254-76.zip'
Resolving a248.e.akamai.net... 193.51.224.7, 193.51.224.23
Connecting to a248.e.akamai.net|193.51.224.7|:443... connected.
WARNING: Certificate verification error for a248.e.akamai.net: unable to get local issuer certificate
HTTP request sent, awaiting response... 200 OK
Length: 1,708,956 (1.6M) [application/zip]

100%[====================================>] 1,708,956    897.62K/s

17:12:16 (894.74 KB/s) - `119254-76.zip' saved [1708956/1708956]



--

Don O'Malley
Manager, Patch System Test
Revenue Product Engineering | Solaris | Hardware
East Point Business Park, Dublin 3, Ireland
Phone: +353 1 8199764
Team Alias: rpe_patch_system_test...@oracle.com
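
Added example, not part of the original thread: a small log audit that reports which hosts in a wget log had certificate verification bypassed (WARNING, as with --no-check-certificate) or enforced (ERROR), and which saved files came from a bypassed chain, following redirects such as the getupdates.oracle.com to a248.e.akamai.net hop above. The function names audit_wget_log and sample_log are hypothetical, and the sample log is constructed from the output format quoted in the thread.

```shell
#!/bin/sh
# Audit wget logs for TLS certificate checks that were bypassed or enforced.
# Tab-separated records:
#   BYPASSED <host> <reason>   WARNING line: transfer went on without a verified chain
#   REFUSED <host> <reason>    ERROR line: wget enforced verification and stopped
#   UNVERIFIED-FILE <name>     file saved after at least one bypassed check
audit_wget_log() {
    awk -v q="'" '
    # New request line: clear the flag unless this hop is a followed redirect.
    /^--[0-9: -]+--/ { if (!following) tainted = 0; following = 0 }
    /\[following\]$/ { following = 1 }
    /^(WARNING|ERROR): Certificate verification error for / {
        kind = ($1 == "WARNING:") ? "BYPASSED" : "REFUSED"
        rest = $0
        sub(/^[A-Z]+: Certificate verification error for /, "", rest)
        host = rest;   sub(/:.*/, "", host)
        reason = rest; sub(/^[^:]*: */, "", reason)
        print kind "\t" host "\t" reason
        if (kind == "BYPASSED") tainted = 1
        next
    }
    / saved \[/ {
        s = index($0, "`"); e = index($0, q " saved [")
        if (tainted && s && e > s) print "UNVERIFIED-FILE\t" substr($0, s + 1, e - s - 1)
    }' "$@"
}

# Constructed sample log modelled on the output quoted in this thread (redirect
# URL shortened); the second and third downloads are hypothetical runs.
sample_log() {
    cat <<'EOF'
--17:12:10--  https://getupdates.oracle.com/all_unsigned/119254-76.zip
WARNING: Certificate verification error for getupdates.oracle.com: unable to get local issuer certificate
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://a248.e.akamai.net/f/248/21808/15m/119254-76.zip [following]
--17:12:13--  https://a248.e.akamai.net/f/248/21808/15m/119254-76.zip
WARNING: Certificate verification error for a248.e.akamai.net: unable to get local issuer certificate
HTTP request sent, awaiting response... 200 OK
17:12:16 (894.74 KB/s) - `119254-76.zip' saved [1708956/1708956]
--17:20:01--  https://getupdates.oracle.com/reports/patchdiag.xref
ERROR: Certificate verification error for getupdates.oracle.com: unable to get local issuer certificate
Unable to establish SSL connection.
--17:25:40--  https://getupdates.oracle.com/reports/patchdiag.xref
HTTP request sent, awaiting response... 200 OK
17:25:42 (512.00 KB/s) - `/tmp/patchdiag.xref' saved [1024/1024]
EOF
}

sample_log | audit_wget_log
```

Pass a real log file as an argument (for example one written with wget's -o option) instead of piping the sample.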
