SUSE Manager fully unattended system provisioning from SLES11SP4 to SLES12SP1 stops on old repo refresh

This document (7018899) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Manager 3

Situation

On performing a system upgrade (offline migration) from SLES 11 SP4 to SLES 12 SP1 the unattended migration/installation following the process as outlined here https://www.suse.com/documentation/suse-manager/singlehtml/suse_manager21/book_susemanager_clientconf/book_susemanager_clientconf.html#s1-maintenance-migration stops with the following errors:






Resolution

Add a chroot script to the example autoyast linked below either directly or via creating a new snippet script on the SUMA (SUSE Manager Server) under the "/var/lib/rhn/kickstarts/snippets/" directory.

The script needs to have the following content:

# begin migration certificate fix
<script>
    <filename>migration_fix_script.sh</filename>
    <chrooted config:type="boolean">true</chrooted>
    <source>
        <![CDATA[
        ln -s /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT /etc/pki/trust/anchors/RHN-ORG-TRUSTED-SSL-CERT
        /usr/sbin/update-ca-certificates
        ]]>
    </source>
</script>

Either the above code can be added directly to the autoyast script via the SUMA gui:

Systems > Autoinstallation > Profiles > click on the label for the current profile > File Contents > add the following to the <scripts> section

<chroot-scripts config:type="list">
      # begin migration certiificate fix
<script>
    <filename>migration_fix_script.sh</filename>
    <chrooted config:type="boolean">true</chrooted>
    <source>
    <![CDATA[
    ln -s /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT /etc/pki/trust/anchors/RHN-ORG-TRUSTED-SSL-CERT
    /usr/sbin/update-ca-certificates
    ]]>
    </source>
</script>

Or for the snippet solution mentioned above using a snippet script the following needs to be added to the autoyast script and the <scripts> section

<chroot-scripts config:type="list">
      $SNIPPET('spacewalk/migration_fix_script')
</chroot-scripts>

After any one of the above has been added to the script the configuration needs to be updated clicking on the Update button.

Cause

The problem is also seen in the "/var/log/YaST2/y2log" log file with the following error:

MediaCurl.cc(doGetFileCopyFile):1465 curl error: 60: SSL certificate problem: unable to get local issuer certificate, temp file size 0 bytes.

Between SLES11 and SLES12 the location where to store SSL Certificates (the  trust store) has changed. The old location (/ect/ssl/certs/) is now "generated", which means everything is removed from this directory and completely generated from a different source. To get a certificate into this trust store it needs to be placed/linked into "/etc/pki/trust/anchors/".

Additional Information


Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7018899
  • Creation Date: 10-May-2017
  • Modified Date:03-Mar-2020
    • SUSE Manager

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center
Report a Software Vulnerability Submit Tips, Tricks, and Tools Download Free Tools