SMT running on SLES11 SP4 can no longer synchronize any repository content
This document (000021070) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 11 Service Pack 4
SUSE Linux Enterprise Server 11 Service Pack 3
Subscription Management Tool 2.x
SUSE Linux Enterprise Server 11 Service Pack 3
Subscription Management Tool 2.x
Situation
Subscription management tool running on SLES11 servers can no longer synchronize repository content. Errors are seen in the mirroring log output similar to: 500 CURL ERROR(35) SSL connect error
Resolution
The only supported solution now available to provide for synchronization of SLES11 repository content and allow SLES11 clients to register for updates, is to run SMT on SLES12, preferably SLES12 SP5, which is the only version of SLES12 still in the general support phase.
Cause
Support for the TLS 1.0/1.1 protocol was switched off at a point within the SUSE content delivery system. This is in line with standard industry security practice.
Additional Information
With SLES12, the SMT programs can be found in the normal repositories consumed by SLES12. It can be installed by using YaST > Software Management > Patterns > Subscription Management Tool.
Note that the version of SMT supplied with SLES12 is not the same version used with SLES11.
-------------------------------------------------------------------------------------
There is also an unsupported 'work around' that may enable SLES11 SMT servers to continue to synchronize content. This information is provided 'as is' and is intended only for consumption by those who must continue to use SLES11 as their SMT server due to some valid business reason.
This work around is achieved by using content from the 'SLE11-Security-Module' repository.
To attempt to use this work-around, all relevant patches from the 'SLES11 SP4 Updates' repository must first be applied to the target SMT server.
Next step is to install the following programs which will be pulled from the 'SLE11-Security-Module' repository:
Add the following to the /etc/environment file (if the LD_LIBRARY_PATH variable is already in use on the server, you will need to adjust it's value accordingly):
Reboot and test the functionality of SMT by running:
Note that although only SLES11 SP4 is mentioned as the target for this work-around, it may be possible to make this work on SLES11 SP3 as well.
Note that using zypper in an environment linked to the libraries in /opt/suse/lib64 may cause it to randomly crash. This can be avoided by running zypper in an environment/shell where LD_LIBRARY_PATH is not present (e.g. delete the LD_LIBRARY_PATH variable from the current shell only where zypper is being used).
-------------------------------------------------------------------------------------
Here is a very brief outline of what would be needed to setup SMT on a fresh install of SLES11 SP4 (minimum requirements):
Repos/content required:
repo SLES11-SP4-updates
repo SLE11-Security-Module
repo SLE11-SMT-SP3-Pool
repo SLE11-SMT-SP3-Updates
Any repos not currently available to be consumed by the target SMT server can be copied from another source (eg. existing SLES11 SMT server or SLES12 SMT server) and added to the target via YaST > repos > add repo > directory-containing-copied-repo-content.
Fully patch using available patches provided by Updates repository, then install the following programs from the security repo:
Add the following to the /etc/environment file and reboot:
Edit /etc/suseRegister.conf
Register server using e.g.:
Install SMT using: YaST > Software Management > Patterns > Software Subscription Tool
Configure SMT > choose SCC option, add mirror credentials, add DB password then add desired repositories and initiate the mirror process.
-------------------------------------------------------------------------------------
Please do not open support tickets for SMT on SLES11 as it is out-of-support. Note that the only support option currently remaining for SLES11 (at the time of creating this document) is the 'SLES11 SP4 LTSS Extreme Core' subscription offering which has a very limited scope of support.
Note that RMT can also be used to mirror SLES11 repositories, however, SLES11 clients can not register for updates with the RMT service.
Note that the version of SMT supplied with SLES12 is not the same version used with SLES11.
-------------------------------------------------------------------------------------
There is also an unsupported 'work around' that may enable SLES11 SMT servers to continue to synchronize content. This information is provided 'as is' and is intended only for consumption by those who must continue to use SLES11 as their SMT server due to some valid business reason.
This work around is achieved by using content from the 'SLE11-Security-Module' repository.
To attempt to use this work-around, all relevant patches from the 'SLES11 SP4 Updates' repository must first be applied to the target SMT server.
Next step is to install the following programs which will be pulled from the 'SLE11-Security-Module' repository:
zypper in libcurl4-openssl1 zypper in curl-openssl1
Add the following to the /etc/environment file (if the LD_LIBRARY_PATH variable is already in use on the server, you will need to adjust it's value accordingly):
LD_LIBRARY_PATH=/opt/suse/lib64
Reboot and test the functionality of SMT by running:
smt-mirror -L <logfile_output>
Note that although only SLES11 SP4 is mentioned as the target for this work-around, it may be possible to make this work on SLES11 SP3 as well.
Note that using zypper in an environment linked to the libraries in /opt/suse/lib64 may cause it to randomly crash. This can be avoided by running zypper in an environment/shell where LD_LIBRARY_PATH is not present (e.g. delete the LD_LIBRARY_PATH variable from the current shell only where zypper is being used).
-------------------------------------------------------------------------------------
Here is a very brief outline of what would be needed to setup SMT on a fresh install of SLES11 SP4 (minimum requirements):
Repos/content required:
repo SLES11-SP4-updates
repo SLE11-Security-Module
repo SLE11-SMT-SP3-Pool
repo SLE11-SMT-SP3-Updates
Any repos not currently available to be consumed by the target SMT server can be copied from another source (eg. existing SLES11 SMT server or SLES12 SMT server) and added to the target via YaST > repos > add repo > directory-containing-copied-repo-content.
Fully patch using available patches provided by Updates repository, then install the following programs from the security repo:
zypper in libcurl4-openssl1 zypper in curl-openssl1
Add the following to the /etc/environment file and reboot:
LD_LIBRARY_PATH=/opt/suse/lib64
Edit /etc/suseRegister.conf
url = https://scc.suse.com/ncc/center/regsvc/
Register server using e.g.:
suse_register -d 3 -a regcode-sles=<your_SLES_code> -a email=<your_email_addr>
Install SMT using: YaST > Software Management > Patterns > Software Subscription Tool
Configure SMT > choose SCC option, add mirror credentials, add DB password then add desired repositories and initiate the mirror process.
-------------------------------------------------------------------------------------
Please do not open support tickets for SMT on SLES11 as it is out-of-support. Note that the only support option currently remaining for SLES11 (at the time of creating this document) is the 'SLES11 SP4 LTSS Extreme Core' subscription offering which has a very limited scope of support.
Note that RMT can also be used to mirror SLES11 repositories, however, SLES11 clients can not register for updates with the RMT service.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021070
- Creation Date: 26-Jun-2023
- Modified Date:26-Jun-2023
-
- Subscription Management Tool
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
