Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-72-2131773.1
Update Date:2018-01-05

Solution Type  Problem Resolution Sure

Solution  2131773.1 :   Service ca-certificates:default will not start and log shows OSError: [Errno 17] File exists  


Related Items
  • SPARC SuperCluster T4-4
Related Categories
  • PLA-Support>Eng Systems>Exadata/ODA/SSC>SPARC SuperCluster>DB: SuperCluster_EST




In this Document
Symptoms
Changes
Cause
Solution
References


Created from <SR 3-12545811401>

Applies to:

SPARC SuperCluster T4-4 - Version All Versions and later
Information in this document applies to any platform.

Symptoms

Issuing svcs -xv will show output similar to the following:

Problem Summary
---------------------------------------------------
svc:/system/ca-certificates:default

Problem Description
---------------------------------------------------
svc:/system/ca-certificates:default (CA Certificates Service)
State: maintenance since Sat Apr 16 06:23:45 2016
Reason: Start method failed repeatedly, last exited with status 1.
See: http://support.oracle.com/msg/SMF-8000-KS
See: man -M /usr/share/man -s 5 openssl
See: /var/svc/log/system-ca-certificates:default.log
Impact: This service is not running.

 

The corresponding system-ca-certificates:default.log mentioned in the output will show a traceback similar to the following:

[ Jan 16 09:22:52 Executing start method ("/lib/svc/method/svc-ca-certificates start"). ]
Re-generating OpenSSL hash Links
Traceback (most recent call last):
  File "/lib/svc/method/svc-ca-certificates", line 108, in <module>
    smf_include.smf_main()
  File "/usr/lib/python2.6/vendor-packages/smf_include.py", line 95, in smf_main
    sys.exit(frame.f_globals[sys.argv[1]]())
  File "/lib/svc/method/svc-ca-certificates", line 91, in start
    generate_links()
  File "/lib/svc/method/svc-ca-certificates", line 43, in generate_links
    os.symlink(os.path.join(RELCDIR, cfile), os.path.join(LINKDIR, shash))
OSError: [Errno 17] File exists
[ Jan 16 09:22:54 Method "start" exited with status 1. ]

 



Changes

None.

Cause

The ca-certificates service loops over all certificates in /etc/certs/CA and creates OpenSSL hash links for them in /etc/openssl/certs (the os.symlink call shown in the traceback above). If duplicate certificates are found in /etc/certs/CA, the service cannot re-hash the same certificate a second time and fails with "File exists".

 

Solution

1. Change to the /etc/certs/CA directory.

cd /etc/certs/CA

 

2. List the contents of the directory.

ls -la

 

3. Look for any duplicate certificates. For example, the following are duplicate Ops Center certificates:

-rw-r--r-- 1 root sys 1229 Oct 12 00:45 127.0.0.1.OpsCenter_cert.pem
-rw-r--r-- 1 root root 1229 Apr 11 2014 127.0.0.1.OpsCenter_cert.pem.org

Note that multiple certificates may exist for the same site or service under slightly different names, with both files keeping the .pem extension rather than one of them ending in .org. This can cause conflicts as well. For instance, the following two certificates may conflict with each other and cause the error:

-rw-r--r-- 1 root sys 1216 Jul 1 2013 127.0.0.1.OpsCenter_cert.pem
-rw-r--r-- 1 root root 1216 Mar 7 2013 172.16.224.40.OpsCenter_cert.pem

  

 4. Move any duplicate certificate out of the /etc/certs/CA directory.  If duplicates are found but have the .pem extension (versus .org), then move the older of the certificates.

mv <certificate file name> /tmp

 The goal is to have only one certificate in place.

 

5. Disable the ca-certificates service.

svcadm disable /system/ca-certificates:default

 

6. Enable the ca-certificates service.

svcadm enable /system/ca-certificates:default

 

7. Check that the service is no longer showing as disabled.

svcs -xv

If the service is no longer disabled, the problem is solved.
If the service is still disabled, then go on to the next step.

 

8.  Move all certificates out of the /etc/certs/CA directory.

mv * /tmp

  

9.  Move a single certificate back into the /etc/certs/CA directory.

cd /tmp     

mv <certificate name> /etc/certs/CA

  

10.  Disable the ca-certificates service.

svcadm disable /system/ca-certificates:default

 

11. Enable the ca-certificates service.

svcadm enable /system/ca-certificates:default 

  

12. Check that the service is no longer showing as disabled.

svcs -xv

If the service is no longer disabled, repeat steps 9 through 12 for each certificate that was moved from the /etc/certs/CA directory.

If the service did not start, there is a problem with the last certificate moved into the /etc/certs/CA directory.  In this case do the following:

     a.  Make a note of the certificate name.
     b.  Move it back out of the /etc/certs/CA directory.
     c.  Repeat steps 9 through 12.

 

13.  Once all certificates have been moved back into the /etc/certs/CA directory and the ca-certificates:default service is running again, do one of the following:

     a.  If one or more problem certificates were found, open a service request for this issue with Oracle Support.
     b.  If no problem certificates were found, the issue is resolved.
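
Steps 3 and 4 depend on spotting duplicates by eye in an ls listing, which is easy to miss when the same certificate is stored under a different name. The following Python 3 example is added here and is not part of the Oracle note or of the svc-ca-certificates method: it groups files by the SHA-256 of their decoded certificate body and lists the copies step 4 would move. It assumes Python 3 is available, finds only byte-identical certificates (it does not compute the OpenSSL hash), and uses a constructed sample directory in which Other_CA.pem is a hypothetical name and the bodies are placeholders.

```python
import base64, hashlib, os, re, tempfile
from collections import defaultdict

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def cert_digests(path):
    """SHA-256 of the decoded body of each PEM certificate block in a file."""
    with open(path, errors="replace") as fh:
        blocks = PEM_RE.findall(fh.read())
    digests = set()
    for body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:          # damaged base64: not comparable, skip it
            continue
        digests.add(hashlib.sha256(der).hexdigest())
    return digests

def files_to_move(cadir):
    """Copies to move out (step 4): keep a .pem name over a backup name, then the newest."""
    copies = defaultdict(list)
    for name in os.listdir(cadir):
        path = os.path.join(cadir, name)
        if os.path.isfile(path):
            for digest in cert_digests(path):
                copies[digest].append((name.endswith(".pem"), os.path.getmtime(path), name))
    move = set()
    for group in copies.values():   # sorted() puts the copy to keep last
        move.update(name for _, _, name in sorted(group)[:-1])
    return sorted(move)

def demo():
    """Constructed sample directory; bodies are placeholders, not real certificates."""
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
    sample = {  # name: (placeholder body, constructed mtime)
        "127.0.0.1.OpsCenter_cert.pem": (b"A", 1372636800),
        "127.0.0.1.OpsCenter_cert.pem.org": (b"A", 1362614400),
        "172.16.224.40.OpsCenter_cert.pem": (b"A", 1362614400),
        "Other_CA.pem": (b"B", 1362614400),   # hypothetical unrelated certificate
    }
    cadir = tempfile.mkdtemp()
    for name, (tag, mtime) in sample.items():
        path = os.path.join(cadir, name)
        with open(path, "w") as fh:
            fh.write(pem % base64.b64encode(tag * 40).decode())
        os.utime(path, (mtime, mtime))
    return files_to_move(cadir)

if __name__ == "__main__":
    print(demo())
```

To check a live system, call files_to_move("/etc/certs/CA") instead of demo(); the function only reads the directory and moves nothing.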

References

<NOTE:1395637.1> - pkg(1M) on Solaris 11 System Fails with "Framework error: code: 60 reason: SSL certificate problem, verify that the CA cert is OK"

  Copyright © 2018 Oracle, Inc.  All rights reserved.