Oracle is replacing Symantec-branded certificates with DigiCert-branded certificates across all of its infrastructure to prevent trust warnings once the Symantec root certificate authority is removed from several web browsers, including Firefox and Chrome.
Immediate action required before October 9, 2018
Because of how Oracle Linux systems connect to Unbreakable Linux Network (ULN), this change requires that client certificates be updated on all Oracle Linux systems that are directly subscribed to and receiving updates from ULN. This does not affect Oracle Linux systems that are managed by Oracle Enterprise Manager or are subscribed to a local Spacewalk instance.
The change in server certificates on ULN will occur on October 9, 2018. After that time, Oracle Linux systems will only be able to connect to ULN with an updated client certificate.
Please make sure to update the packages listed at the end of this announcement on all servers that are registered directly to ULN before October 9, 2018.
What happens if I can’t update before October 9, 2018?
If you are unable to update to the packages listed below before October 9, 2018, you will be unable to connect to ULN and will receive one of the following errors:
The certificate /usr/share/rhn/ULN-CA-CERT is expired. Please ensure you have the correct certificate and your system time is correct.
OR
There was an SSL error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]
A common cause of this error is the system time being incorrect. Verify that the time on this system is correct.
Resolution: Manually replace the SSL certificate
To manually replace the client SSL certificate on an Oracle Linux machine, run the following steps as root on each server:
# cp /usr/share/rhn/ULN-CA-CERT /usr/share/rhn/ULN-CA-CERT.old
# wget https://linux-update.oracle.com/rpms/ULN-CA-CERT.sha2
# cp ULN-CA-CERT.sha2 /usr/share/rhn/ULN-CA-CERT
After making this manual replacement, connectivity to ULN should be restored and you can continue using ULN as normal. The packages below should then be updated as part of your standard patching cycle.
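The copy step above overwrites the trust anchor with whatever was downloaded, so a download that returned something other than a certificate (for example an HTML error page from a proxy) would break ULN connectivity. The following is an added example, not Oracle's own tooling: the hypothetical functions cert_ok and replace_ca_cert check that the file parses as an unexpired PEM certificate before installing it, and assume openssl is installed.

```shell
#!/bin/sh
# Added example: validate a downloaded ULN CA file before installing it.
# Function names are hypothetical; paths are arguments so it can be tried
# on scratch files first.

# cert_ok FILE -> 0 if FILE starts with a parseable PEM certificate that has
# not expired. openssl x509 reads only the first certificate in the file.
cert_ok() {
    [ -s "$1" ] || { echo "empty or missing: $1" >&2; return 1; }
    openssl x509 -in "$1" -noout 2>/dev/null \
        || { echo "not a PEM certificate: $1" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "certificate already expired: $1" >&2; return 1; }
}

# replace_ca_cert NEW DEST -> validate NEW, keep DEST as DEST.old, install NEW.
replace_ca_cert() {
    new=$1 dest=$2
    cert_ok "$new" || return 1
    if [ -e "$dest" ]; then
        # Re-running must not overwrite the saved original with the new file.
        cmp -s "$new" "$dest" && { echo "already installed: $dest"; return 0; }
        cp -p "$dest" "$dest.old" || return 1
    fi
    # Copy next to DEST and rename, so readers never see a half-written file.
    cp "$new" "$dest.tmp.$$" && chmod 0644 "$dest.tmp.$$" \
        && mv -f "$dest.tmp.$$" "$dest" || { rm -f "$dest.tmp.$$"; return 1; }
    # Print what is now trusted so it can be compared across hosts.
    openssl x509 -in "$dest" -noout -subject -enddate -fingerprint -sha256
}
```

On a host this would be run as root as: replace_ca_cert ULN-CA-CERT.sha2 /usr/share/rhn/ULN-CA-CERT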
If you have any questions about this update, please feel free to contact the ULN team via uln-info_us@oracle.com.
Packages to be updated
Oracle Linux 7
- rhn-client-tools-2.0.2-21.0.9.el7.noarch.rpm
- rhn-setup-2.0.2-21.0.9.el7.noarch.rpm
- rhn-check-2.0.2-21.0.9.el7.noarch.rpm
- rhn-setup-gnome-2.0.2-21.0.9.el7.noarch.rpm (only required if a previous version is already installed)
Oracle Linux 6
- rhn-setup-1.0.0.1-45.0.3.el6.noarch.rpm
- rhn-client-tools-1.0.0.1-45.0.3.el6.noarch.rpm
- rhn-check-1.0.0.1-45.0.3.el6.noarch.rpm
- rhn-setup-gnome-1.0.0.1-45.0.3.el6.noarch.rpm (only required if a previous version is already installed)
Oracle Linux 5
- x86_64
  - up2date-5.10.1-41.30.el5.x86_64.rpm
  - up2date-gnome-5.10.1-41.30.el5.x86_64.rpm (only required if a previous version is already installed)
- i386
  - up2date-5.10.1-41.30.el5.i386.rpm
  - up2date-gnome-5.10.1-41.30.el5.i386.rpm (only required if a previous version is already installed)
- ia64
  - up2date-5.10.1-41.30.el5.ia64.rpm
  - up2date-gnome-5.10.1-41.30.el5.ia64.rpm (only required if a previous version is already installed)
