3

It has been a while since I updated one of my RHEL6 machines (except for the occasional update of specific packages with known vulnerabilities).

As a result of this, I have an old ca-certificates package:

  • ca-certificates-2010.63-3.el6_1.5.noarch.

The new ca-certificates package depends on

  • p11-kit-trust >= 0.18.4-2,

which in turn conflicts with

  • nss < 3.14.3-33,

which is currently installed (as nss-3.13.3-6.el6.x86_64). As a result, I cannot figure out how to correctly update ca-certificates.

I have p11-kit installed, but not p11-kit-trust, since nss blocks it. yum update nss says "No Packages marked for Update".

yum erase nss refuses, since it implies erasing yum as well.

The complete output from yum update looks like this:

Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is receiving updates from RHN Classic or RHN Satellite.
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package ca-certificates.noarch 0:2010.63-3.el6_1.5 will be updated
---> Package ca-certificates.noarch 0:2014.1.98-65.1.el6 will be an update
--> Processing Dependency: p11-kit-trust >= 0.18.4-2 for package: ca-certificates-2014.1.98-65.1.el6.noarch
--> Running transaction check
---> Package p11-kit-trust.x86_64 0:0.18.5-2.el6_5.2 will be installed
--> Processing Conflict: p11-kit-trust-0.18.5-2.el6_5.2.x86_64 conflicts nss  Finished Dependency Resolution
Error: p11-kit-trust conflicts with nss-3.13.3-6.el6.x86_64
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

package-cleanup --problems finds no problems, and package-cleanup --cleandupes finds no duplicates.

ca-certificates cannot be uninstalled, since openssl depends on it.

Is there a way that I can resolve this without using override parameters such as --dbonly, --force, --nodeps or similar, and without manually downloading an old RPM off the net?

MattBianco
  • 3,704
  • Have you tried running package-cleanup --problems & package-cleanup --dupes? package-cleanup is provided by yum-utils and these will just check for problems but not fix them so non intrusive. – geedoubleya Nov 12 '14 at 14:32
  • @geedoubleya yes, I did yum-complete-transaction, package-cleanup --problems, package-cleanup --dupes, package-cleanup --cleandupes, yum clean all and even an rpm --rebuilddb prior to asking this question. – MattBianco Nov 12 '14 at 14:57
  • In that case try yum update ca-certificates nss. – geedoubleya Nov 12 '14 at 16:36

2 Answers2

3

Download all these packages (I took the CentOS 6.6 versions from rpmfind.net)

nss-3.16.1-14.el6.x86_64.rpm
nss-util-3.16.1-3.el6.x86_64.rpm
nss-softokn-3.14.3-17.el6.x86_64.rpm
nss-softokn-freebl-3.14.3-17.el6.x86_64.rpm
nss-tools-3.16.1-14.el6.x86_64.rpm
nss-sysinit-3.16.1-14.el6.x86_64.rpm

and install them all in one go with rpm -Uvh nss-*.rpm.

That satisfies the dependencies of p11-kit-trust that yum couldn't figure out how to resolve on its own.

After that, yum update can update ca-certificates and install p11-kit-trust (for dependencies).

MattBianco
  • 3,704
1

Try:

  1. rpm -e ca-certificates
  2. rpm -ivh nss after reading the package from the NSS Bugfix and Enhancement update page. Copy the package name for your architecture into Google and end up here at the NSS List on RPM Find
  3. Continue with the yum update

This should recheck all the dependancies. If they all pass reinstall the new ca-certificates. Don't be tempted to download a version greater than the one in the security advisory, because the yum update in step 3 should replace the version you downloaded from RPM Find with the current one in the RHEL repo.

UPDATE
Most people here forget that CentOS is a child of RedHat Enterprise Linux, which is a Child of RedHat, now Fedora. This makes CentOS a grandchild of Fedora. With that in mind, I quoute:

Yum is an automatic updater and package installer/remover for rpm systems. It automatically computes dependencies and figures out what things should occur to install packages. It makes it easier to maintain groups of machines without having to manually update each one using rpm. Yum has a plugin interface for adding simple features. Yum can also be used from other python programs via its module inte[r]face.

and the Summary from this online book:

To summarize, a package management system uses the computer to keep track of all the various bits and pieces that comprise an application or an entire operating system. Most package management systems use a specially formatted file to keep everything together in a single, easily manageable entity, or package. Additionally, package management systems tend to provide one or more of the following functions:

  • Installing new packages.
  • Removing old packages.
  • Upgrading from an old package to a new one.
  • Obtaining information about installed packages.

Notice it doesn't say anything about dependency resolution. In other words:

It is possible to remove yum by issuing:

rpm -e yum

For a short time, all you lose is the dependency resolution, then erase all the other openssl packages, or use the --force option of rpm. The only package you SHOULD NOT REMOVE is rpm itself, if in fact rpm depends on OpenSSL.

eyoung100
  • 6,252
  • 23
  • 53
  • ca-certificates cannot be erased, because openssl depends on it. – MattBianco Nov 13 '14 at 07:54
  • You can either work backwards, and erase openssl and then all it's depending packages until no more depend on it, then install as I suggest, and then reinstall everything you uninstalled, or attempt your own answer, which I'll take credit for, as your answer is mine with more packages downloaded :) – eyoung100 Nov 13 '14 at 14:36
  • I upvoted your answer to give credit for point #2. I find the rest of this answer, including comments, misleading. Pretty much everything that matters indirectly depends on openssl, resulting in "Error: Trying to remove "yum", which is protected", that's why I accept my own answer to this specific question. – MattBianco Nov 14 '14 at 07:36
  • You miss the point of working backwards. You can even remove yum, as yum is not the Base Package Manager. rpm is the base package manager. Technically, you could remove everything but the CentOS build-chain and still be OK. Just dont use rpm to erase rpm. See update. – eyoung100 Nov 14 '14 at 15:06
  • I hope you get me right here, I'm looking to learn, not start a fight, but this is a production system. I cannot be without openssl. By following your point #2 (the extra packages I downloaded was required for dependencies), I managed to get in sync without uninstalling/erasing anything. How can temporarily erasing packages be a better solution? – MattBianco Nov 14 '14 at 16:09
  • 1
    Temporarily Erasing them is not a better solution, it is just one valid approach. Notice I did not imply to erase them forever. You also took another approach, which I'm not discounting. If you take anything from this: Learn that the package manager is not the end all be all of the OS.Sanely removing the packages you know you will put back later ASAP is being smarter than the package manager, which is what I am trying to explain. – eyoung100 Nov 14 '14 at 16:34