NetSUS 4.1.0 not Syncing.

seanjsgallagher
Contributor

After upgrading my NetSUS server to 4.1.0 (I did not use the .OVA file) I ran into an issue where the updates for Sierra were not populating in the NetSUS. After a few calls to Jamf I tried running sudo /var/appliance/sus_sync.py from the server and got "Could not replicate 59: Unknown cipher in list: HIGH". After sending that information to Jamf I was given this as a fix: https://groups.google.com/forum/#!msg/reposado/_fUl1n3uPq8/dobauIM0CAAJ Which states to:

Error 59 is a curl error about HTTPS negotiation. It turns out that in Red Hat (and Centos) linuxes, curl is compiled against NSS instead of OpenSSL and the parameters you pass to it are totally different. In short, it doesn't recognise the word "HIGH".

A glance through the NSS documentation reveals that if you specify a specific https encryption method, it will use that exclusively. Specify more than one, and it will only use those. As an experiment, I altered line 300 in the repo_sync utility to look like this:

print >> fileobj, 'ciphers = ' # use only >=128 bit SSL

Once I did this and ran sudo /var/appliance/sus_sync.py again, the sync worked. The issue now is that neither the automatic sync nor the manual sync from the GUI does anything. I am hoping that someone else has run into this and can help me solve this issue.
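As an added example (not part of the original post, and not Reposado or NetSUS code): a Python 3 sketch that reads the TLS library from the first line of `curl --version` and writes a `ciphers` line in that backend's own syntax, so an AES-only list can be kept on NSS builds. The function names, the sample version strings and the NSS cipher selection are assumptions made for illustration.

```python
# Backends whose curl builds accept OpenSSL-style cipher strings such as "HIGH".
OPENSSL_STYLE = {"OpenSSL", "LibreSSL", "BoringSSL"}
KNOWN_BACKENDS = OPENSSL_STYLE | {"NSS", "GnuTLS"}

# Assumption: NSS-style names as listed in curl's cipher documentation; check
# them against the curl version installed on the server before relying on them.
NSS_AES_CIPHERS = ["rsa_aes_128_sha", "rsa_aes_256_sha",
                   "ecdhe_rsa_aes_128_sha", "ecdhe_rsa_aes_256_sha"]

# Constructed samples of the first line of `curl --version` output.
RHEL_SAMPLE = ("curl 7.29.0 (x86_64-redhat-linux-gnu) "
               "libcurl/7.29.0 NSS/3.44 zlib/1.2.7\nProtocols: http https")
UBUNTU_SAMPLE = ("curl 7.47.0 (x86_64-pc-linux-gnu) "
                 "libcurl/7.47.0 OpenSSL/1.0.2g zlib/1.2.8\nProtocols: http https")


def ssl_backend(version_text):
    """Return the TLS library named on the first line of `curl --version`."""
    lines = version_text.strip().splitlines()
    first = lines[0] if lines else ""
    for token in first.split():
        name = token.split("/", 1)[0]  # "NSS/3.44" -> "NSS"
        if name in KNOWN_BACKENDS:
            return name
    return None


def cipher_line(backend):
    """Return a curl config `ciphers` line in the backend's own syntax."""
    if backend in OPENSSL_STYLE:
        return "ciphers = HIGH"
    if backend == "NSS":
        return "ciphers = " + ",".join(NSS_AES_CIPHERS)
    return None  # unknown syntax: let the caller decide instead of guessing


def write_cipher_option(fileobj, version_text):
    """Write the cipher line for the detected backend; fail if it is unknown."""
    backend = ssl_backend(version_text)
    line = cipher_line(backend)
    if line is None:
        raise ValueError("no cipher list defined for backend %r" % backend)
    fileobj.write(line + "\n")
    return backend


if __name__ == "__main__":
    for sample in (RHEL_SAMPLE, UBUNTU_SAMPLE):
        print(ssl_backend(sample), "->", cipher_line(ssl_backend(sample)))
```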


sdagley
Esteemed Contributor II

@Seangallagher Do you have the option "Ensure that computers install software updates from the NetBoot/SUS/LDAP Proxy server instead of downloading and installing them from Apple's software update server" enabled under the label "Store Updates on the NetBoot/SUS/LDAP Proxy Server" in the Software Update Server config screen on your NetSUS? If that option isn't enabled a sync pulls the updates list from Apple's SUS, but does not actually download the updates to your NetSUS.

seanjsgallagher
Contributor

@sdagley Yes, I do have that option enabled. I have updates from April 11th 2017 listed in the branches. The overnight sync and manual sync from the Software Update Server config screen do not seem to be working, since my Last Sync is dated April 11th.

sdagley
Esteemed Contributor II

@Seangallagher Part of your problem could be that NetSUS 4.1.0 lacks the updates to Reposado that pull the 10.12 updates from Apple's SUS. Compare the current reposadocommon.py source and the NetSUS 4.1.0 version of reposadocommon.py to see what needs to be updated on your NetSUS (we haven't deployed Sierra yet, so I hadn't noticed the lack of available updates before).

seanjsgallagher
Contributor

@sdagley I did do the comparison and had already added in the catalog entries to pull the Sierra updates. This still had not pulled them down to the NetSUS. After running sus_sync.py from the server it generated an Error 59, which is a curl error about HTTPS negotiation. I then was told to edit line 300 in the repo_sync utility to look like this:

print >> fileobj, 'ciphers = ' # use only >=128 bit SSL

After that, running sus_sync.py from the terminal on the server worked. However, the scheduled sync and the manual sync from the GUI no longer work.

sdagley
Esteemed Contributor II

@Seangallagher I think you're going to need someone that's running NetSUS under Red Hat/Centos to chime in with suggestions. After editing reposadocommon.py and restarting my Ubuntu hosted NetSUS a manual sync appears to be working. The catalog hasn't updated yet, but the NetSUS Dashboard shows the sync has been running for a couple of hours and the Disk Usage stats are showing about 23G worth of new updates.

sdagley
Esteemed Contributor II

@Seangallagher Did you ever resolve your NetSUS problem under Red Hat?