Re: I broke "yum update" - C7

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Am 2019-08-29 18:26, schrieb Gary Stainburn:
On Thursday 29 August 2019 16:47:11 Alexander Dalloz wrote:
rpm -Vv nss

[root@stan2 ~]# rpm -Vv nss
.........    /etc/pki/nss-legacy
.........  c /etc/pki/nss-legacy/nss-rhel7.config
.........    /etc/pki/nssdb
.........  c /etc/pki/nssdb/cert8.db
.........  c /etc/pki/nssdb/cert9.db
.........  c /etc/pki/nssdb/key3.db
.........  c /etc/pki/nssdb/key4.db
.........  c /etc/pki/nssdb/pkcs11.txt
.........  c /etc/pki/nssdb/secmod.db
.........    /usr/lib64/libnss3.so
.........  g /usr/lib64/libnssckbi.so
.........    /usr/lib64/libsmime3.so
.........    /usr/lib64/libssl3.so
.........    /usr/lib64/nss/libnssckbi.so
.........  d /usr/share/man/man5/cert8.db.5.gz
.........  d /usr/share/man/man5/cert9.db.5.gz
.........  d /usr/share/man/man5/key3.db.5.gz
.........  d /usr/share/man/man5/key4.db.5.gz
.........  d /usr/share/man/man5/pkcs11.txt.5.gz
.........  d /usr/share/man/man5/secmod.db.5.gz

Ok, that package content looks healthy. No problem there.

[root@stan2 ~]# URLGRABBER_DEBUG=1 yum --disablerepo=\* --enablerepo=epel update
[snip]
Loading mirror speeds from cached hostfile
2019-08-29 17:23:17,344 combined options: {
  'text'         : 'epel/x86_64/metalink',

[ ... ]

2019-08-29 17:23:17,344 attempt 1/10:
https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=x86_64
2019-08-29 17:23:17,345 opening local file
"/var/cache/yum/x86_64/7/epel/metalink.xml.tmp" with mode wb
* About to connect() to mirrors.fedoraproject.org port 443 (#29)
*   Trying 8.43.85.67...
* Connected to mirrors.fedoraproject.org (8.43.85.67) port 443 (#29)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* 	subject: CN=*.fedoraproject.org,O=Red Hat Inc.,L=Raleigh,ST=North
Carolina,C=US
* 	start date: Feb 01 00:00:00 2017 GMT
* 	expire date: May 01 12:00:00 2020 GMT
* 	common name: *.fedoraproject.org
* 	issuer: CN=DigiCert SHA2 High Assurance Server
CA,OU=www.digicert.com,O=DigiCert Inc,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.

So here we are.

While the current ca-certificates package of CentOS 7 ca-certificates-2018.2.22-70.0.el7_5.noarch does not hold the intermediate certificate "DigiCert SHA2 High Assurance Server" I don't get that issue.

# grep "DigiCert" /etc/pki/tls/certs/ca-bundle.crt
# DigiCert Assured ID Root CA
# DigiCert Assured ID Root G2
# DigiCert Assured ID Root G3
# DigiCert Global Root CA
# DigiCert Global Root G2
# DigiCert Global Root G3
# DigiCert High Assurance EV Root CA
# DigiCert Trusted Root G4

* Closing connection 29
2019-08-29 17:23:18,117 exception: [Errno 14] curl#60 - "Peer's
Certificate issuer is not recognized."
2019-08-29 17:23:18,117 retrycode (14) not in list [-1, 2, 4, 5, 6,
7], re-raising

[ ... ]

Cannot retrieve metalink for repository: epel/x86_64. Please verify
its path and try again

So can we check what version of the ca-certificates packages is being installed on your system?

And a check into a different direction: what's the date and time of that system? Does it fit or is it wrong? Time being not accurate can make SSL connections fail.

Alexander

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos



[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]


  Powered by Linux