On 2019-08-30 17:04, Gordon Messmer wrote:
> On 8/30/19 5:52 AM, Gary Stainburn wrote:
>> Incidentally, the *good* server that I was referencing my broken
>> server against has decided to start giving the curl certificate errors
>> in the same way that the broken one did. Very strange. I ran
> It's possible that the error is unrelated to the ca-certificates
> file. You'll only see it if yum selects a mirror that uses a Let's
> Encrypt or Amazon-signed certificate (at least, those were the CAs for
> the hosts I saw you report errors for). If yum happens to select
> mirrors that don't, then everything will work normally. Reinstalling
> the package on the original system may have been coincidental.
Testing yum's activity in debug mode had shown:
https://lists.centos.org/pipermail/centos/2019-August/173297.html
2019-08-29 17:23:17,345 opening local file
"/var/cache/yum/x86_64/7/epel/metalink.xml.tmp" with mode wb
* About to connect() to mirrors.fedoraproject.org port 443 (#29)
* Trying 8.43.85.67...
* Connected to mirrors.fedoraproject.org (8.43.85.67) port 443 (#29)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=*.fedoraproject.org,O=Red Hat Inc.,L=Raleigh,ST=North
Carolina,C=US
* start date: Feb 01 00:00:00 2017 GMT
* expire date: May 01 12:00:00 2020 GMT
* common name: *.fedoraproject.org
* issuer: CN=DigiCert SHA2 High Assurance Server
CA,OU=www.digicert.com,O=DigiCert Inc,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 29
2019-08-29 17:23:18,117 exception: [Errno 14] curl#60 - "Peer's
Certificate issuer is not recognized."
2019-08-29 17:23:18,117 retrycode (14) not in list [-1, 2, 4, 5, 6, 7],
re-raising
Based on that, it appears very clear to me that the trust in the
DigiCert chain wasn't given due to missing trust from the ca-cert
bundle. Unfortunately, we didn't see the state of the ca-certificates
RPM content before it was fixed with a reinstall.
Alexander
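
Added example (not part of the original messages): a small Python triage script that groups the curl verbose lines of a yum debug log by connection and lists which issuers failed with SEC_ERROR_UNKNOWN_ISSUER, so the failing CAs can be compared across mirrors. Connection #29 in the sample is copied from the log above; connection #30 (mirror.example.net, Example Issuing CA) is constructed, and the function names are this example's own.

```python
import re

# Constructed sample: #29 is copied from the thread's log, #30 is invented.
SAMPLE = """\
* Connected to mirrors.fedoraproject.org (8.43.85.67) port 443 (#29)
* issuer: CN=DigiCert SHA2 High Assurance Server
CA,OU=www.digicert.com,O=DigiCert Inc,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Closing connection 29
* Connected to mirror.example.net (192.0.2.10) port 443 (#30)
* issuer: CN=Example Issuing CA,O=Example Trust,C=US
* Closing connection 30
"""

def unwrap(text):
    """Rejoin records that a mail client or terminal wrapped across lines."""
    records = []
    for line in text.splitlines():
        if not records or re.match(r"\*|\d{4}-\d\d-\d\d ", line):
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def connections(text):
    """Return one dict per closed connection: host, issuer CN, NSS error name."""
    conn, done = None, []
    for rec in unwrap(text):
        if m := re.search(r"Connected to (\S+) ", rec):
            conn = {"host": m.group(1), "issuer": None, "error": None}
        elif conn is None:
            continue
        elif m := re.search(r"issuer: (.+)", rec):
            rdns = re.split(r",(?=[A-Za-z]+=)", m.group(1))  # split the DN into RDNs
            conn["issuer"] = dict(r.split("=", 1) for r in rdns).get("CN")
        elif m := re.search(r"NSS error -?\d+ \((\w+)\)", rec):
            conn["error"] = m.group(1)
        elif rec.startswith("* Closing connection"):
            done.append(conn)
            conn = None
    return done

def untrusted_issuers(text):
    """Map issuer CN -> hosts that failed with SEC_ERROR_UNKNOWN_ISSUER."""
    failed = {}
    for c in connections(text):
        if c["error"] == "SEC_ERROR_UNKNOWN_ISSUER":
            failed.setdefault(c["issuer"], set()).add(c["host"])
    return failed
```

If the resulting map names issuers from several unrelated CAs, the local trust store is the more likely cause than any one mirror's certificate.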