Re: yum update fails when using squid even though .redhat.com is whitelisted

Giles Coochey <giles@xxxxxxxxxxx> · Thu, 21 Nov 2019 09:31:30 +0000



    On 21/11/2019 09:16, Berger J Nicklas
      wrote:

    
      We are using squid for both http and https whitelisting for
        egress. Most of the whitelisting works fine but some specific
        once do not work.
      We have tried this on this versions of squid 3.5(amazon linux
        2), 4.1(centos7) and 4.4(centos8).

      
      For instance when running yum update for redhat linux in aws
        from a server using squid for egress it fails:
      

      ec2-user]# yum update -v

        
        Failed to set
              locale, defaulting to C

          
        Loaded plugins:
              AmazonID, builddep, changelog, config-manager, copr,
              debug, debuginfo-install, download,
              generate_completion_cache, needs-restarting, playground,
              repoclosure, repodiff, repograph, repomanage, reposync,
              uploadprofile

          
        DNF version:
              4.0.9

          
        cachedir:
              /var/cache/dnf

          
        repo: downloading
              from remote: rhui-client-config-server-8

          
        error: Curl error
              (60): Peer certificate cannot be authenticated with given
              CA certificates for
https://rhui3.eu-north-1.aws.ce.redhat.com/pulp/mirror/protected/rhui-client-config/rhel/server/8/x86_64/os
              [SSL certificate problem: self signed certificate in
              certificate chain]
(https://rhui3.eu-north-1.aws.ce.redhat.com/pulp/mirror/protected/rhui-client-config/rhel/server/8/x86_64/os).

          
        Red Hat Update
              Infrastructure 3 Client Configuration Server 8            
                                                                       
                                                       0.0  B/s |   0  B
                  00:01    

          
        Cannot download
'https://rhui3.eu-north-1.aws.ce.redhat.com/pulp/mirror/protected/rhui-client-config/rhel/server/8/x86_64/os':
              Cannot prepare internal mirrorlist: Curl error (60): Peer
              certificate cannot be authenticated with given CA
              certificates for
https://rhui3.eu-north-1.aws.ce.redhat.com/pulp/mirror/protected/rhui-client-config/rhel/server/8/x86_64/os
              [SSL certificate problem: self signed certificate in
              certificate chain].

          
        Error: Failed to
              synchronize cache for repo 'rhui-client-config-server-8'
        

    The problem has nothing to do with Squid, https://rhui3.eu-north-1.aws.ce.redhat.com
          is indeed using a self-signed certificate.
    

    You could add that cert
          to CA trust in your system, once you have verified the
          authenticity.

        
    -- 
Giles Coochey
  

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users