Am 2019-08-30 10:52, schrieb Gary Stainburn:
On Thursday 29 August 2019 18:10:19 Alexander Dalloz wrote:
2019-08-29 17:23:18,117 exception: [Errno 14] curl#60 - "Peer's Certificate issuer is not recognized." 2019-08-29 17:23:18,117 retrycode (14) not in list [-1, 2, 4, 5, 6, 7], re-raising
[ ... ]
Cannot retrieve metalink for repository: epel/x86_64. Please verify its path and try again
So can we check what version of the ca-certificates packages is being installed on your system?
And a check into a different direction: what's the date and time of that system? Does it fit or is it wrong? Time being not accurate can make SSL connections fail.
Firstly, thank you for you help with this Alexander.
You are welcome Gary. And I am curious about what the cause of your repo troubles is.
I had already checked the system time. It was about 3 minutes out, but I fixed it anyway. I have checked the RPM for the certificates, and it matches the one on another box that works.
[root@stan2 ~]# date Fri 30 Aug 09:45:27 BST 2019 [root@stan2 ~]# rpm -qa|grep cert ca-certificates-2018.2.22-70.0.el7_5.noarch [root@stan2 ~]#
That's good. Now please verify that the ca-certificates RPM is healthy:
rpm -V ca-certificates
In addition you can grep for the DigiCert certificates which are used by the fedoraproject.org mirror servers for EPEL (concentrating on a single broken HTTPS repo for now):
# grep "DigiCert" /etc/pki/tls/certs/ca-bundle.crt # DigiCert Assured ID Root CA # DigiCert Assured ID Root G2 # DigiCert Assured ID Root G3 # DigiCert Global Root CA # DigiCert Global Root G2 # DigiCert Global Root G3 # DigiCert High Assurance EV Root CA <<- that one must be there # DigiCert Trusted Root G4
Besides a corrupted certificates bundle I cannot imagine a different root cause actually.
Of course you could search system-wide for broken RPM content:
# for RPM in $(rpm -qa); do rpm -V ${RPM} >/dev/null; if [ "$?" -eq 1 ]; then echo "----- ${RPM} -----"; rpm -V ${RPM}; fi; done
Regards, Alexander