In article 201908300952.37126.gary.stainburn@ringways.co.uk, Gary Stainburn gary.stainburn@ringways.co.uk wrote:
On Thursday 29 August 2019 18:10:19 Alexander Dalloz wrote:
2019-08-29 17:23:18,117 exception: [Errno 14] curl#60 - "Peer's Certificate issuer is not recognized." 2019-08-29 17:23:18,117 retrycode (14) not in list [-1, 2, 4, 5, 6, 7], re-raising
[ ... ]
Cannot retrieve metalink for repository: epel/x86_64. Please verify its path and try again
So can we check what version of the ca-certificates packages is being installed on your system?
And a check into a different direction: what's the date and time of that system? Does it fit or is it wrong? Time being not accurate can make SSL connections fail.
Firstly, thank you for you help with this Alexander.
I had already checked the system time. It was about 3 minutes out, but I fixed it anyway. I have checked the RPM for the certificates, and it matches the one on another box that works.
[root@stan2 ~]# date Fri 30 Aug 09:45:27 BST 2019 [root@stan2 ~]# rpm -qa|grep cert ca-certificates-2018.2.22-70.0.el7_5.noarch [root@stan2 ~]#
Can you verify the ca-certificates package on both your systems and compare? Here is what my C7 box shows (same version package as yours):
[root@hp3 ~]# rpm -Vv ca-certificates ......... /etc/pki/ca-trust ......... /etc/pki/ca-trust/README ......... c /etc/pki/ca-trust/ca-legacy.conf ......... /etc/pki/ca-trust/extracted ......... /etc/pki/ca-trust/extracted/README ......... /etc/pki/ca-trust/extracted/java ......... /etc/pki/ca-trust/extracted/java/README .M....... g /etc/pki/ca-trust/extracted/java/cacerts ......... /etc/pki/ca-trust/extracted/openssl ......... /etc/pki/ca-trust/extracted/openssl/README .M....... g /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt ......... /etc/pki/ca-trust/extracted/pem ......... /etc/pki/ca-trust/extracted/pem/README .M....... g /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem .M....... g /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem .M....... g /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem ......... /etc/pki/ca-trust/source ......... /etc/pki/ca-trust/source/README ......... /etc/pki/ca-trust/source/anchors ......... /etc/pki/ca-trust/source/blacklist ......... g /etc/pki/ca-trust/source/ca-bundle.legacy.crt ......... /etc/pki/java ......... /etc/pki/java/cacerts ......... /etc/pki/tls ......... /etc/pki/tls/cert.pem ......... /etc/pki/tls/certs ......... /etc/pki/tls/certs/ca-bundle.crt ......... /etc/pki/tls/certs/ca-bundle.trust.crt ......... /etc/ssl ......... /etc/ssl/certs ......... /usr/bin/ca-legacy ......... /usr/bin/update-ca-trust ......... d /usr/share/doc/ca-certificates-2018.2.22/README ......... d /usr/share/man/man8/ca-legacy.8.gz ......... d /usr/share/man/man8/update-ca-trust.8.gz ......... /usr/share/pki ......... /usr/share/pki/ca-trust-legacy ......... /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt ......... /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt ......... /usr/share/pki/ca-trust-source ......... /usr/share/pki/ca-trust-source/README ......... /usr/share/pki/ca-trust-source/anchors ......... /usr/share/pki/ca-trust-source/blacklist ......... /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit [root@hp3 ~]#
And you could try re-installing ca-certificates on the offending box.
# yum --disablerepo=* --enablerepo=base --enablerepo=updates reinstall ca-certificates
Cheers Tony