[CentOS] I broke "yum update" - C7

Fri Aug 30 10:51:35 UTC 2019
Tony Mountifield <tony at softins.co.uk>

In article <201908300952.37126.gary.stainburn at ringways.co.uk>,
Gary Stainburn <gary.stainburn at ringways.co.uk> wrote:
> On Thursday 29 August 2019 18:10:19 Alexander Dalloz wrote:
> > > 2019-08-29 17:23:18,117 exception: [Errno 14] curl#60 - "Peer's
> > > Certificate issuer is not recognized."
> > > 2019-08-29 17:23:18,117 retrycode (14) not in list [-1, 2, 4, 5, 6,
> > > 7], re-raising
> > 
> > [ ... ]
> > 
> > > Cannot retrieve metalink for repository: epel/x86_64. Please verify
> > > its path and try again
> > 
> > So can we check what version of the ca-certificates packages is being 
> > installed on your system?
> > 
> > And a check into a different direction: what's the date and time of that 
> > system? Does it fit or is it wrong? Time being not accurate can make SSL 
> > connections fail.
> 
> Firstly, thank you for you help with this Alexander.
> 
> I had already checked the system time. It was about 3 minutes out, but I fixed it anyway.  I have checked the RPM for
> the certificates, and it matches the one on another box that works.
> 
> 
> [root at stan2 ~]# date
> Fri 30 Aug 09:45:27 BST 2019
> [root at stan2 ~]# rpm -qa|grep cert
> ca-certificates-2018.2.22-70.0.el7_5.noarch
> [root at stan2 ~]# 

Can you verify the ca-certificates package on both your systems and compare?
Here is what my C7 box shows (same version package as yours):

[root at hp3 ~]# rpm -Vv ca-certificates
.........    /etc/pki/ca-trust
.........    /etc/pki/ca-trust/README
.........  c /etc/pki/ca-trust/ca-legacy.conf
.........    /etc/pki/ca-trust/extracted
.........    /etc/pki/ca-trust/extracted/README
.........    /etc/pki/ca-trust/extracted/java
.........    /etc/pki/ca-trust/extracted/java/README
.M.......  g /etc/pki/ca-trust/extracted/java/cacerts
.........    /etc/pki/ca-trust/extracted/openssl
.........    /etc/pki/ca-trust/extracted/openssl/README
.M.......  g /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
.........    /etc/pki/ca-trust/extracted/pem
.........    /etc/pki/ca-trust/extracted/pem/README
.M.......  g /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
.M.......  g /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
.M.......  g /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
.........    /etc/pki/ca-trust/source
.........    /etc/pki/ca-trust/source/README
.........    /etc/pki/ca-trust/source/anchors
.........    /etc/pki/ca-trust/source/blacklist
.........  g /etc/pki/ca-trust/source/ca-bundle.legacy.crt
.........    /etc/pki/java
.........    /etc/pki/java/cacerts
.........    /etc/pki/tls
.........    /etc/pki/tls/cert.pem
.........    /etc/pki/tls/certs
.........    /etc/pki/tls/certs/ca-bundle.crt
.........    /etc/pki/tls/certs/ca-bundle.trust.crt
.........    /etc/ssl
.........    /etc/ssl/certs
.........    /usr/bin/ca-legacy
.........    /usr/bin/update-ca-trust
.........  d /usr/share/doc/ca-certificates-2018.2.22/README
.........  d /usr/share/man/man8/ca-legacy.8.gz
.........  d /usr/share/man/man8/update-ca-trust.8.gz
.........    /usr/share/pki
.........    /usr/share/pki/ca-trust-legacy
.........    /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
.........    /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
.........    /usr/share/pki/ca-trust-source
.........    /usr/share/pki/ca-trust-source/README
.........    /usr/share/pki/ca-trust-source/anchors
.........    /usr/share/pki/ca-trust-source/blacklist
.........    /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
[root at hp3 ~]#

And you could try re-installing ca-certificates on the offending box.

# yum --disablerepo=\* --enablerepo=base --enablerepo=updates reinstall ca-certificates

Cheers
Tony
-- 
Tony Mountifield
Work: tony at softins.co.uk - http://www.softins.co.uk
Play: tony at mountifield.org - http://tony.mountifield.org