[CentOS] I broke "yum update" - C7

Fri Aug 30 15:31:59 UTC 2019
Alexander Dalloz <ad+lists at uni-x.org>

Am 2019-08-30 17:04, schrieb Gordon Messmer:
> On 8/30/19 5:52 AM, Gary Stainburn wrote:
>> Incidentally, the*good*  server that I was referencing my broken 
>> server against has decided to start giving the curl certificate errors 
>> in the same way that the broken one did. Very strange.  I ran
> 
> 
> It's possible that the error is unrelated to the ca-certificates
> file.  You'll only see it if yum selects a mirror that uses a Let's
> Encrypt or Amazon-signed certificate (at least, those were the CAs for
> the hosts I saw you report errors for).  If yum happens to select
> mirrors that don't, then everything will work normally.  Reinstalling
> the package on the original system may have been coincidental.

Testing yum's activity in debug mode had shown:

https://lists.centos.org/pipermail/centos/2019-August/173297.html

2019-08-29 17:23:17,345 opening local file 
"/var/cache/yum/x86_64/7/epel/metalink.xml.tmp" with mode wb
* About to connect() to mirrors.fedoraproject.org port 443 (#29)
*   Trying 8.43.85.67...
* Connected to mirrors.fedoraproject.org (8.43.85.67) port 443 (#29)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
   CApath: none
* Server certificate:
* 	subject: CN=*.fedoraproject.org,O=Red Hat Inc.,L=Raleigh,ST=North 
Carolina,C=US
* 	start date: Feb 01 00:00:00 2017 GMT
* 	expire date: May 01 12:00:00 2020 GMT
* 	common name: *.fedoraproject.org
* 	issuer: CN=DigiCert SHA2 High Assurance Server 
CA,OU=www.digicert.com,O=DigiCert Inc,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 29
2019-08-29 17:23:18,117 exception: [Errno 14] curl#60 - "Peer's 
Certificate issuer is not recognized."
2019-08-29 17:23:18,117 retrycode (14) not in list [-1, 2, 4, 5, 6, 7], 
re-raising

Based on that it appears to me very clear that the trust with the 
DigiCert chain wasn't given due to a missing trust from the ca-cert 
bundle. Unfortunately we haven't seen a status of the ca-certificates 
RPM content before fixing it with a reinstall.

Alexander