[CentOS] I broke "yum update" - C7

Alexander Dalloz ad+lists at uni-x.org
Thu Aug 29 17:10:19 UTC 2019


Am 2019-08-29 18:26, schrieb Gary Stainburn:
> On Thursday 29 August 2019 16:47:11 Alexander Dalloz wrote:
>> rpm -Vv nss
> 
> [root at stan2 ~]# rpm -Vv nss
> .........    /etc/pki/nss-legacy
> .........  c /etc/pki/nss-legacy/nss-rhel7.config
> .........    /etc/pki/nssdb
> .........  c /etc/pki/nssdb/cert8.db
> .........  c /etc/pki/nssdb/cert9.db
> .........  c /etc/pki/nssdb/key3.db
> .........  c /etc/pki/nssdb/key4.db
> .........  c /etc/pki/nssdb/pkcs11.txt
> .........  c /etc/pki/nssdb/secmod.db
> .........    /usr/lib64/libnss3.so
> .........  g /usr/lib64/libnssckbi.so
> .........    /usr/lib64/libsmime3.so
> .........    /usr/lib64/libssl3.so
> .........    /usr/lib64/nss/libnssckbi.so
> .........  d /usr/share/man/man5/cert8.db.5.gz
> .........  d /usr/share/man/man5/cert9.db.5.gz
> .........  d /usr/share/man/man5/key3.db.5.gz
> .........  d /usr/share/man/man5/key4.db.5.gz
> .........  d /usr/share/man/man5/pkcs11.txt.5.gz
> .........  d /usr/share/man/man5/secmod.db.5.gz

Ok, that package content looks healthy. No problem there.

> [root at stan2 ~]# URLGRABBER_DEBUG=1 yum --disablerepo=\* 
> --enablerepo=epel update
> [snip]
> Loading mirror speeds from cached hostfile
> 2019-08-29 17:23:17,344 combined options: {
>   'text'         : 'epel/x86_64/metalink',

[ ... ]

> 2019-08-29 17:23:17,344 attempt 1/10:
> https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=x86_64
> 2019-08-29 17:23:17,345 opening local file
> "/var/cache/yum/x86_64/7/epel/metalink.xml.tmp" with mode wb
> * About to connect() to mirrors.fedoraproject.org port 443 (#29)
> *   Trying 8.43.85.67...
> * Connected to mirrors.fedoraproject.org (8.43.85.67) port 443 (#29)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
>   CApath: none
> * Server certificate:
> * 	subject: CN=*.fedoraproject.org,O=Red Hat Inc.,L=Raleigh,ST=North
> Carolina,C=US
> * 	start date: Feb 01 00:00:00 2017 GMT
> * 	expire date: May 01 12:00:00 2020 GMT
> * 	common name: *.fedoraproject.org
> * 	issuer: CN=DigiCert SHA2 High Assurance Server
> CA,OU=www.digicert.com,O=DigiCert Inc,C=US
> * NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
> * Peer's Certificate issuer is not recognized.

So here we are.

While the current ca-certificates package of CentOS 7, 
ca-certificates-2018.2.22-70.0.el7_5.noarch, does not hold the 
intermediate certificate "DigiCert SHA2 High Assurance Server", I don't 
get that issue.

# grep "DigiCert" /etc/pki/tls/certs/ca-bundle.crt
# DigiCert Assured ID Root CA
# DigiCert Assured ID Root G2
# DigiCert Assured ID Root G3
# DigiCert Global Root CA
# DigiCert Global Root G2
# DigiCert Global Root G3
# DigiCert High Assurance EV Root CA
# DigiCert Trusted Root G4

> * Closing connection 29
> 2019-08-29 17:23:18,117 exception: [Errno 14] curl#60 - "Peer's
> Certificate issuer is not recognized."
> 2019-08-29 17:23:18,117 retrycode (14) not in list [-1, 2, 4, 5, 6,
> 7], re-raising

[ ... ]

> Cannot retrieve metalink for repository: epel/x86_64. Please verify
> its path and try again

So can we check what version of the ca-certificates package is 
installed on your system?

And a check in a different direction: what are the date and time of that 
system? Do they fit or are they wrong? Time not being accurate can make SSL 
connections fail.

Alexander
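As an added triage helper (not code from the thread or from the CentOS project), the script below applies the two checks asked for above to the curl/NSS debug lines quoted in the thread: it reads the certificate dates and issuer out of the URLGRABBER_DEBUG output, tests whether a given clock time lies inside the leaf certificate's validity window, and looks for an anchor of the issuer's organisation among the "# name" comment headers of ca-bundle.crt. The sample debug text and the sample bundle are constructed from what the thread shows; on a real host you would feed it the actual file and the output of `date -u`.

```python
import re
from datetime import datetime
# Constructed sample: the certificate and error lines from the URLGRABBER_DEBUG=1
# output quoted in the thread (re-typed from the thread, not a live capture).
SAMPLE_DEBUG = """\
* \tsubject: CN=*.fedoraproject.org,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US
* \tstart date: Feb 01 00:00:00 2017 GMT
* \texpire date: May 01 12:00:00 2020 GMT
* \tissuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
"""
# Constructed stand-in for /etc/pki/tls/certs/ca-bundle.crt: the CentOS bundle
# names each anchor in a "# <name>" comment above its PEM block (PEM omitted here).
SAMPLE_BUNDLE = "# DigiCert Global Root CA\n# DigiCert High Assurance EV Root CA\n"
DATE_FMT = "%b %d %H:%M:%S %Y GMT"   # the date format curl prints in its debug output

def parse_curl_debug(text):
    """Extract the server-certificate fields and the NSS error that curl printed."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\*\s+(subject|issuer|start date|expire date): (.*)", line)
        if m:
            fields[m.group(1)] = m.group(2)
        m = re.match(r"\* NSS error (-?\d+) \((\w+)\)", line)
        if m:
            fields["nss_code"], fields["nss_name"] = int(m.group(1)), m.group(2)
    for key in ("start date", "expire date"):
        fields[key] = datetime.strptime(fields[key], DATE_FMT)
    return fields

def bundle_anchors(bundle_text):
    """Anchor names in a ca-bundle.crt, taken from its '# name' comment headers."""
    return [l[2:].strip() for l in bundle_text.splitlines() if l.startswith("# ")]

def triage(debug_text, bundle_text, now_str):
    """The two checks from the thread: is the clock inside the leaf's validity
    window, and does the bundle hold any anchor of the issuer's organisation
    (a coarse name match, like the grep "DigiCert" in the thread)."""
    f = parse_curl_debug(debug_text)
    now = datetime.strptime(now_str, DATE_FMT)
    findings = []
    if not (f["start date"] <= now <= f["expire date"]):
        findings.append("clock outside certificate validity window")
    org = re.search(r"(?:^|,)O=([^,]+)", f["issuer"]).group(1)
    if not any(org.split()[0] in name for name in bundle_anchors(bundle_text)):
        findings.append("no %s anchor in CA bundle" % org)
    if f.get("nss_name") == "SEC_ERROR_UNKNOWN_ISSUER" and not findings:
        findings.append("clock and bundle look fine; check the ca-certificates package")
    return findings
```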