[CentOS] I broke "yum update" - C7
Tony Mountifield
tony at softins.co.uk
Fri Aug 30 10:51:35 UTC 2019
In article <201908300952.37126.gary.stainburn at ringways.co.uk>,
Gary Stainburn <gary.stainburn at ringways.co.uk> wrote:
> On Thursday 29 August 2019 18:10:19 Alexander Dalloz wrote:
> > > 2019-08-29 17:23:18,117 exception: [Errno 14] curl#60 - "Peer's
> > > Certificate issuer is not recognized."
> > > 2019-08-29 17:23:18,117 retrycode (14) not in list [-1, 2, 4, 5, 6,
> > > 7], re-raising
> >
> > [ ... ]
> >
> > > Cannot retrieve metalink for repository: epel/x86_64. Please verify
> > > its path and try again
> >
> > So can we check what version of the ca-certificates packages is being
> > installed on your system?
> >
> > And a check into a different direction: what's the date and time of that
> > system? Does it fit or is it wrong? Time being not accurate can make SSL
> > connections fail.
>
> Firstly, thank you for your help with this Alexander.
>
> I had already checked the system time. It was about 3 minutes out, but I fixed it anyway. I have checked the RPM for
> the certificates, and it matches the one on another box that works.
>
>
> [root@stan2 ~]# date
> Fri 30 Aug 09:45:27 BST 2019
> [root@stan2 ~]# rpm -qa|grep cert
> ca-certificates-2018.2.22-70.0.el7_5.noarch
> [root@stan2 ~]#
Can you verify the ca-certificates package on both your systems and compare?
Here is what my C7 box shows (same version package as yours):
[root@hp3 ~]# rpm -Vv ca-certificates
......... /etc/pki/ca-trust
......... /etc/pki/ca-trust/README
......... c /etc/pki/ca-trust/ca-legacy.conf
......... /etc/pki/ca-trust/extracted
......... /etc/pki/ca-trust/extracted/README
......... /etc/pki/ca-trust/extracted/java
......... /etc/pki/ca-trust/extracted/java/README
.M....... g /etc/pki/ca-trust/extracted/java/cacerts
......... /etc/pki/ca-trust/extracted/openssl
......... /etc/pki/ca-trust/extracted/openssl/README
.M....... g /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
......... /etc/pki/ca-trust/extracted/pem
......... /etc/pki/ca-trust/extracted/pem/README
.M....... g /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
.M....... g /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
.M....... g /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
......... /etc/pki/ca-trust/source
......... /etc/pki/ca-trust/source/README
......... /etc/pki/ca-trust/source/anchors
......... /etc/pki/ca-trust/source/blacklist
......... g /etc/pki/ca-trust/source/ca-bundle.legacy.crt
......... /etc/pki/java
......... /etc/pki/java/cacerts
......... /etc/pki/tls
......... /etc/pki/tls/cert.pem
......... /etc/pki/tls/certs
......... /etc/pki/tls/certs/ca-bundle.crt
......... /etc/pki/tls/certs/ca-bundle.trust.crt
......... /etc/ssl
......... /etc/ssl/certs
......... /usr/bin/ca-legacy
......... /usr/bin/update-ca-trust
......... d /usr/share/doc/ca-certificates-2018.2.22/README
......... d /usr/share/man/man8/ca-legacy.8.gz
......... d /usr/share/man/man8/update-ca-trust.8.gz
......... /usr/share/pki
......... /usr/share/pki/ca-trust-legacy
......... /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
......... /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
......... /usr/share/pki/ca-trust-source
......... /usr/share/pki/ca-trust-source/README
......... /usr/share/pki/ca-trust-source/anchors
......... /usr/share/pki/ca-trust-source/blacklist
......... /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
[root@hp3 ~]#
And you could try re-installing ca-certificates on the offending box.
# yum --disablerepo=\* --enablerepo=base --enablerepo=updates reinstall ca-certificates
Cheers
Tony
--
Tony Mountifield
Work: tony at softins.co.uk - http://www.softins.co.uk
Play: tony at mountifield.org - http://tony.mountifield.org
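
Added example, not part of the original post or of rpm: one way to triage the `rpm -Vv ca-certificates` comparison suggested above, so that only the lines worth comparing between the two boxes remain. The function names `ca_verify_triage` and `sample_rpm_verify` are hypothetical, the sample lines are constructed, and paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Triage `rpm -V` / `rpm -Vv` output for the ca-certificates package (stdin).
# Each line: 9 flag characters (SM5DLUGTP, "." means the check passed) or the
# word "missing", an optional attribute letter (c config, d doc, g ghost,
# l license, r readme), then the path.
ca_verify_triage() {
    awk '
    NF < 2 { next }
    $1 != "missing" && !(length($1) == 9 && $1 ~ /^[.?SM5DLUGTP]+$/) { next }
    {
        flags = $1; attr = "-"; path = $2
        if (NF >= 3 && $2 ~ /^[cdglr]$/) { attr = $2; path = $3 }
        if (attr == "g") {
            # Ghost files are generated by update-ca-trust and rpm does not
            # check their content, so hash them and compare across hosts.
            print "HASH", flags, path
        } else if (flags == "missing" || flags ~ /[S5L]/) {
            print "ALERT", flags, path    # packaged content differs or is gone
        } else if (flags != ".........") {
            print "INFO", flags, path     # metadata-only difference
        }
    }'
}

# Constructed sample: the first three lines match the post, the rest are
# altered to show what a damaged trust store would look like.
sample_rpm_verify() {
    cat <<'EOF'
.........    /etc/pki/ca-trust/README
.........  c /etc/pki/ca-trust/ca-legacy.conf
.M.......  g /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
S.5....T.    /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
missing      /usr/bin/update-ca-trust
.M.......    /etc/pki/ca-trust/source/anchors
EOF
}

# On a real box: rpm -Vv ca-certificates | ca_verify_triage
sample_rpm_verify | ca_verify_triage
```

For every `HASH` path, run `sha256sum` on both the working and the failing box and compare the digests, since that is where a stale or hand-edited bundle would show up.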