[CentOS] I broke "yum update" - C7
Alexander Dalloz
ad+lists at uni-x.org
Fri Aug 30 15:31:59 UTC 2019
On 2019-08-30 17:04, Gordon Messmer wrote:
> On 8/30/19 5:52 AM, Gary Stainburn wrote:
>> Incidentally, the *good* server that I was referencing my broken
>> server against has decided to start giving the curl certificate errors
>> in the same way that the broken one did. Very strange. I ran
>
>
> It's possible that the error is unrelated to the ca-certificates
> file. You'll only see it if yum selects a mirror that uses a Let's
> Encrypt or Amazon-signed certificate (at least, those were the CAs for
> the hosts I saw you report errors for). If yum happens to select
> mirrors that don't, then everything will work normally. Reinstalling
> the package on the original system may have been coincidental.
Testing yum's activity in debug mode had shown:
https://lists.centos.org/pipermail/centos/2019-August/173297.html
2019-08-29 17:23:17,345 opening local file "/var/cache/yum/x86_64/7/epel/metalink.xml.tmp" with mode wb
* About to connect() to mirrors.fedoraproject.org port 443 (#29)
* Trying 8.43.85.67...
* Connected to mirrors.fedoraproject.org (8.43.85.67) port 443 (#29)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=*.fedoraproject.org,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US
* start date: Feb 01 00:00:00 2017 GMT
* expire date: May 01 12:00:00 2020 GMT
* common name: *.fedoraproject.org
* issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 29
2019-08-29 17:23:18,117 exception: [Errno 14] curl#60 - "Peer's Certificate issuer is not recognized."
2019-08-29 17:23:18,117 retrycode (14) not in list [-1, 2, 4, 5, 6, 7], re-raising
Based on that it appears to me very clear that the trust with the
DigiCert chain wasn't given due to a missing trust from the ca-cert
bundle. Unfortunately we haven't seen a status of the ca-certificates
RPM content before fixing it with a reinstall.
Alexander
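The debug output quoted in this thread shows curl (built against NSS) failing with SEC_ERROR_UNKNOWN_ISSUER while reading the CAfile /etc/pki/tls/certs/ca-bundle.crt, and the thread's open question is what state the ca-certificates RPM was in before the reinstall. The script below is an added example for triaging exactly that situation on a CentOS 7 box; it is not code from the thread or from the CentOS project. It assumes the bundle path curl reported above, that `rpm`, `openssl` and network access are available for the live part, and it uses constructed sample log lines (modelled on the ones quoted above) for the offline part.

```shell
#!/bin/sh
# Added example (not from the thread): triage the "curl#60 / NSS -8179"
# symptom shown in the yum debug output above.
#
#   classify_yum_error LINE   offline check over yum/curl debug lines
#   parse_verify_code OUTPUT  pull the verify code out of openssl s_client output
#   check_ca_trust HOST       live checks on a CentOS 7 box: is the
#                             ca-certificates RPM intact, and does HOST's chain
#                             verify against the bundle curl/NSS read?
#
# Assumed path: the CAfile curl reported, /etc/pki/tls/certs/ca-bundle.crt.
BUNDLE=${BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}

# Map one yum debug / curl verbose line to a verdict:
#   unknown-issuer  the CA that signed the server cert is not in the bundle
#   expired         the server cert is outside its validity window
#   other-tls       some other NSS/curl TLS failure
#   ok              nothing TLS-related on this line
classify_yum_error() {
    case "$1" in
        *SEC_ERROR_UNKNOWN_ISSUER*|*"issuer is not recognized"*)
            echo unknown-issuer ;;
        *SEC_ERROR_EXPIRED_CERTIFICATE*)
            echo expired ;;
        *"NSS error"*|*"curl#"*)
            echo other-tls ;;
        *)
            echo ok ;;
    esac
}

# Pull the numeric "Verify return code" out of openssl s_client output.
# 0 means the chain verified against the CAfile given; 20 ("unable to get
# local issuer certificate") is the OpenSSL twin of NSS -8179.
parse_verify_code() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# Live checks; needs rpm, openssl and network.
# Usage: sh this.sh mirrors.fedoraproject.org
check_ca_trust() {
    host=$1
    # 1. Has the installed ca-certificates content drifted from the RPM?
    #    rpm -V exits 0 and prints nothing when every file matches the package.
    if rpm -V ca-certificates >/dev/null 2>&1; then
        echo "ca-certificates: package files verify"
    else
        echo "ca-certificates: files differ from the package; run 'rpm -V ca-certificates' to see which"
        echo "  (the thread recovered from this state by reinstalling the RPM)"
    fi
    # 2. Does HOST's chain verify against the same CAfile curl/NSS read?
    out=$(openssl s_client -connect "$host:443" -servername "$host" \
            -CAfile "$BUNDLE" </dev/null 2>&1)
    code=$(parse_verify_code "$out")
    if [ "$code" = "0" ]; then
        echo "$host: chain verifies against $BUNDLE"
    else
        echo "$host: verify code ${code:-unknown}; presented chain:"
        printf '%s\n' "$out" | grep -E '^ *[0-9]+ s:|^ *i:' | head -n 6
    fi
}

# Constructed sample lines; the first two mirror the shape of the debug
# output quoted in the thread, the third is a constructed expiry failure.
SAMPLE_1='* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)'
SAMPLE_2="2019-08-29 17:23:18,117 exception: [Errno 14] curl#60 - \"Peer's Certificate issuer is not recognized.\""
SAMPLE_3='* NSS error -8181 (SEC_ERROR_EXPIRED_CERTIFICATE)'
SAMPLE_4='2019-08-29 17:23:17,345 opening local file "/var/cache/yum/x86_64/7/epel/metalink.xml.tmp" with mode wb'

for l in "$SAMPLE_1" "$SAMPLE_2" "$SAMPLE_3" "$SAMPLE_4"; do
    printf '%-15s %s\n' "$(classify_yum_error "$l")" "$l"
done

# Live checks only when a host is given on the command line.
if [ $# -gt 0 ]; then
    check_ca_trust "$1"
fi
```

Running `rpm -V ca-certificates` before reinstalling is the step the thread says was missing: it records whether the bundle on disk still matched the package, which separates a corrupted trust store from a mirror-selection coincidence as Gordon suggested. The openssl check uses the same CAfile curl reported, so a verify code of 20 there reproduces the NSS "unknown issuer" condition independently of yum.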