On 2019-08-30 17:04, Gordon Messmer wrote:
On 8/30/19 5:52 AM, Gary Stainburn wrote:
Incidentally, the *good* server that I was referencing my broken server against has decided to start giving the curl certificate errors in the same way that the broken one did. Very strange. I ran


It's possible that the error is unrelated to the ca-certificates
file.  You'll only see it if yum selects a mirror that uses a Let's
Encrypt or Amazon-signed certificate (at least, those were the CAs for
the hosts I saw you report errors for).  If yum happens to select
mirrors that don't, then everything will work normally.  Reinstalling
the package on the original system may have been coincidental.

Testing yum's activity in debug mode had shown:

https://lists.centos.org/pipermail/centos/2019-August/173297.html

2019-08-29 17:23:17,345 opening local file "/var/cache/yum/x86_64/7/epel/metalink.xml.tmp" with mode wb
* About to connect() to mirrors.fedoraproject.org port 443 (#29)
*   Trying 8.43.85.67...
* Connected to mirrors.fedoraproject.org (8.43.85.67) port 443 (#29)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* subject: CN=*.fedoraproject.org,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US
*       start date: Feb 01 00:00:00 2017 GMT
*       expire date: May 01 12:00:00 2020 GMT
*       common name: *.fedoraproject.org
* issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 29
2019-08-29 17:23:18,117 exception: [Errno 14] curl#60 - "Peer's Certificate issuer is not recognized."
2019-08-29 17:23:18,117 retrycode (14) not in list [-1, 2, 4, 5, 6, 7], re-raising

Based on that, it appears very clear to me that the DigiCert chain wasn't trusted because the ca-cert bundle was missing the required trust. Unfortunately we haven't seen the state of the ca-certificates RPM content before fixing it with a reinstall.

Alexander
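The two replies above disagree on the diagnosis: Gordon suspects the failures are tied to specific mirror CAs (Let's Encrypt, Amazon), while Alexander points out that a DigiCert-issued mirror certificate also failed, which implicates the local ca-certificates bundle. One way to settle that from the yum debug output is to tabulate every TLS attempt by issuer and see whether any issuer verifies at all. The script below is an added example, not code from the thread, from yum or from curl; it parses constructed log lines shaped like the excerpt above (the hosts mirror.example.net and mirror2.example.org, their addresses and the "Example Internal CA" issuer are made up for the sample).

```python
import re

# Constructed sample of yum/curl verbose output shaped like the thread's log
# (not a real capture): two mirrors fail verification, a third succeeds.
SAMPLE_LOG = """\
2019-08-29 17:23:17,345 opening local file "/var/cache/yum/x86_64/7/epel/metalink.xml.tmp" with mode wb
* About to connect() to mirrors.fedoraproject.org port 443 (#29)
* Connected to mirrors.fedoraproject.org (8.43.85.67) port 443 (#29)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
* Server certificate:
* subject: CN=*.fedoraproject.org,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US
* issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 29
2019-08-29 17:23:18,117 exception: [Errno 14] curl#60 - "Peer's Certificate issuer is not recognized."
* About to connect() to mirror.example.net port 443 (#30)
* Connected to mirror.example.net (192.0.2.10) port 443 (#30)
* Server certificate:
* subject: CN=mirror.example.net
* issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Closing connection 30
* About to connect() to mirror2.example.org port 443 (#31)
* Connected to mirror2.example.org (198.51.100.7) port 443 (#31)
* Server certificate:
* subject: CN=mirror2.example.org
* issuer: CN=Example Internal CA,O=Example Org
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Connection #31 to host mirror2.example.org left intact
"""

# Line shapes taken from the curl/NSS verbose output quoted in the thread.
CONNECT_RE = re.compile(r"^\* Connected to (\S+) \(([\d.:a-fA-F]+)\) port (\d+)")
ISSUER_RE = re.compile(r"^\* issuer: (.+)$")
NSS_ERR_RE = re.compile(r"^\* NSS error (-?\d+) \(([A-Z_]+)\)")
CURL_ERR_RE = re.compile(r'curl#(\d+) - "([^"]*)"')


def parse_tls_attempts(log_text):
    """Return one record per connection: host, ip, port, issuer DN, error (None if it verified)."""
    attempts = []
    current = None
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            current = {"host": m.group(1), "ip": m.group(2), "port": int(m.group(3)),
                       "issuer": None, "error": None}
            attempts.append(current)
            continue
        if current is None:
            continue
        m = ISSUER_RE.match(line)
        if m:
            current["issuer"] = m.group(1).strip()
            continue
        m = NSS_ERR_RE.match(line)
        if m:
            current["error"] = f"NSS {m.group(1)} ({m.group(2)})"
            continue
        # yum's own exception line carries the curl error code; keep the NSS
        # error if we already have it, since it is the more specific one.
        m = CURL_ERR_RE.search(line)
        if m and current["error"] is None:
            current["error"] = f"curl#{m.group(1)} {m.group(2)}"
    return attempts


def failures_by_issuer(attempts):
    """Map issuer DN -> (failed attempts, total attempts)."""
    summary = {}
    for a in attempts:
        issuer = a["issuer"] or "<no certificate seen>"
        failed, total = summary.get(issuer, (0, 0))
        summary[issuer] = (failed + (1 if a["error"] else 0), total + 1)
    return summary


def diagnose(attempts):
    """Distinguish 'some CAs fail' (mirror/CA-specific) from 'every CA fails' (local bundle)."""
    summary = failures_by_issuer(attempts)
    failing = sorted(issuer for issuer, (failed, _) in summary.items() if failed)
    working = sorted(issuer for issuer, (failed, total) in summary.items() if failed < total)
    if not failing:
        return "no TLS trust failures in log"
    if not working:
        return ("every issuer seen fails verification: suspect local CA bundle "
                "(e.g. rpm -V ca-certificates)")
    return ("failures limited to: " + "; ".join(failing)
            + " (other issuers verify; check mirror/CA-specific cause)")


if __name__ == "__main__":
    parsed = parse_tls_attempts(SAMPLE_LOG)
    for issuer, (failed, total) in failures_by_issuer(parsed).items():
        print(f"{failed}/{total} failed  {issuer}")
    print(diagnose(parsed))
```

On a real box, feed it the yum debug log (`yum --rpmverbosity=debug` or the curl `-v` output the thread shows) instead of the constructed sample; if a well-known public CA such as DigiCert fails alongside the others, the "every issuer fails" branch is the one that matches Alexander's reading of the log.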


_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos