CentOS - Aug 2019 - I broke "yum update" - C7

On Wednesday 28 August 2019 22:41:24 Jonathan Billings
wrote:
> If it?s really out of date, you might need to update the ca-certificates
package, but that?d have to be a really old system.
> 
> I?d suggest by checking to make sure the clock on your computer isn?t
really out of date.  If its right, I?d double-check with ?curl? to see if you
aren?t getting a MitM response, where your HTTPS calls are being intercepted and
resigned by a CA that isn?t in your CA trust.  If that?s the case, you need be
very suspicious of your network.
It isn't that out of date. The server is less than a year old, and the last
yum update was probably only done about 2 months ago.

I checked the system time and it was only a few minutes out. A quick rdate to my
local time server sorted that.

I ran a yum check which took ages but didn't report any problems. 

[root at stan2 ~]# yum check
Loaded plugins: fastestmirror, langpacks
check all
[root at stan2 ~]#

However, running yum update afterwards came up with the same problem.

[root at stan2 ~]# yum update
Loaded plugins: fastestmirror, langpacks
Determining fastest mirrors


 One of the configured repositories failed (Unknown),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix"
this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Run the command with the repository temporarily disabled
            yum --disablerepo=<repoid> ...

     4. Disable the repository permanently, so yum won't use it by default.
Yum
        will then just ignore the repository until you permanently enable it
        again or use --enablerepo for temporary usage:

            yum-config-manager --disable <repoid>
        or
            subscription-manager repos --disable=<repoid>

     5. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save
--setopt=<repoid>.skip_if_unavailable=true

Cannot retrieve metalink for repository: epel/x86_64. Please verify its path and
try again
[root at stan2 ~]# cat /etc/yum.repos.d/epel.repo 
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch/debug
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-7&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1

[epel-source]
name=Extra Packages for Enterprise Linux 7 - $basearch - Source
#baseurl=http://download.fedoraproject.org/pub/epel/7/SRPMS
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-source-7&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1
[root at stan2 ~]#

Interestingly, if I try a yum update on one of my other boxes I get similar
errors. However, it then proceeds to complete the yum update successfully

[root at ollie2 ~]# yum update
Loaded plugins: fastestmirror, langpacks
Determining fastest mirrors
Could not get metalink
https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=x86_64 error was
14: curl#60 - "Peer's Certificate issuer is not recognized."
Could not retrieve mirrorlist
https://mirror.webtatic.com/yum/el7/x86_64/mirrorlist error was
14: curl#60 - "Peer's Certificate issuer is not recognized."
 * base: mirror.as29550.net
 * epel: ftp-stud.hs-esslingen.de
 * extras: mozart.ee.ic.ac.uk
 * updates: mirror.vorboss.net
 * webtatic: uk.repo.webtatic.com
base                                                                            
| 3.6 kB  00:00:00
http://download.owncloud.org/download/repositories/10.0/CentOS_7/repodata/repomd.xml:
[Errno 14] HTTPS Error 302 - Found
Trying other mirror.
extras                                                                          
| 3.4 kB  00:00:00
google-chrome                                                                   
| 1.3 kB  00:00:00
https://rpm.nodesource.com/pub_6.x/el/7/x86_64/repodata/repomd.xml: [Errno 14]
curl#60 - "Peer's Certificate issuer is not recognized."
Trying other mirror.
It was impossible to connect to the CentOS servers.
This could mean a connectivity issue in your environment, such as the
requirement to configure a proxy,
or a transparent proxy that tampers with TLS security, or an incorrect system
clock.
You can try to solve this issue by using the instructions on
https://wiki.centos.org/yum-errors
If above article doesn't help to resolve this issue please use
https://bugs.centos.org/.

https://download.postgresql.org/pub/repos/yum/9.6/redhat/rhel-7-x86_64/repodata/repomd.xml:
[Errno 14] curl#60 - "Peer's Certificate issuer is not
recognized."
Trying other mirror.
updates                                                                         
| 3.4 kB  00:00:00
https://uk.repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14]
curl#60 - "Peer's Certificate issuer is not recognized."
Trying other mirror.
https://us-east.repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14]
curl#60 - "Peer's Certificate issuer is not recognized."
Trying other mirror.
(1/3): google-chrome/primary                                                    
| 1.7 kB  00:00:00
(2/3): extras/7/x86_64/primary_db                                               
| 215 kB  00:00:00
(3/3): updates/7/x86_64/primary_db                                              
| 7.4 MB  00:00:05
google-chrome                                                                   
3/3
Resolving Dependencies

On 8/29/19 3:03 AM, Gary Stainburn wrote:
> https://us-east.repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml:
[Errno 14] curl#60 - "Peer's Certificate issuer is not
recognized."

What do you see when you run:

 ??? openssl s_client -showcerts -connect us-east.repo.webtatic.com:443

On 29/08/19 9:58 PM, Gary Stainburn wrote:
>   One of the configured repositories failed (Unknown),
>   and yum doesn't have enough cached data to continue. At this point
the only
>   safe thing yum can do is fail. There are a few ways to work
"fix" this:
> 
> Cannot retrieve metalink for repository: epel/x86_64. Please verify its
path and try again
I would try this:

yum clean all
yum --disablerepo=epel update
yum --disablerepo=epel --enablerepo=extras reinstall epel-release
yum update

If that doesn't work show the complete output from the above commands 
and we'll go from there.


Peter

On Friday 30 August 2019 04:54:14 Peter wrote:
> 
> I would try this:
> 
> yum clean all
ran okay.
> yum --disablerepo=epel update
ran okay but said there was nothing to update which I find hard to believe. It
has been a month or so at least since the last successful update. It did
complain about the REMI repos, which is odd as this all started when my yum
update only updated PHP and Google Chrome, with PHP coming from REMI.
> yum --disablerepo=epel --enablerepo=extras reinstall epel-release
ran okay and successfully reinstalled epel-release.noarch 0:7-11
> yum update
Still failed in the same way as before. Full output below.

[root at stan2 ~]# yum clean all
Loaded plugins: fastestmirror, langpacks
Cleaning repos: base epel extras remi-php72 remi-safe updates
Cleaning up list of fastest mirrors
Other repos take up 57 k of disk space (use --verbose for details)
[root at stan2 ~]# yum --disablerepo=epel update
Loaded plugins: fastestmirror, langpacks
Determining fastest mirrors
 * base: mirror.sov.uk.goscomb.net
 * extras: mirror.clustered.net
 * remi-php72: mirror.23media.com
 * remi-safe: mirror.23media.com
 * updates: mirrors.vooservers.com
base                                                                            
| 3.6 kB  00:00:00
extras                                                                          
| 3.4 kB  00:00:00
https://mirror.23media.com/remi/enterprise/7/php72/x86_64/repodata/repomd.xml:
[Errno 14] curl#60 - "Peer's Certificate issuer is not
recognized."
Trying other mirror.
It was impossible to connect to the CentOS servers.
This could mean a connectivity issue in your environment, such as the
requirement to configure a proxy,
or a transparent proxy that tampers with TLS security, or an incorrect system
clock.
You can try to solve this issue by using the instructions on
https://wiki.centos.org/yum-errors
If above article doesn't help to resolve this issue please use
https://bugs.centos.org/.

https://mirror.oxilion.nl/remi/enterprise/7/php72/x86_64/repodata/repomd.xml:
[Errno 14] curl#60 - "Peer's certificate issuer has been marked as not
trusted by the user."
Trying other mirror.
https://mirrors.ukfast.co.uk/sites/remi/enterprise/7/php72/x86_64/repodata/repomd.xml:
[Errno 14] curl#60 - "Peer's Certificate issuer is not
recognized."
Trying other mirror.
remi-php72                                                                      
| 3.0 kB  00:00:00
remi-safe                                                                       
| 3.0 kB  00:00:00
updates                                                                         
| 3.4 kB  00:00:00
(1/6): base/7/x86_64/group_gz                                                   
| 166 kB  00:00:00
(2/6): extras/7/x86_64/primary_db                                               
| 215 kB  00:00:00
(3/6): remi-php72/primary_db                                                    
| 225 kB  00:00:00
(4/6): remi-safe/primary_db                                                     
| 1.6 MB  00:00:02
(5/6): updates/7/x86_64/primary_db                                              
| 7.4 MB  00:00:02
(6/6): base/7/x86_64/primary_db                                                 
| 6.0 MB  00:00:03
No packages marked for update
[root at stan2 ~]# yum --disablerepo=epel --enablerepo=extras reinstall
epel-release
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.sov.uk.goscomb.net
 * extras: mirror.clustered.net
 * remi-php72: mirror.23media.com
 * remi-safe: mirror.23media.com
 * updates: mirrors.vooservers.com
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-11 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================================
Package                                   Arch                               
Version                              Repository                           Size
=============================================================================================================================================================Reinstalling:
 epel-release                              noarch                             
7-11                                 extras                               15 k

Transaction Summary
=============================================================================================================================================================Reinstall
1 Package

Total download size: 15 k
Installed size: 24 k
Is this ok [y/d/N]: y
Downloading packages:
epel-release-7-11.noarch.rpm                                                    
|  15 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
  Installing : epel-release-7-11.noarch                                         
1/1
  Verifying  : epel-release-7-11.noarch                                         
1/1

Installed:
  epel-release.noarch 0:7-11

Complete!
[root at stan2 ~]# yum update
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile


 One of the configured repositories failed (Unknown),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix"
this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Run the command with the repository temporarily disabled
            yum --disablerepo=<repoid> ...

     4. Disable the repository permanently, so yum won't use it by default.
Yum
        will then just ignore the repository until you permanently enable it
        again or use --enablerepo for temporary usage:

            yum-config-manager --disable <repoid>
        or
            subscription-manager repos --disable=<repoid>

     5. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save
--setopt=<repoid>.skip_if_unavailable=true

Cannot retrieve metalink for repository: epel/x86_64. Please verify its path and
try again
[root at stan2 ~]#