On 8/30/19 5:52 AM, Gary Stainburn wrote:
> Incidentally, the *good* server that I was referencing my broken server against has decided to start giving the curl certificate errors in the same way that the broken one did. Very strange. I ran

It's possible that the error is unrelated to the ca-certificates file. You'll only see it if yum selects a mirror that uses a Let's Encrypt or Amazon-signed certificate (at least, those were the CAs for the hosts I saw you report errors for). If yum happens to select mirrors that don't, then everything will work normally. Reinstalling the package on the original system may have been coincidental.
On Friday 30 August 2019 16:04:51 Gordon Messmer wrote:
> On 8/30/19 5:52 AM, Gary Stainburn wrote:
> > Incidentally, the *good* server that I was referencing my broken server against has decided to start giving the curl certificate errors in the same way that the broken one did. Very strange. I ran
>
> It's possible that the error is unrelated to the ca-certificates file. You'll only see it if yum selects a mirror that uses a Let's Encrypt or Amazon-signed certificate (at least, those were the CAs for the hosts I saw you report errors for). If yum happens to select mirrors that don't, then everything will work normally. Reinstalling the package on the original system may have been coincidental.

Hi Gordon,

That would make a great deal of sense, and fits in with the external influence which would explain why it's suddenly appearing on both servers. However, when I re-installed ca-certificates it immediately fixed the problem on both boxes, which implies an internal problem.

Gary
On 2019-08-30 17:04, Gordon Messmer wrote:
> On 8/30/19 5:52 AM, Gary Stainburn wrote:
> > Incidentally, the *good* server that I was referencing my broken server against has decided to start giving the curl certificate errors in the same way that the broken one did. Very strange. I ran
>
> It's possible that the error is unrelated to the ca-certificates file. You'll only see it if yum selects a mirror that uses a Let's Encrypt or Amazon-signed certificate (at least, those were the CAs for the hosts I saw you report errors for). If yum happens to select mirrors that don't, then everything will work normally. Reinstalling the package on the original system may have been coincidental.

Testing yum's activity in debug mode had shown:
https://lists.centos.org/pipermail/centos/2019-August/173297.html

2019-08-29 17:23:17,345 opening local file "/var/cache/yum/x86_64/7/epel/metalink.xml.tmp" with mode wb
* About to connect() to mirrors.fedoraproject.org port 443 (#29)
*   Trying 8.43.85.67...
* Connected to mirrors.fedoraproject.org (8.43.85.67) port 443 (#29)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: CN=*.fedoraproject.org,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US
*       start date: Feb 01 00:00:00 2017 GMT
*       expire date: May 01 12:00:00 2020 GMT
*       common name: *.fedoraproject.org
*       issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 29
2019-08-29 17:23:18,117 exception: [Errno 14] curl#60 - "Peer's Certificate issuer is not recognized."
2019-08-29 17:23:18,117 retrycode (14) not in list [-1, 2, 4, 5, 6, 7], re-raising

Based on that it appears to me very clear that the trust with the DigiCert chain wasn't given due to a missing trust from the ca-cert bundle.

Unfortunately we haven't seen a status of the ca-certificates RPM content before fixing it with a reinstall.

Alexander
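The diagnosis above (a chain that ends in a root the CA bundle does not carry) can be reproduced and checked offline. The script below is an added example for this thread, not code posted by anyone on the list. It builds a throwaway PKI with openssl (root, intermediate, server leaf; the names Example Root CA, Example Issuing CA, Unrelated Root CA and mirror.example.test are made up), then verifies the leaf against a bundle that contains the right root and against one that does not. The second verification fails for the same reason the yum log shows; OpenSSL reports it as "unable to get local issuer certificate" where NSS says SEC_ERROR_UNKNOWN_ISSUER and curl reports error 60. It also lists the subjects in a bundle and checks whether the issuer of a given certificate is among them, which is the check that would have shown the state of ca-bundle.crt before the reinstall.

```shell
#!/bin/sh
# Added example for this thread, not code posted by anyone on the list.
# Builds a throwaway PKI (root -> intermediate -> server leaf), then checks
# the leaf against two CA bundles: one carrying the root and one that does
# not. The second check fails the way the yum log did (NSS -8179
# SEC_ERROR_UNKNOWN_ISSUER / curl#60); OpenSSL words it as "unable to get
# local issuer certificate". All names below are hypothetical.
set -eu

# Build the toy hierarchy and two bundles under directory $1.
make_test_pki() {
    dir=$1
    # Root that the server chain actually leads to.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # An unrelated root, so the "broken" bundle is non-empty but useless.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Unrelated Root CA" \
        -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null
    # Intermediate, playing the role the DigiCert issuing CA plays in the log.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/int.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -extfile "$dir/int.ext" -out "$dir/int.pem" 2>/dev/null
    # Server leaf, signed by the intermediate.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mirror.example.test\n' \
        > "$dir/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mirror.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 2 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
    # Healthy bundle: both roots. Broken bundle: only the unrelated root.
    cat "$dir/root.pem" "$dir/other.pem" > "$dir/full-bundle.pem"
    cp "$dir/other.pem" "$dir/broken-bundle.pem"
}

# Verify a server chain the way a TLS client does: the leaf ($3) plus the
# intermediate the server sent ($2), against the trust store ($1).
# Returns 0 when the chain terminates in a trusted root, non-zero otherwise.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Print the subject of every certificate in a bundle, one per line.
bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout \
        | sed -n 's/^subject= *//p'
}

# Does bundle $1 contain a certificate whose subject is the issuer of $2?
# For a server chain, pass the intermediate as $2 to look for its root.
bundle_has_issuer_of() {
    issuer=$(openssl x509 -in "$2" -noout -issuer | sed 's/^issuer= *//')
    bundle_subjects "$1" | grep -Fqx -- "$issuer"
}

# Demonstration: build the PKI and run both checks against both bundles.
work=$(mktemp -d)
make_test_pki "$work"
for b in full-bundle broken-bundle; do
    if verify_chain "$work/$b.pem" "$work/int.pem" "$work/leaf.pem"; then
        echo "$b.pem: chain verifies"
    else
        echo "$b.pem: chain rejected (unknown issuer)"
    fi
    if bundle_has_issuer_of "$work/$b.pem" "$work/int.pem"; then
        echo "$b.pem: carries the issuer of the intermediate"
    else
        echo "$b.pem: does not carry the issuer of the intermediate"
    fi
done
rm -rf "$work"
```

On a real box the same two functions apply unchanged: point the bundle argument at /etc/pki/tls/certs/ca-bundle.crt (the CAfile in the yum log) and feed them the leaf and intermediate the mirror actually presents, which `openssl s_client -showcerts -connect host:443` prints. Running `bundle_subjects` on the bundle and grepping for the expected root, together with `rpm -V ca-certificates`, is the record of the pre-reinstall state that Alexander notes was never captured.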
On 8/30/19 8:17 AM, Gary Stainburn wrote:
> However, when I re-installed ca-certificates it immediately fixed the problem on both boxes, which implies an internal problem.

That is only true if yum selected the same server, and there is no evidence that it did. It's possible that reinstalling the package fixed the problem, and it's also possible that it did not.
On 8/30/19 8:31 AM, Alexander Dalloz wrote:
> Based on that it appears to me very clear that the trust with the DigiCert chain wasn't given due to a missing trust from the ca-cert bundle

That seems reasonable to me. :)