[Spacewalk-list] RHEL repo sync error - CURL #60

Robert Paschedag robert.paschedag at web.de
Tue Oct 9 18:33:25 UTC 2018


On 9 October 2018 18:46:27 CEST, Matt Moldvan <matt at moldvan.com> wrote:
>No, unfortunately, I gave up on trying a long time ago, as it seemed like a
>very hokey approach to first sync using reposync on additional VMs, run
>createrepo, then add those as channels in Spacewalk.  Due to that and other
>cost saving initiatives, I gave up and changed our infrastructure to avoid
>using RHEL as much as possible in favor of CentOS...

I'm pretty sure that all Red Hat customers here with this "SSL cert error" or "403 error" while syncing repos are mixing up those errors.

Note: I'm not a Red Hat customer. But as far as I know, Red Hat uses SSL certificates to identify customers and grant access to the repos.

So if the access to the repos returns "403" (suddenly), maybe your subscription expired. So you might need to refresh these certificates. (Again, I'm not sure).

The SSL validation error (curl) is something "general".

And I also thought that there are RPMs within the Red Hat repos that contain these CA certs that are used on their web servers, so the customers do *not* get these "curl" errors.

Robert
>
>On Tue, Oct 9, 2018 at 11:55 AM Raymond Setchfield <
>raymond.setchfield at gmail.com> wrote:
>
>> Have you got this working, Matt?
>>
>> On 9 Oct 2018, at 16:21, Matt Moldvan <matt at moldvan.com> wrote:
>>
>> Oops, looks like my replies weren't making it to the mailing list (forgot
>> to change the "From" option).
>>
>> Anyway, I intended to reply to the list and not just Robert...
>>
>> On Tue, Oct 9, 2018 at 11:18 AM Matt Moldvan <sandwormusmc at gmail.com>
>> wrote:
>>
>>> Yeah, makes sense.  My point was that Red Hat expecting this to be done
>>> by its customers is silly and they shouldn't be using self-signed certs in
>>> the path and making their customers do extra work...
>>>
>>> On Tue, Oct 9, 2018 at 9:50 AM Robert Paschedag <robert.paschedag at web.de>
>>> wrote:
>>>
>>>> On 9 October 2018 15:24:55 CEST, sandwormusmc <sandwormusmc at gmail.com> wrote:
>>>> >Looks like an issue Red Hat should fix, to be honest.  While you could
>>>> >pull the CA cert of the issuer and import it, I get an invalid issuer
>>>> >error when I pull up that URL in my browser, too.  So updating your CA
>>>> >certs may not help either (unless Red Hat provides the root cert for
>>>> >whoever generated the cert for cdn.redhat.com).
>>>> >If you have a Red Hat support contract, I would open a ticket with this
>>>> >information and ask for their input.
>>>> >
>>>> >
>>>> >Sent from my Verizon, Samsung Galaxy smartphone
>>>> >-------- Original message --------
>>>> >From: "Irwin, Jeffrey" <Jeffrey.Irwin at rivertechllc.com>
>>>> >Date: 10/9/18  8:46 AM (GMT-05:00)
>>>> >To: Robert Paschedag <robert.paschedag at web.de>, spacewalk-list at redhat.com
>>>> >Subject: Re: [Spacewalk-list] RHEL repo sync error - CURL #60
>>>> >
>>>> >I have tried this with a local mirror repo... no dice, tried it with
>>>> >subscribed RHEL repo, no dice, trying to track this pesky cert issue.
>>>> >Will check out the man page and see, would be nice to see a more
>>>> >verbose indication of what cert it is trying to use, where it is, etc.
>>>> >________________________________________
>>>> >From: Robert Paschedag <robert.paschedag at web.de>
>>>> >Sent: Tuesday, October 9, 2018 8:41 AM
>>>> >To: spacewalk-list at redhat.com; Irwin, Jeffrey;
>>>> >spacewalk-list at redhat.com
>>>> >Subject: Re: [Spacewalk-list] RHEL repo sync error - CURL #60
>>>> >
>>>> >On 9 October 2018 14:04:25 CEST, "Irwin, Jeffrey"
>>>> ><Jeffrey.Irwin at rivertechllc.com> wrote:
>>>> >>Same issue I am having, interested to see the solution.
>>>> >
>>>> >I think manpage of update-ca-certificates should help.
>>>> >
>>>> >Get the issuer cert, update the local CA certs and it should run (in
>>>> >case, there is no new rpm which updates the certs)
>>>> >
>>>> >Robert
>>>> >>
>>>> >>________________________________
>>>> >>From: spacewalk-list-bounces at redhat.com
>>>> >><spacewalk-list-bounces at redhat.com> on behalf of Raymond Setchfield
>>>> >><raymond.setchfield at gmail.com>
>>>> >>Sent: Monday, October 8, 2018 6:47 AM
>>>> >>To: spacewalk-list at redhat.com
>>>> >>Subject: [Spacewalk-list] RHEL repo sync error - CURL #60
>>>> >>
>>>> >>Hi
>>>> >>
>>>> >>I have been attempting to pull the RHEL updates into spacewalk, and I
>>>> >>am receiving the following error;
>>>> >>
>>>> >># spacewalk-repo-sync -c rhel07-update
>>>> >>11:44:03 ======================================
>>>> >>11:44:03 | Channel: rhel07-update
>>>> >>11:44:03 ======================================
>>>> >>11:44:03 Sync of channel started.
>>>> >>11:44:03
>>>> >>11:44:03   Processing repository with URL:
>>>> >>https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
>>>> >>Repository group_spacewalkproject-java-packages is listed more than
>>>> >>once in the configuration
>>>> >>11:44:03 ERROR: failure: repodata/repomd.xml from rhel07-update.repo:
>>>> >>[Errno 256] No more mirrors to try.
>>>> >>https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml:
>>>> >>[Errno 14] curl#60 - "Peer's certificate issuer has been marked as not
>>>> >>trusted by the user."
>>>> >>11:44:03 Sync of channel completed in 0:00:00.
>>>> >>11:44:03 Total time: 0:00:00
>>>> >>
>>>> >>Looking into this it appears to be a certificate issue from what I can
>>>> >>gather. My assumption is to use the "redhat-uep.pem". Is this correct?
>>>> >>If so, where do I place this to allow the curl to work? Or am I off in
>>>> >>the wrong direction?
>>>> >>
>>>> >>Thanks
>>>> >>
>>>> >>Ray
>>>> >
>>>> >
>>>> >--
>>>> >sent from my mobile device
>>>> >
>>>> >_______________________________________________
>>>> >Spacewalk-list mailing list
>>>> >Spacewalk-list at redhat.com
>>>> >https://www.redhat.com/mailman/listinfo/spacewalk-list
>>>>
>>>> There is a self-signed cert within the SSL path, which does not seem to
>>>> be on your cert parts.
>>>>
>>>> So download the certs via the browser (export root CA and intermediate
>>>> CAs), put them in the "anchors" directory (where update-ca-trust or
>>>> update-ca-certificates wants them to be), update the certs... Then try
>>>> again.
>>>>
>>>> Robert
>>>> --
>>>> sent from my mobile device
>>>>


-- 
sent from my mobile device
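
The trust-store check and fix discussed in this thread, as an added example that is not part of the original messages: it builds a constructed private CA and server certificate with openssl, prints the issuer the client has to find in its trust store, and shows verification failing before the CA is in the bundle and passing after. All names (Example Private Root CA, repo.example.test) and the bundle file are assumptions; on a real host the bundle is the one maintained by update-ca-trust or update-ca-certificates.

```shell
#!/bin/sh
# Added example: reproduce "issuer not trusted" offline with constructed certs.
# All names (Example Private Root CA, repo.example.test) are made up.

make_ca() {      # $1 = output prefix, $2 = CN; writes a self-signed CA cert and key
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

make_leaf() {    # $1 = CA prefix, $2 = output prefix, $3 = CN; cert signed by that CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

issuer_of() {    # print the issuer DN that must be present in the trust store
    openssl x509 -in "$1" -noout -issuer
}

is_trusted() {   # $1 = server cert, $2 = CA bundle; exit status 0 if the chain verifies
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d/root" "Example Private Root CA"
    make_ca "$d/other" "Unrelated CA"
    make_leaf "$d/root" "$d/srv" "repo.example.test"
    cp "$d/other.pem" "$d/bundle.pem"        # trust store that lacks the issuer
    issuer_of "$d/srv.pem"                   # which CA is the client looking for?
    if is_trusted "$d/srv.pem" "$d/bundle.pem"; then before=trusted; else before=untrusted; fi
    cat "$d/root.pem" >> "$d/bundle.pem"     # stand-in for anchors dir + update-ca-trust
    if is_trusted "$d/srv.pem" "$d/bundle.pem"; then after=trusted; else after=untrusted; fi
    rm -rf "$d"
    echo "before=$before after=$after"
}

demo
```
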



