[Spacewalk-list] RHEL repo sync error - CURL #60
Raymond Setchfield
raymond.setchfield at gmail.com
Tue Oct 9 19:01:18 UTC 2018
Hi Robert
Thanks for the reply.
For me the RHEL subscriptions are brand new and therefore I don’t think that this is the problem.
I’ll look further into the SSL issue though, as that would potentially make sense. I thought it was just done through the subscription manager using username and password.
Ray
> On 9 Oct 2018, at 19:33, Robert Paschedag <robert.paschedag at web.de> wrote:
>
> Am 9. Oktober 2018 18:46:27 MESZ schrieb Matt Moldvan <matt at moldvan.com>:
>> No, unfortunately, I gave up on trying a long time ago, as it seemed
>> like a
>> very hokey approach to first sync using reposync on additional VMs, run
>> createrepo, then add those as channels in Spacewalk. Due to that and
>> other
>> cost saving initiatives, I gave up and changed our infrastructure to
>> avoid
>> using RHEL as much as possible in favor of CentOS...
>
> I'm pretty sure, that all red hat customers here with this "SSL cert error" or "403 error" while syncing repos are mixing those errors.
>
> Note: I'm not a red hat customer. But as far as I know, red hat uses SSL certificates to identify customers and grant access to the repos.
>
> So if the access to the repos returns "403" (suddenly), maybe your subscription expired. So you might need to refresh these certificates. (Again, I'm not sure).
>
> The SSL validation error (curl) is something "general".
>
> And, I also thought, that there are rpms within the red hat repos, that contain these CA certs that are used on their Webservers so the customers do *not* get these "curl" errors.
>
> Robert
>>
>> On Tue, Oct 9, 2018 at 11:55 AM Raymond Setchfield <
>> raymond.setchfield at gmail.com> wrote:
>>
>>> Have you got this working, Matt?
>>>
>>> On 9 Oct 2018, at 16:21, Matt Moldvan <matt at moldvan.com> wrote:
>>>
>>> Oops, looks like my replies weren't making it to the mailing list
>> (forgot
>>> to change the "From" option).
>>>
>>> Anyway, I intended to reply to the list and not just Robert...
>>>
>>> On Tue, Oct 9, 2018 at 11:18 AM Matt Moldvan <sandwormusmc at gmail.com>
>>> wrote:
>>>
>>>> Yeah, makes sense. My point was that Red Hat expecting this to be
>> done
>>>> by it's customers is silly and they shouldn't be using self signed
>> certs in
>>>> the path and making their customers do extra work...
>>>>
>>>> On Tue, Oct 9, 2018 at 9:50 AM Robert Paschedag
>> <robert.paschedag at web.de>
>>>> wrote:
>>>>
>>>>> Am 9. Oktober 2018 15:24:55 MESZ schrieb sandwormusmc <
>>>>> sandwormusmc at gmail.com>:
>>>>>> Looks like an issue Red Hat should fix, too be honest. While you
>> could
>>>>>> pull the CA cert of the issuer and import it, I get an invalid
>> issuer
>>>>>> error when I pull up that URL in my browser, too. So updating
>> your CA
>>>>>> certs may not help either (unless Red Hat provides the root cert
>> for
>>>>>> whomever generated the cert for cdn.redhat.com).
>>>>>> If you have a Red Hat support contract, I would open a ticket with
>> this
>>>>>> information and ask for their input.
>>>>>>
>>>>>>
>>>>>> Sent from my Verizon, Samsung Galaxy smartphone
>>>>>> -------- Original message --------From: "Irwin, Jeffrey"
>>>>>> <Jeffrey.Irwin at rivertechllc.com> Date: 10/9/18 8:46 AM
>> (GMT-05:00)
>>>>>> To: Robert Paschedag <robert.paschedag at web.de>,
>>>>>> spacewalk-list at redhat.com Subject: Re: [Spacewalk-list] RHEL repo
>> sync
>>>>>> error - CURL #60
>>>>>> I have tried this with a local mirror repo......no dice, tried it
>> with
>>>>>> subscribed RHEL repo, no dice, trying to track this pesky cert
>> issue.
>>>>>> Will check out the man page and see, would be nice to see a more
>>>>>> verbose indication of what cert it is trying to use, where it is,
>> etc..
>>>>>> ________________________________________
>>>>>> From: Robert Paschedag <robert.paschedag at web.de>
>>>>>> Sent: Tuesday, October 9, 2018 8:41 AM
>>>>>> To: spacewalk-list at redhat.com; Irwin, Jeffrey;
>>>>>> spacewalk-list at redhat.com
>>>>>> Subject: Re: [Spacewalk-list] RHEL repo sync error - CURL #60
>>>>>>
>>>>>> Am 9. Oktober 2018 14:04:25 MESZ schrieb "Irwin, Jeffrey"
>>>>>> <Jeffrey.Irwin at rivertechllc.com>:
>>>>>>> ?Same issue I ma having, interested to see the solution.
>>>>>>
>>>>>> I think manpage of update-ca-certificates should help.
>>>>>>
>>>>>> Get the issuer cert, update the local CA certs and it should run
>> (in
>>>>>> case, there is no new rpm which updates the certs)
>>>>>>
>>>>>> Robert
>>>>>>>
>>>>>>> ________________________________
>>>>>>> From: spacewalk-list-bounces at redhat.com
>>>>>>> <spacewalk-list-bounces at redhat.com> on behalf of Raymond
>> Setchfield
>>>>>>> <raymond.setchfield at gmail.com>
>>>>>>> Sent: Monday, October 8, 2018 6:47 AM
>>>>>>> To: spacewalk-list at redhat.com
>>>>>>> Subject: [Spacewalk-list] RHEL repo sync error - CURL #60
>>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> I have been attempting to pull the RHEL updates into spacewalk,
>> and I
>>>>>>> am receiving the following error;
>>>>>>>
>>>>>>> # spacewalk-repo-sync -c rhel07-update
>>>>>>> 11:44:03 ======================================
>>>>>>> 11:44:03 | Channel: rhel07-update
>>>>>>> 11:44:03 ======================================
>>>>>>> 11:44:03 Sync of channel started.
>>>>>>> 11:44:03
>>>>>>> 11:44:03 Processing repository with URL:
>>>>>
>>>> https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
>>>>>>> Repository group_spacewalkproject-java-packages is listed more
>> than
>>>>>>> once in the configuration
>>>>>>> 11:44:03 ERROR: failure: repodata/repomd.xml from
>> rhel07-update.repo:
>>>>>>> [Errno 256] No more mirrors to try.
>>>>>>>
>>>>>
>> https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml
>>>>> :
>>>>>>> [Errno 14] curl#60 - "Peer's certificate issuer has been marked
>> as not
>>>>>>> trusted by the user."
>>>>>>> 11:44:03 Sync of channel completed in 0:00:00.
>>>>>>> 11:44:03 Total time: 0:00:00
>>>>>>>
>>>>>>> Looking into this it appears to be a certificate issue from what
>> I can
>>>>>>> gather. My assumption is to use the "redhat-uep.pem" Is this
>> correct?
>>>>>>> If so where do I place this to allow the curl to work? Or am I
>> off in
>>>>>>> the wrong direction
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Ray
>>>>>>
>>>>>>
>>>>>> --
>>>>>> sent from my mobile device
>>>>>>
>>>>>> _______________________________________________
>>>>>> Spacewalk-list mailing list
>>>>>> Spacewalk-list at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>>>>
>>>>> There is a self signed cert within the SSL path, which does not
>> seem to
>>>>> be on your cert parts.
>>>>>
>>>>> So download the certs via the browser (export root ca and
>> intermediate
>>>>> cas), put the in the "anchors" directory (where update-ca-trust or
>>>>> update-ca-certificates wants them to be), update the certs... Then
>> try
>>>>> again.
>>>>>
>>>>> Robert
>>>>> --
>>>>> sent from my mobile device
>>>>>
>>>> _______________________________________________
>>> Spacewalk-list mailing list
>>> Spacewalk-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>>
>>> _______________________________________________
>>> Spacewalk-list mailing list
>>> Spacewalk-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>
>
> --
> sent from my mobile device
>
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
More information about the Spacewalk-list
mailing list