[Spacewalk-list] RHEL repo sync error - CURL #60

Raymond Setchfield raymond.setchfield at gmail.com
Tue Oct 9 19:01:18 UTC 2018 

Hi Robert

Thanks for the reply.

For me the RHEL subscriptions are brand new and therefore I don’t think that this is the problem.

I’ll look further into the SSL issue though, as that would potentially make sense. I thought it was just done through the subscription manager using username and password. 

Ray

> On 9 Oct 2018, at 19:33, Robert Paschedag <robert.paschedag at web.de> wrote:
> 
> Am 9. Oktober 2018 18:46:27 MESZ schrieb Matt Moldvan <matt at moldvan.com>:
>> No, unfortunately, I gave up on trying a long time ago, as it seemed
>> like a
>> very hokey approach to first sync using reposync on additional VMs, run
>> createrepo, then add those as channels in Spacewalk.  Due to that and
>> other
>> cost saving initiatives, I gave up and changed our infrastructure to
>> avoid
>> using RHEL as much as possible in favor of CentOS...
> 
> I'm pretty sure, that all red hat customers here with this "SSL cert error" or "403 error" while syncing repos are mixing those errors.
> 
> Note: I'm not a red hat customer. But as far as I know, red hat uses SSL certificates to identify customers and grant access to the repos.
> 
> So if the access to the repos returns "403" (suddenly), maybe your subscription expired. So you might need to refresh these certificates. (Again, I'm not sure).
> 
> The SSL validation error (curl) is something "general".
> 
> And, I also thought, that there are rpms within the red hat repos, that contain these CA certs that are used on their Webservers so the customers do *not* get these "curl" errors.
> 
> Robert
>> 
>> On Tue, Oct 9, 2018 at 11:55 AM Raymond Setchfield <
>> raymond.setchfield at gmail.com> wrote:
>> 
>>> Have you got this working, Matt?
>>> 
>>> On 9 Oct 2018, at 16:21, Matt Moldvan <matt at moldvan.com> wrote:
>>> 
>>> Oops, looks like my replies weren't making it to the mailing list
>> (forgot
>>> to change the "From" option).
>>> 
>>> Anyway, I intended to reply to the list and not just Robert...
>>> 
>>> On Tue, Oct 9, 2018 at 11:18 AM Matt Moldvan <sandwormusmc at gmail.com>
>>> wrote:
>>> 
>>>> Yeah, makes sense.  My point was that Red Hat expecting this to be
>> done
>>>> by it's customers is silly and they shouldn't be using self signed
>> certs in
>>>> the path and making their customers do extra work...
>>>> 
>>>> On Tue, Oct 9, 2018 at 9:50 AM Robert Paschedag
>> <robert.paschedag at web.de>
>>>> wrote:
>>>> 
>>>>> Am 9. Oktober 2018 15:24:55 MESZ schrieb sandwormusmc <
>>>>> sandwormusmc at gmail.com>:
>>>>>> Looks like an issue Red Hat should fix, too be honest.  While you
>> could
>>>>>> pull the CA cert of the issuer and import it, I get an invalid
>> issuer
>>>>>> error when I pull up that URL in my browser, too.  So updating
>> your CA
>>>>>> certs may not help either (unless Red Hat provides the root cert
>> for
>>>>>> whomever generated the cert for cdn.redhat.com).
>>>>>> If you have a Red Hat support contract, I would open a ticket with
>> this
>>>>>> information and ask for their input.
>>>>>> 
>>>>>> 
>>>>>> Sent from my Verizon, Samsung Galaxy smartphone
>>>>>> -------- Original message --------From: "Irwin, Jeffrey"
>>>>>> <Jeffrey.Irwin at rivertechllc.com> Date: 10/9/18  8:46 AM 
>> (GMT-05:00)
>>>>>> To: Robert Paschedag <robert.paschedag at web.de>,
>>>>>> spacewalk-list at redhat.com Subject: Re: [Spacewalk-list] RHEL repo
>> sync
>>>>>> error - CURL #60
>>>>>> I have tried this with a local mirror repo......no dice, tried it
>> with
>>>>>> subscribed RHEL repo, no dice, trying to track this pesky cert
>> issue.
>>>>>> Will check out the man page and see, would be nice to see a more
>>>>>> verbose indication of what cert it is trying to use, where it is,
>> etc..
>>>>>> ________________________________________
>>>>>> From: Robert Paschedag <robert.paschedag at web.de>
>>>>>> Sent: Tuesday, October 9, 2018 8:41 AM
>>>>>> To: spacewalk-list at redhat.com; Irwin, Jeffrey;
>>>>>> spacewalk-list at redhat.com
>>>>>> Subject: Re: [Spacewalk-list] RHEL repo sync error - CURL #60
>>>>>> 
>>>>>> Am 9. Oktober 2018 14:04:25 MESZ schrieb "Irwin, Jeffrey"
>>>>>> <Jeffrey.Irwin at rivertechllc.com>:
>>>>>>> ?Same issue I ma having, interested to see the solution.
>>>>>> 
>>>>>> I think manpage of update-ca-certificates should help.
>>>>>> 
>>>>>> Get the issuer cert, update the local CA certs and it should run
>> (in
>>>>>> case, there is no new rpm which updates the certs)
>>>>>> 
>>>>>> Robert
>>>>>>> 
>>>>>>> ________________________________
>>>>>>> From: spacewalk-list-bounces at redhat.com
>>>>>>> <spacewalk-list-bounces at redhat.com> on behalf of Raymond
>> Setchfield
>>>>>>> <raymond.setchfield at gmail.com>
>>>>>>> Sent: Monday, October 8, 2018 6:47 AM
>>>>>>> To: spacewalk-list at redhat.com
>>>>>>> Subject: [Spacewalk-list] RHEL repo sync error - CURL #60
>>>>>>> 
>>>>>>> Hi
>>>>>>> 
>>>>>>> I have been attempting to pull the RHEL updates into spacewalk,
>> and I
>>>>>>> am receiving the following error;
>>>>>>> 
>>>>>>> # spacewalk-repo-sync -c rhel07-update
>>>>>>> 11:44:03 ======================================
>>>>>>> 11:44:03 | Channel: rhel07-update
>>>>>>> 11:44:03 ======================================
>>>>>>> 11:44:03 Sync of channel started.
>>>>>>> 11:44:03
>>>>>>> 11:44:03   Processing repository with URL:
>>>>> 
>>>> https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
>>>>>>> Repository group_spacewalkproject-java-packages is listed more
>> than
>>>>>>> once in the configuration
>>>>>>> 11:44:03 ERROR: failure: repodata/repomd.xml from
>> rhel07-update.repo:
>>>>>>> [Errno 256] No more mirrors to try.
>>>>>>> 
>>>>> 
>> https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml
>>>>> :
>>>>>>> [Errno 14] curl#60 - "Peer's certificate issuer has been marked
>> as not
>>>>>>> trusted by the user."
>>>>>>> 11:44:03 Sync of channel completed in 0:00:00.
>>>>>>> 11:44:03 Total time: 0:00:00
>>>>>>> 
>>>>>>> Looking into this it appears to be a certificate issue from what
>> I can
>>>>>>> gather. My assumption is to use the "redhat-uep.pem" Is this
>> correct?
>>>>>>> If so where do I place this to allow the curl to work? Or am I
>> off in
>>>>>>> the wrong direction
>>>>>>> 
>>>>>>> Thanks
>>>>>>> 
>>>>>>> Ray
>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> sent from my mobile device
>>>>>> 
>>>>>> _______________________________________________
>>>>>> Spacewalk-list mailing list
>>>>>> Spacewalk-list at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>>>> 
>>>>> There is a self signed cert within the SSL path, which does not
>> seem to
>>>>> be on your cert parts.
>>>>> 
>>>>> So download the certs via the browser (export root ca and
>> intermediate
>>>>> cas), put the in the "anchors" directory  (where update-ca-trust or
>>>>> update-ca-certificates wants them to be), update the certs... Then
>> try
>>>>> again.
>>>>> 
>>>>> Robert
>>>>> --
>>>>> sent from my mobile device
>>>>> 
>>>> _______________________________________________
>>> Spacewalk-list mailing list
>>> Spacewalk-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>> 
>>> _______________________________________________
>>> Spacewalk-list mailing list
>>> Spacewalk-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/spacewalk-list
> 
> 
> -- 
> sent from my mobile device
> 
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list

More information about the Spacewalk-list mailing list