[Spacewalk-list] RHEL repo sync error - CURL #60

Wed Oct 10 05:03:25 UTC 2018

Am 9. Oktober 2018 21:01:18 MESZ schrieb Raymond Setchfield <raymond.setchfield at gmail.com>:
>Hi Robert
>
>Thanks for the reply.
>
>For me the RHEL subscriptions are brand new and therefore I don’t think
>that this is the problem.
>
>I’ll look further into the SSL issue though, as that would potentially
>make sense. I thought it was just done through the subscription manager
>using username and password. 
>
>Ray

Does this not help?

https://access.redhat.com/solutions/189533

Robert
>
>> On 9 Oct 2018, at 19:33, Robert Paschedag <robert.paschedag at web.de>
>wrote:
>> 
>> Am 9. Oktober 2018 18:46:27 MESZ schrieb Matt Moldvan
><matt at moldvan.com>:
>>> No, unfortunately, I gave up on trying a long time ago, as it seemed
>>> like a
>>> very hokey approach to first sync using reposync on additional VMs,
>run
>>> createrepo, then add those as channels in Spacewalk.  Due to that
>and
>>> other
>>> cost saving initiatives, I gave up and changed our infrastructure to
>>> avoid
>>> using RHEL as much as possible in favor of CentOS...
>> 
>> I'm pretty sure, that all red hat customers here with this "SSL cert
>error" or "403 error" while syncing repos are mixing those errors.
>> 
>> Note: I'm not a red hat customer. But as far as I know, red hat uses
>SSL certificates to identify customers and grant access to the repos.
>> 
>> So if the access to the repos returns "403" (suddenly), maybe your
>subscription expired. So you might need to refresh these certificates.
>(Again, I'm not sure).
>> 
>> The SSL validation error (curl) is something "general".
>> 
>> And, I also thought, that there are rpms within the red hat repos,
>that contain these CA certs that are used on their Webservers so the
>customers do *not* get these "curl" errors.
>> 
>> Robert
>>> 
>>> On Tue, Oct 9, 2018 at 11:55 AM Raymond Setchfield <
>>> raymond.setchfield at gmail.com> wrote:
>>> 
>>>> Have you got this working, Matt?
>>>> 
>>>> On 9 Oct 2018, at 16:21, Matt Moldvan <matt at moldvan.com> wrote:
>>>> 
>>>> Oops, looks like my replies weren't making it to the mailing list
>>> (forgot
>>>> to change the "From" option).
>>>> 
>>>> Anyway, I intended to reply to the list and not just Robert...
>>>> 
>>>> On Tue, Oct 9, 2018 at 11:18 AM Matt Moldvan
><sandwormusmc at gmail.com>
>>>> wrote:
>>>> 
>>>>> Yeah, makes sense.  My point was that Red Hat expecting this to be
>>> done
>>>>> by it's customers is silly and they shouldn't be using self signed
>>> certs in
>>>>> the path and making their customers do extra work...
>>>>> 
>>>>> On Tue, Oct 9, 2018 at 9:50 AM Robert Paschedag
>>> <robert.paschedag at web.de>
>>>>> wrote:
>>>>> 
>>>>>> Am 9. Oktober 2018 15:24:55 MESZ schrieb sandwormusmc <
>>>>>> sandwormusmc at gmail.com>:
>>>>>>> Looks like an issue Red Hat should fix, too be honest.  While
>you
>>> could
>>>>>>> pull the CA cert of the issuer and import it, I get an invalid
>>> issuer
>>>>>>> error when I pull up that URL in my browser, too.  So updating
>>> your CA
>>>>>>> certs may not help either (unless Red Hat provides the root cert
>>> for
>>>>>>> whomever generated the cert for cdn.redhat.com).
>>>>>>> If you have a Red Hat support contract, I would open a ticket
>with
>>> this
>>>>>>> information and ask for their input.
>>>>>>> 
>>>>>>> 
>>>>>>> Sent from my Verizon, Samsung Galaxy smartphone
>>>>>>> -------- Original message --------From: "Irwin, Jeffrey"
>>>>>>> <Jeffrey.Irwin at rivertechllc.com> Date: 10/9/18  8:46 AM 
>>> (GMT-05:00)
>>>>>>> To: Robert Paschedag <robert.paschedag at web.de>,
>>>>>>> spacewalk-list at redhat.com Subject: Re: [Spacewalk-list] RHEL
>repo
>>> sync
>>>>>>> error - CURL #60
>>>>>>> I have tried this with a local mirror repo......no dice, tried
>it
>>> with
>>>>>>> subscribed RHEL repo, no dice, trying to track this pesky cert
>>> issue.
>>>>>>> Will check out the man page and see, would be nice to see a more
>>>>>>> verbose indication of what cert it is trying to use, where it
>is,
>>> etc..
>>>>>>> ________________________________________
>>>>>>> From: Robert Paschedag <robert.paschedag at web.de>
>>>>>>> Sent: Tuesday, October 9, 2018 8:41 AM
>>>>>>> To: spacewalk-list at redhat.com; Irwin, Jeffrey;
>>>>>>> spacewalk-list at redhat.com
>>>>>>> Subject: Re: [Spacewalk-list] RHEL repo sync error - CURL #60
>>>>>>> 
>>>>>>> Am 9. Oktober 2018 14:04:25 MESZ schrieb "Irwin, Jeffrey"
>>>>>>> <Jeffrey.Irwin at rivertechllc.com>:
>>>>>>>> ?Same issue I ma having, interested to see the solution.
>>>>>>> 
>>>>>>> I think manpage of update-ca-certificates should help.
>>>>>>> 
>>>>>>> Get the issuer cert, update the local CA certs and it should run
>>> (in
>>>>>>> case, there is no new rpm which updates the certs)
>>>>>>> 
>>>>>>> Robert
>>>>>>>> 
>>>>>>>> ________________________________
>>>>>>>> From: spacewalk-list-bounces at redhat.com
>>>>>>>> <spacewalk-list-bounces at redhat.com> on behalf of Raymond
>>> Setchfield
>>>>>>>> <raymond.setchfield at gmail.com>
>>>>>>>> Sent: Monday, October 8, 2018 6:47 AM
>>>>>>>> To: spacewalk-list at redhat.com
>>>>>>>> Subject: [Spacewalk-list] RHEL repo sync error - CURL #60
>>>>>>>> 
>>>>>>>> Hi
>>>>>>>> 
>>>>>>>> I have been attempting to pull the RHEL updates into spacewalk,
>>> and I
>>>>>>>> am receiving the following error;
>>>>>>>> 
>>>>>>>> # spacewalk-repo-sync -c rhel07-update
>>>>>>>> 11:44:03 ======================================
>>>>>>>> 11:44:03 | Channel: rhel07-update
>>>>>>>> 11:44:03 ======================================
>>>>>>>> 11:44:03 Sync of channel started.
>>>>>>>> 11:44:03
>>>>>>>> 11:44:03   Processing repository with URL:
>>>>>> 
>>>>>
>https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
>>>>>>>> Repository group_spacewalkproject-java-packages is listed more
>>> than
>>>>>>>> once in the configuration
>>>>>>>> 11:44:03 ERROR: failure: repodata/repomd.xml from
>>> rhel07-update.repo:
>>>>>>>> [Errno 256] No more mirrors to try.
>>>>>>>> 
>>>>>> 
>>>
>https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml
>>>>>> :
>>>>>>>> [Errno 14] curl#60 - "Peer's certificate issuer has been marked
>>> as not
>>>>>>>> trusted by the user."
>>>>>>>> 11:44:03 Sync of channel completed in 0:00:00.
>>>>>>>> 11:44:03 Total time: 0:00:00
>>>>>>>> 
>>>>>>>> Looking into this it appears to be a certificate issue from
>what
>>> I can
>>>>>>>> gather. My assumption is to use the "redhat-uep.pem" Is this
>>> correct?
>>>>>>>> If so where do I place this to allow the curl to work? Or am I
>>> off in
>>>>>>>> the wrong direction
>>>>>>>> 
>>>>>>>> Thanks
>>>>>>>> 
>>>>>>>> Ray
>>>>>>> 
>>>>>>> 
>>>>>>> --
>>>>>>> sent from my mobile device
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> Spacewalk-list mailing list
>>>>>>> Spacewalk-list at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>>>>> 
>>>>>> There is a self signed cert within the SSL path, which does not
>>> seem to
>>>>>> be on your cert parts.
>>>>>> 
>>>>>> So download the certs via the browser (export root ca and
>>> intermediate
>>>>>> cas), put the in the "anchors" directory  (where update-ca-trust
>or
>>>>>> update-ca-certificates wants them to be), update the certs...
>Then
>>> try
>>>>>> again.
>>>>>> 
>>>>>> Robert
>>>>>> --
>>>>>> sent from my mobile device
>>>>>> 
>>>>> _______________________________________________
>>>> Spacewalk-list mailing list
>>>> Spacewalk-list at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>>> 
>>>> _______________________________________________
>>>> Spacewalk-list mailing list
>>>> Spacewalk-list at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>> 
>> 
>> -- 
>> sent from my mobile device
>> 
>> _______________________________________________
>> Spacewalk-list mailing list
>> Spacewalk-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>
>_______________________________________________
>Spacewalk-list mailing list
>Spacewalk-list at redhat.com
>https://www.redhat.com/mailman/listinfo/spacewalk-list

-- 
sent from my mobile device