Peter Schober peter.schober at univie.ac.at
Fri Aug 5 18:44:10 UTC 2022

* Rachid MONIR via users <users at shibboleth.net> [2022-08-05 18:46]:
> Errors during downloading metadata for repository 'shibboleth':
>   - Curl error (60): SSL peer certificate or SSH remote key was not
>   OK for https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_8 [SSL
>   certificate problem: unable to get local issuer certificate]

That's weird because downloading the repo signing key from that same
machine seems to have worked?

> I've downloaded repomd.xml.key
> wget https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key

(The difference being wget vs. [lib]curl?)

FWIW, I don't see any server-side TLS problems on shibboleth.net,
neither with curl (v4, v6) nor openssl's s_client, at least not from
an OS released in the last 5 years. (Tried Debian versions 11 to 9. No RHEL here.)

$ curl -4 -sSo /dev/null -I https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_8

$ curl -6 -sSo /dev/null -I https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_8

$ openssl s_client -connect shibboleth.net:443 < /dev/null 2>&1 | fgrep -A7 chain
Certificate chain
 0 s:CN = shibboleth.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

Maybe the cert chain on the server is not optimal for some client OSs
(there might be several different ones, though not even SSL Labs
finds anything wrong) or it's a local problem on the OS you're
trying to run yum on.
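To make the "local issuer" failure mode concrete, here is an added example (not code from this thread or from Shibboleth) that builds a root -> intermediate -> leaf chain like the one s_client printed above and runs `openssl verify` the way a TLS client does, once with a trust store that lacks the chain's root and once with it. All names and certificates are constructed on the fly; it assumes `openssl` 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce libcurl's
# "unable to get local issuer certificate" (error 20) with a constructed
# root -> intermediate -> leaf chain (stand-ins for ISRG Root X1 -> R3 -> leaf),
# then show the same leaf verify once the root is in the client's trust store.
# Assumes openssl 1.1.1+; every key and certificate is generated locally.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# csr CN NAME: fresh RSA key plus CSR for the given common name
csr() { openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
          -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null; }

make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$WORK/ca.ext"
  csr "Example Root" root
  csr "Example Intermediate" int
  csr "mirror.example.test" leaf
  csr "Unrelated Root" other
  # two self-signed roots: the chain's real root, and one the client trusts instead
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/other.csr" -signkey "$WORK/other.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/other.pem" 2>/dev/null
  # intermediate signed by the root, leaf signed by the intermediate
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_leaf TRUSTFILE: verify the leaf as a TLS client would, treating the
# server-sent intermediate as untrusted input and TRUSTFILE as the trust store.
verify_leaf() {
  openssl verify -CAfile "$1" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" 2>&1 || true
}

# trust store lacks the chain's root: the error from the original report
missing_root() { verify_leaf "$WORK/other.pem"; }
# trust store contains the root: the same leaf verifies fine
with_root() { verify_leaf "$WORK/root.pem"; }

make_chain
echo "--- client trust store without the root:"; missing_root
echo "--- client trust store with the root:";    with_root
```

The first run ends in "error 20 at 1 depth lookup: unable to get local issuer certificate", which is what libcurl reports; the second prints "OK", showing the server chain is fine and the client's trust store is the variable.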


