rpm repo sp
Peter Schober
peter.schober at univie.ac.at
Fri Aug 5 18:44:10 UTC 2022
* Rachid MONIR via users <users at shibboleth.net> [2022-08-05 18:46]:
> Errors during downloading metadata for repository 'shibboleth':
> - Curl error (60): SSL peer certificate or SSH remote key was not
> OK for https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_8 [SSL
> certificate problem: unable to get local issuer certificate]
That's weird because downloading the repo signing key from that same
machine seems to have worked?
> I've downloaded repomd.xml.key
> wget https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key
(The difference being wget vs. [lib]curl?)
FWIW, I don't see any server-side TLS problems on shibboleth.net,
neither with curl (v4, v6) nor openssl's s_client, at least not from
an OS released in the last 5 years. (Tried Debian versions 11 to 9. No RHEL here.)
$ curl -4 -sSo /dev/null -I https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_8
$ curl -6 -sSo /dev/null -I https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_8
$ openssl s_client -connect shibboleth.net:443 < /dev/null 2>&1 < /dev/null | fgrep -A7 chain
Certificate chain
 0 s:CN = shibboleth.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Maybe the cert chain on the server is not optimal for some client OSs
(there might be several different ones, though not even SSL Labs
finds anything wrong) or it's a local problem on the OS you're
trying to run yum on.
-peter
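
Added example, not part of the original message or of the Shibboleth project: a shell sketch that lists the issuers in the served chain and checks which of them appear as roots in a client's CA bundle, to separate a server-side chain issue from a local trust store problem. The helper names, the sample input (constructed from the s_client output above) and the /tmp/roots.txt file name are assumptions.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, sample data is constructed.

# Constructed sample: the chain block as printed by openssl s_client.
sample_chain() {
    cat <<'EOF'
Certificate chain
 0 s:CN = shibboleth.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}

# stdin: s_client output. Prints "depth|subject CN|issuer CN" per chain cert.
chain_names() {
    awk '
        function cn(s) { sub(/^.*CN ?= ?/, "", s); sub(/,.*$/, "", s); return s }
        /^Certificate chain/       { in_chain = 1; next }
        in_chain && /^---/         { exit }
        in_chain && /^ *[0-9]+ s:/ { depth = $1; subj = cn($0); next }
        in_chain && /^ *i:/        { print depth "|" subj "|" cn($0) }
    '
}

# $1: PEM CA bundle. Prints the subject CN of every certificate in it.
# Assumes the comma-separated subject format of OpenSSL 1.1.1 and later.
bundle_cns() {
    awk -v cmd='openssl x509 -noout -subject 2>/dev/null' \
        '/BEGIN CERTIFICATE/ { close(cmd) } { print | cmd }' "$1" |
        sed -E -n 's/^.*CN ?= ?([^,]*).*$/\1/p'
}

# stdin: s_client output; $1: file with one locally trusted root CN per line.
# Prints every issuer in the served chain that the client could anchor at.
# Exit status 1 (no match) is the name-level case curl reports as "unable to
# get local issuer certificate". Keys and validity dates are not checked.
check_anchors() {
    chain_names | cut -d'|' -f3 | sort -u | grep -Fx -f "$1"
}

# On the affected host (bundle path is the RHEL/CentOS default):
#   bundle_cns /etc/pki/tls/certs/ca-bundle.crt > /tmp/roots.txt
#   openssl s_client -connect shibboleth.net:443 </dev/null 2>/dev/null |
#       check_anchors /tmp/roots.txt
```

If check_anchors prints a root name but yum still fails, compare the bundle that libcurl/dnf actually reads with the one wget used.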