rpm repo sp

Rachid MONIR r.monir at hotmail.fr
Wed Aug 10 15:47:43 UTC 2022

It was a problem on my system (RHEL8 upgrade from 7). Installing the system from scratch has resolved the issue.
I managed to install Shibboleth SP 3.3.0 from the repo; however, I noticed a warning about deprecated mod_shib. This seems to be resolved in 3.3.1. How can I install this version?

From: users <users-bounces at shibboleth.net> on behalf of Peter Schober via users <users at shibboleth.net>
Sent: Friday, August 5, 2022 20:44
To: users at shibboleth.net <users at shibboleth.net>
Cc: Peter Schober <peter.schober at univie.ac.at>
Subject: Re: rpm repo sp

* Rachid MONIR via users <users at shibboleth.net> [2022-08-05 18:46]:
> Errors during downloading metadata for repository 'shibboleth':
>   - Curl error (60): SSL peer certificate or SSH remote key was not
>   OK for https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_8 [SSL
>   certificate problem: unable to get local issuer certificate]

That's weird because downloading the repo signing key from that same
machine seems to have worked?

> I've downloaded repomd.xml.key
> wget https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key

(The difference being wget vs. [lib]curl?)

FWIW, I don't see any server-side TLS problems on shibboleth.net,
neither with curl (v4, v6) nor openssl's s_client, at least not from
an OS released in the last 5 years. (Tried Debian versions 11 to 9. No RHEL here.)

$ curl -4 -sSo /dev/null -I https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_8

$ curl -6 -sSo /dev/null -I https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_8

$ openssl s_client -connect shibboleth.net:443 < /dev/null 2>&1 < /dev/null | fgrep -A7 chain
Certificate chain
 0 s:CN = shibboleth.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

Maybe the cert chain on the server is not optimal for some client OSs
(there might be several different ones, though not even SSL Labs
finds anything wrong) or it's a local problem on the OS you're
trying to run yum on.
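
One way to follow up on the chain question raised above, as an added example that is not part of the original thread or of the Shibboleth project's tooling: parse the chain that `openssl s_client` prints, confirm each certificate is issued by the next one, and name the top-of-chain certificates to look for in the client's own CA bundle. The function names are hypothetical, and the default bundle path is an assumption (the usual RHEL location).

```shell
#!/bin/sh
# Constructed sample: the chain as s_client printed it in the message above.
sample_chain() {
cat <<'EOF'
Certificate chain
 0 s:CN = shibboleth.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
EOF
}

# Read s_client output on stdin; print "depth|subject CN|issuer CN" per certificate.
chain_links() {
  awk '
    function cn(s) { sub(/^.*CN ?= ?/, "", s); return s }
    /^ *[0-9]+ s:/ { depth = $1; subj = cn($0); next }
    /^ *i:/        { print depth "|" subj "|" cn($0) }'
}

# Return 0 if every certificate sent by the server is issued by the next one;
# otherwise print where the chain breaks and return 1.
chain_is_contiguous() {
  chain_links | awk -F'|' '
    NR > 1 && $2 != prev { print "break at depth " $1 ": expected " prev; bad = 1; exit }
    { prev = $3 }
    END { exit bad + 0 }'
}

# Subject and issuer CN of the last certificate sent: the names to look for
# in the local trust store when the client cannot find the "local issuer".
anchor_names() {
  chain_links | awk -F'|' '{ s = $2; i = $3 } END { if (NR) { print s; print i } }'
}

# Return 0 if the CA bundle ($2, default path is an assumption) holds a
# certificate whose subject contains CN=$1 (substring match).
bundle_has_cn() {
  openssl crl2pkcs7 -nocrl -certfile "${2:-/etc/pki/tls/certs/ca-bundle.crt}" |
    openssl pkcs7 -print_certs -noout |
    sed -n 's/ *= */=/g; /^subject/p' | grep -qF "CN=$1"
}

# Offline demo on the constructed sample; for a live host, pipe s_client output in.
sample_chain | chain_is_contiguous && sample_chain | anchor_names
```

On the affected machine, running `bundle_has_cn` for each name printed by `anchor_names` shows whether the local bundle can terminate the chain at all.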
