rpm repo sp
Rachid MONIR
r.monir at hotmail.fr
Wed Aug 10 15:47:43 UTC 2022
It was a problem on my system (RHEL8 upgrade from 7). Installing the system from scratch has resolved the issue.
I managed to install Shibboleth SP 3.3.0 from the repo; however, I noticed a warning about deprecated mod_shib. This seems to be resolved in 3.3.1. How can I install this version?
Thanks.
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Peter Schober via users <users at shibboleth.net>
Sent: Friday, August 5, 2022 20:44
To: users at shibboleth.net <users at shibboleth.net>
Cc: Peter Schober <peter.schober at univie.ac.at>
Subject: Re: rpm repo sp
* Rachid MONIR via users <users at shibboleth.net> [2022-08-05 18:46]:
> Errors during downloading metadata for repository 'shibboleth':
> - Curl error (60): SSL peer certificate or SSH remote key was not
> OK for https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_8 [SSL
> certificate problem: unable to get local issuer certificate]
That's weird because downloading the repo signing key from that same
machine seems to have worked?
> I've downloaded repomd.xml.key
> wget https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key
(The difference being wget vs. [lib]curl?)
FWIW, I don't see any server-side TLS problems on shibboleth.net,
neither with curl (v4, v6) nor openssl's s_client, at least not from
an OS released in the last 5 years. (Tried Debian versions 11 to 9. No RHEL here.)
$ curl -4 -sSo /dev/null -I https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_8
$ curl -6 -sSo /dev/null -I https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_8
$ openssl s_client -connect shibboleth.net:443 < /dev/null 2>&1 < /dev/null | fgrep -A7 chain
Certificate chain
 0 s:CN = shibboleth.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Maybe the cert chain on the server is not optimal for some client OSs
(there might be several different ones, though not even SSL Labs
finds anything wrong) or it's a local problem on the OS you're
trying to run yum on.
-peter
--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
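An added example, not part of the thread and not Shibboleth project code: a small shell helper that walks `openssl s_client` chain output like the listing quoted above and reports which issuer a client could anchor on, given the root CNs present in its local trust store. It compares names only (no signature or validity-date checks); `chain_anchor`, `sample_chain` and the "Example Corp Root" name are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added illustration; chain_anchor and sample_chain are hypothetical helper names.

# Constructed sample input: the chain listing quoted in the message above.
sample_chain() {
cat <<'EOF'
Certificate chain
 0 s:CN = shibboleth.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}

# chain_anchor "CN1,CN2,..."  (chain listing on stdin)
# Walks the chain from the leaf up and prints the first issuer whose CN is in
# the given list of locally trusted root CNs. Compares names only: it does not
# verify signatures or validity dates.
# Exit status: 0 = anchor found, 1 = no anchor, 2 = certs do not link up.
chain_anchor() {
  awk -v trusted="$1" '
    function cn(s) { sub(/.*CN = /, "", s); return s }
    BEGIN { n = split(trusted, t, ","); for (k = 1; k <= n; k++) ok[t[k]] = 1 }
    /^ *[0-9]+ s:/ {                      # subject line of cert N
      idx = $1; subj = cn($0)
      if (prev != "" && subj != prev) { print "broken chain at cert " idx; bad = 1; exit }
      next
    }
    /^ *i:/ {                             # issuer line of the same cert
      prev = cn($0)
      if (prev in ok) { print "anchored at " prev " (issuer of cert " idx ")"; found = 1; exit }
    }
    END {
      if (bad) exit 2
      if (!found) { print "no trusted anchor; chain tops out at " prev; exit 1 }
    }
  '
}

# Demo: a trust store with ISRG Root X1, then one with only a constructed private root.
sample_chain | chain_anchor "ISRG Root X1" || true
sample_chain | chain_anchor "Example Corp Root" || true
```

To use it on a live host, pipe the `openssl s_client` output into `chain_anchor` and pass the root CNs actually present in that machine's CA bundle.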