[RESOLVED] YUM Error - Peer cert cannot be verified
Posted: 2011/08/03 14:38:47
I wanted to share this information with everyone in the hopes that it might save someone some of the frustration that I've had in dealing with this issue. Hope it helps! :-)
While attempting to do a CentOS 6.0 kickstart install, I ran into a fun error when Anaconda started trying to pull from our local YUM repository. The error was:
[quote][Errno 14] Peer cert cannot be verified or peer cert invalid
[/quote]
At that point, the install bombed out. The local repository that I was trying to use runs over https and has a self-signed certificate. This was never an issue in CentOS 5.x, but the default behavior of YUM has changed in 6.0. In RHEL6 (and by extension CentOS 6), SSL certs are now validated by YUM and if validation fails, YUM will error out with the above message.
If you have a RHN subscription, see [url=https://access.redhat.com/kb/docs/DOC-53910]https://access.redhat.com/kb/docs/DOC-53910[/url]
From the KB article:
[quote]In RHEL5 SSL certs were not validated, now in RHEL6 they are by default. SSL validation can be disabled by adding sslverify=false to /etc/yum.conf. However if validation the server's SSL certificate is need, then the certificate authority's certificate (cacert) need to be downloaded to the yum client and then a pointer to that cacert file needs to be added to yum.conf using the sslcacert option, such as sslcacert=/etc/yum.cacert.
[/quote]
Apparently this bug has been reported upstream and fixed in Anaconda 14.10 and pykickstart-1.76, and a '--noverifyssl' kickstart flag has been added.
This fix won't help current CentOS 6.0 users, but there is a workaround listed on the Bugzilla page:
[url=https://bugzilla.redhat.com/show_bug.cgi?id=599040#c0]https://bugzilla.redhat.com/show_bug.cgi?id=599040#c0[/url]
Basically, you'll need to add the CA cert for your repository to the global trusted cert store in your kickstart script like this:
[quote]%pre
cat >/etc/pki/tls/certs/ca-bundle.crt <<END
-----BEGIN CERTIFICATE-----
MIIEKjCCAxKgAwIBAgIQYAGXt0an6rS0mtZLL/eQ+zANBgkqhkiG9w0BAQsFADCB
rjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
MDggdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxJDAiBgNV
BAMTG3RoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EgLSBHMzAeFw0wODA0MDIwMDAwMDBa
Fw0zNzEyMDEyMzU5NTlaMIGuMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3Rl
LCBJbmMuMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9u
MTgwNgYDVQQLEy8oYykgMjAwOCB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXpl
ZCB1c2Ugb25seTEkMCIGA1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAtIEcz
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsr8nLPvb2FvdeHsbnndm
gcs+vHyu86YnmjSjaDFxODNi5PNxZnmxqWWjpYvVj2AtP0LMqmsywCPLLEHd5N/8
YZzic7IilRFDGF/Eth9XbAoFWCLINkw6fKXRz4aviKdEAhN0cXMKQlkC+BsUa0Lf
b1+6a4KinVvnSr0eAXLbS3ToO39/fR8EtCab4LRarEc9VbjXsCZSKAExQGbY2SS9
9irY7CFJXJv2eul/VTV+lmuNk5Mny5K76qxAwJ/C+IDPXfRa3M50hqY+bAtTyr2S
zhkGcuYMXDhpxwTWvGzOW/b3aJzcJRVIiKHpqfiYnODz1TEoYRFsZ5aNOZnLwkUk
OQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
HQ4EFgQUrWyqlGCc7eT/+j4KdCtjA/e2Wb8wDQYJKoZIhvcNAQELBQADggEBABpA
2JVlrAmSicY59BDlqQ5mU1143vokkbvnRFHfxhY0Cu9qRFHqKweKA3rD6z8KLFIW
oCtDuSWQP3CpMyVtRRooOyfPqsMpQhvfO0zAMzRbQYi/aytlryjvsvXDqmbOe1bu
t8jLZ8HJnBoYuMTDSQPxYA5QzUbF83d597YV4Djbxy8ooAw/dyZ02SUS2jHaGh7c
KUGRIjxpp7sC8rZcJwOJ9Abqm+RyguOhCcHpABnTPtRwa7pxpqpYrvS76Wy274fM
m7v/OeZWYdMKp8RcTGB7BXcmer/YB1IsYvdwY9k5vG8cwnncdimvzsUsZAReiDZu
MdRAGmI0Nj81Aa6sY6A=
-----END CERTIFICATE-----
%end
[/quote]
I searched all through the CentOS forums and site and didn't see anyone mention this issue so far, so hopefully this information saves someone some trouble of piecing together what's going on and how to work around it.
I also just want to make clear that this is an upstream vendor "bug," so it's through no fault of the CentOS team. The CentOS team is doing a fantastic job, and I want to thank everyone for all the time and effort that they've put into bringing us the excellent 6.0 release! 8-)
While attempting to do a CentOS 6.0 kickstart install, I ran into a fun error when Anaconda started trying to pull from our local YUM repository. The error was:
[quote][Errno 14] Peer cert cannot be verified or peer cert invalid
[/quote]
At that point, the install bombed out. The local repository that I was trying to use runs over https and has a self-signed certificate. This was never an issue in CentOS 5.x, but the default behavior of YUM has changed in 6.0. In RHEL6 (and by extension CentOS 6), SSL certs are now validated by YUM and if validation fails, YUM will error out with the above message.
If you have a RHN subscription, see [url=https://access.redhat.com/kb/docs/DOC-53910]https://access.redhat.com/kb/docs/DOC-53910[/url]
From the KB article:
[quote]In RHEL5 SSL certs were not validated, now in RHEL6 they are by default. SSL validation can be disabled by adding sslverify=false to /etc/yum.conf. However if validation the server's SSL certificate is need, then the certificate authority's certificate (cacert) need to be downloaded to the yum client and then a pointer to that cacert file needs to be added to yum.conf using the sslcacert option, such as sslcacert=/etc/yum.cacert.
[/quote]
Apparently this bug has been reported upstream and fixed in Anaconda 14.10 and pykickstart-1.76, and a '--noverifyssl' kickstart flag has been added.
This fix won't help current CentOS 6.0 users, but there is a workaround listed on the Bugzilla page:
[url=https://bugzilla.redhat.com/show_bug.cgi?id=599040#c0]https://bugzilla.redhat.com/show_bug.cgi?id=599040#c0[/url]
Basically, you'll need to add the CA cert for your repository to the global trusted cert store in your kickstart script like this:
[quote]%pre
cat >/etc/pki/tls/certs/ca-bundle.crt <<END
-----BEGIN CERTIFICATE-----
MIIEKjCCAxKgAwIBAgIQYAGXt0an6rS0mtZLL/eQ+zANBgkqhkiG9w0BAQsFADCB
rjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
MDggdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxJDAiBgNV
BAMTG3RoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EgLSBHMzAeFw0wODA0MDIwMDAwMDBa
Fw0zNzEyMDEyMzU5NTlaMIGuMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3Rl
LCBJbmMuMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9u
MTgwNgYDVQQLEy8oYykgMjAwOCB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXpl
ZCB1c2Ugb25seTEkMCIGA1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAtIEcz
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsr8nLPvb2FvdeHsbnndm
gcs+vHyu86YnmjSjaDFxODNi5PNxZnmxqWWjpYvVj2AtP0LMqmsywCPLLEHd5N/8
YZzic7IilRFDGF/Eth9XbAoFWCLINkw6fKXRz4aviKdEAhN0cXMKQlkC+BsUa0Lf
b1+6a4KinVvnSr0eAXLbS3ToO39/fR8EtCab4LRarEc9VbjXsCZSKAExQGbY2SS9
9irY7CFJXJv2eul/VTV+lmuNk5Mny5K76qxAwJ/C+IDPXfRa3M50hqY+bAtTyr2S
zhkGcuYMXDhpxwTWvGzOW/b3aJzcJRVIiKHpqfiYnODz1TEoYRFsZ5aNOZnLwkUk
OQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
HQ4EFgQUrWyqlGCc7eT/+j4KdCtjA/e2Wb8wDQYJKoZIhvcNAQELBQADggEBABpA
2JVlrAmSicY59BDlqQ5mU1143vokkbvnRFHfxhY0Cu9qRFHqKweKA3rD6z8KLFIW
oCtDuSWQP3CpMyVtRRooOyfPqsMpQhvfO0zAMzRbQYi/aytlryjvsvXDqmbOe1bu
t8jLZ8HJnBoYuMTDSQPxYA5QzUbF83d597YV4Djbxy8ooAw/dyZ02SUS2jHaGh7c
KUGRIjxpp7sC8rZcJwOJ9Abqm+RyguOhCcHpABnTPtRwa7pxpqpYrvS76Wy274fM
m7v/OeZWYdMKp8RcTGB7BXcmer/YB1IsYvdwY9k5vG8cwnncdimvzsUsZAReiDZu
MdRAGmI0Nj81Aa6sY6A=
-----END CERTIFICATE-----
%end
[/quote]
I searched all through the CentOS forums and site and didn't see anyone mention this issue so far, so hopefully this information saves someone some trouble of piecing together what's going on and how to work around it.
I also just want to make clear that this is an upstream vendor "bug," so it's through no fault of the CentOS team. The CentOS team is doing a fantastic job, and I want to thank everyone for all the time and effort that they've put into bringing us the excellent 6.0 release! 8-)