Customize Yum Server with SSL

wengin211
Posts: 5
Joined: 2018/04/21 06:16:37

Customize Yum Server with SSL

Postby wengin211 » 2018/04/21 06:23:27

Hi,
I have created a YUM server (CentOS 6.8, using Apache) by creating a repository for client servers to use.
I have already enabled 443 (https) using SSL with a cert issued from my CA, and the cert seems valid when I use Chrome to browse the file lists over https.
So I changed the .repo file on my client servers to point at e.g. baseurl=https://xx.xx/centos/6/Packages,
but I got errors when using yum: [Errno 14] Peer cert cannot be verified or peer cert invalid
Is there any setting that I missed? Thanks.

TrevorH
Forum Moderator
Posts: 22575
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Customize Yum Server with SSL

Postby TrevorH » 2018/04/21 10:21:12

If this is a genuine CA issued certificate then it should just work. If it's a self-signed cert then you probably either need to import your CA cert into the trusted list or tell yum to ignore the errors. Running man yum.conf and searching for SSL shows me parameters like sslcacert=, sslverify, sslclientcert, sslclientkey, and ssl_check_cert_permissions.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

wengin211
Posts: 5
Joined: 2018/04/21 06:16:37

Re: Customize Yum Server with SSL

Postby wengin211 » 2018/04/22 03:33:20

Yes it was issued from my CA server.
Are these the parameters you want?

sslcacert Path to the directory containing the databases of the certificate authorities yum should use to verify SSL certificates. Defaults to none - uses system default

sslverify Boolean - should yum verify SSL certificates/hosts at all. Defaults to True.

Note that the plugin yum-rhn-plugin will force this value to true, and may alter other ssl settings (like hostname checking), even if the machine is not registered.

sslclientcert Path to the SSL client certificate yum should use to connect to repos/remote sites. Defaults to none.

Note that if you are using curl compiled against NSS (default in Fedora/RHEL), curl treats sslclientcert values with the same basename as _identical_. This version of yum will check that this isn't true and output an error when the repositories "foo" and "bar" violate this, like so:

sslclientcert basename shared between foo and bar

sslclientkey Path to the SSL client key yum should use to connect to repos/remote sites. Defaults to none.

TrevorH
Forum Moderator
Posts: 22575
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Customize Yum Server with SSL

Postby TrevorH » 2018/04/22 10:43:04

wengin211 wrote:
Yes it was issued from my CA server.

And is "your" CA server a real recognised one whose cert will already be in the list of trusted ones shipped by Redhat? If it isn't then you need to add it to the list of trusted ones or tell yum to allow it.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

avij
Forum Moderator
Posts: 2448
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Customize Yum Server with SSL

Postby avij » 2018/04/22 11:20:45

If your server is accessible from the Internet, you could also test it with SSL Server Test.

Sometimes you need to add an intermediate certificate to the server's certificate path. Your CA should have these intermediate certificates publicly available.

wengin211
Posts: 5
Joined: 2018/04/21 06:16:37

Re: Customize Yum Server with SSL

Postby wengin211 » 2018/04/24 04:32:12

TrevorH wrote:
Yes it was issued from my CA server.

And is "your" CA server a real recognised one whose cert will already be in the list of trusted ones shipped by Redhat? If it isn't then you need to add it to the list of trusted ones or tell yum to allow it.

I'm not sure. How can I check that, or add it to the list? Many thanks.
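TrevorH's advice (trust the CA or tell yum to allow it) and the question of how to check and add it can be shown end to end in a shell. The script below is an added example, not code from the thread or from the yum project: it builds a throwaway private CA and a server certificate signed by it (constructed test material standing in for the poster's CA and yum host, with a made-up hostname), shows that the certificate fails verification against the system store exactly as yum's Errno 14 indicates, and then shows it verifying once the CA is supplied. The CentOS 6 trust-store commands are given in comments because they need root, and the repo stanza uses the sslcacert/sslverify option names quoted from man yum.conf above, keeping verification on rather than disabling it.

```shell
#!/bin/sh
# Added example: reproduce a "peer cert cannot be verified" failure with a
# constructed private CA, then show the fix (trusting that CA).
# Needs the openssl command-line tool; yum.example.internal is a made-up name.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_CERT="$WORK/internal-ca.pem"
SRV_CERT="$WORK/yum-server.pem"

# Build a throwaway CA and a server cert signed by it (constructed test PKI).
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$CA_CERT" \
        -subj "/CN=Example Internal Root CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
        -subj "/CN=yum.example.internal" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/srv.csr" \
        -CA "$CA_CERT" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$SRV_CERT" >/dev/null 2>&1
}

# Verify a server cert; exit 0 means the chain is trusted.
# With no bundle argument the system default store is used, which is what
# yum does when sslcacert is unset (the poster's situation).
verify_against() {
    cert=$1; bundle=${2:-}
    if [ -n "$bundle" ]; then
        openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1
    else
        openssl verify "$cert" >/dev/null 2>&1
    fi
}

# Repo stanza pinning yum to a CA bundle instead of setting sslverify=0.
repo_stanza() {
    printf '[internal-centos6]\n'
    printf 'name=Internal CentOS 6 mirror\n'
    printf 'baseurl=https://yum.example.internal/centos/6/Packages\n'
    printf 'enabled=1\ngpgcheck=1\nsslverify=1\n'
    printf 'sslcacert=%s\n' "$1"
}

make_test_pki

if verify_against "$SRV_CERT"; then
    echo "system store already trusts the server cert"
else
    echo "system store rejects the server cert (yum reports this as Errno 14)"
fi

if verify_against "$SRV_CERT" "$CA_CERT"; then
    echo "same cert verifies once the internal CA is trusted"
fi

# System-wide fix on CentOS 6 (run as root; shown, not executed here):
#   update-ca-trust enable
#   cp internal-ca.pem /etc/pki/ca-trust/source/anchors/
#   update-ca-trust extract
# Per-repository alternative, path is illustrative:
repo_stanza /etc/pki/tls/certs/internal-ca.pem
```

Pointing sslcacert at the CA file fixes only the repositories that carry that line; adding the CA to the system trust store fixes every TLS client on the host, including curl and yum, which is the route the thread ends up taking.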

wengin211
Posts: 5
Joined: 2018/04/21 06:16:37

Re: Customize Yum Server with SSL

Postby wengin211 » 2018/04/24 04:33:24

avij wrote:
If your server is accessible from the Internet, you could also test it with SSL Server Test.

Sometimes you need to add an intermediate certificate to the server's certificate path. Your CA should have these intermediate certificates publicly available.

My server can't access the Internet, since the aim of the yum server is to stop the other client servers from accessing the Internet directly.

wengin211
Posts: 5
Joined: 2018/04/21 06:16:37

Re: Customize Yum Server with SSL

Postby wengin211 » 2018/04/26 06:55:55

I have solved it by trusting the CA's root cert on the client server. Thanks.