[RESOLVED] YUM Error - Peer cert cannot be verified

General support questions

[RESOLVED] YUM Error - Peer cert cannot be verified

Postby Roturgo » 2011/08/03 14:38:47

I wanted to share this information with everyone in the hopes that it might save someone some of the frustration that I've had in dealing with this issue. Hope it helps! :-)

While attempting to do a CentOS 6.0 kickstart install, I ran into a fun error when Anaconda started trying to pull from our local YUM repository. The error was:

[Errno 14] Peer cert cannot be verified or peer cert invalid

At that point, the install bombed out. The local repository that I was trying to use runs over https and has a self-signed certificate. This was never an issue in CentOS 5.x, but the default behavior of YUM has changed in 6.0. In RHEL6 (and by extension CentOS 6), SSL certs are now validated by YUM and if validation fails, YUM will error out with the above message.

If you have a RHN subscription, see https://access.redhat.com/kb/docs/DOC-53910

From the KB article:
In RHEL5 SSL certs were not validated, now in RHEL6 they are by default. SSL validation can be disabled by adding sslverify=false to /etc/yum.conf. However if validation the server's SSL certificate is need, then the certificate authority's certificate (cacert) need to be downloaded to the yum client and then a pointer to that cacert file needs to be added to yum.conf using the sslcacert option, such as sslcacert=/etc/yum.cacert.

Apparently this bug has been reported upstream and fixed in Anaconda 14.10 and pykickstart-1.76, and a '--noverifyssl' kickstart flag has been added.

This fix won't help current CentOS 6.0 users, but there is a workaround listed on the Bugzilla page:

https://bugzilla.redhat.com/show_bug.cgi?id=599040#c0

Basically, you'll need to add the CA cert for your repository to the global trusted cert store in your kickstart script like this:

%pre
cat >/etc/pki/tls/certs/ca-bundle.crt <-----BEGIN CERTIFICATE-----
MIIEKjCCAxKgAwIBAgIQYAGXt0an6rS0mtZLL/eQ+zANBgkqhkiG9w0BAQsFADCB
rjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
MDggdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxJDAiBgNV
BAMTG3RoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EgLSBHMzAeFw0wODA0MDIwMDAwMDBa
Fw0zNzEyMDEyMzU5NTlaMIGuMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3Rl
LCBJbmMuMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9u
MTgwNgYDVQQLEy8oYykgMjAwOCB0aGF3dGUsIEluYy4gLSBGb3IgYXV0aG9yaXpl
ZCB1c2Ugb25seTEkMCIGA1UEAxMbdGhhd3RlIFByaW1hcnkgUm9vdCBDQSAtIEcz
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsr8nLPvb2FvdeHsbnndm
gcs+vHyu86YnmjSjaDFxODNi5PNxZnmxqWWjpYvVj2AtP0LMqmsywCPLLEHd5N/8
YZzic7IilRFDGF/Eth9XbAoFWCLINkw6fKXRz4aviKdEAhN0cXMKQlkC+BsUa0Lf
b1+6a4KinVvnSr0eAXLbS3ToO39/fR8EtCab4LRarEc9VbjXsCZSKAExQGbY2SS9
9irY7CFJXJv2eul/VTV+lmuNk5Mny5K76qxAwJ/C+IDPXfRa3M50hqY+bAtTyr2S
zhkGcuYMXDhpxwTWvGzOW/b3aJzcJRVIiKHpqfiYnODz1TEoYRFsZ5aNOZnLwkUk
OQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
HQ4EFgQUrWyqlGCc7eT/+j4KdCtjA/e2Wb8wDQYJKoZIhvcNAQELBQADggEBABpA
2JVlrAmSicY59BDlqQ5mU1143vokkbvnRFHfxhY0Cu9qRFHqKweKA3rD6z8KLFIW
oCtDuSWQP3CpMyVtRRooOyfPqsMpQhvfO0zAMzRbQYi/aytlryjvsvXDqmbOe1bu
t8jLZ8HJnBoYuMTDSQPxYA5QzUbF83d597YV4Djbxy8ooAw/dyZ02SUS2jHaGh7c
KUGRIjxpp7sC8rZcJwOJ9Abqm+RyguOhCcHpABnTPtRwa7pxpqpYrvS76Wy274fM
m7v/OeZWYdMKp8RcTGB7BXcmer/YB1IsYvdwY9k5vG8cwnncdimvzsUsZAReiDZu
MdRAGmI0Nj81Aa6sY6A=
-----END CERTIFICATE-----
%end

I searched all through the CentOS forums and site and didn't see anyone mention this issue so far, so hopefully this information saves someone some trouble of piecing together what's going on and how to work around it.

I also just want to make clear that this is an upstream vendor "bug," so it's through no fault of the CentOS team. The CentOS team is doing a fantastic job, and I want to thank everyone for all the time and effort that they've put into bringing us the excellent 6.0 release! 8-)
Roturgo
 
Posts: 1
Joined: 2011/07/21 14:25:14

[RESOLVED] YUM Error - Peer cert cannot be verified

Postby pschaff » 2011/08/03 23:36:04

Welcome to the CentOS fora and thanks for the helpful post. I will add a note to the release notes with a pointer here.
pschaff
Retired Moderator
 
Posts: 18277
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: [RESOLVED] YUM Error - Peer cert cannot be verified

Postby AlanBartlett » 2011/08/04 00:33:55

And, for posterity, this thread is marked [RESOLVED].
User avatar
AlanBartlett
Forum Moderator
 
Posts: 8975
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: [RESOLVED] YUM Error - Peer cert cannot be verified

Postby bfallik-aereo » 2012/01/05 06:02:38

Hi,

I'm wondering if you had a chance to actually test the procedure in the bug report or if you're just the messenger.

I'm fairly certain I'm encountering the same issue but my attempts to workaround the problem aren't working. So far I've:
1. encountered the error during kickstart, switched VTs and saw the "Peer certificate" message in the logs
2. reproduced the error in the stalled kickstart environment using python & pycurl to retrieve the URL over via HTTPS
3. browsed to the same URL in firefox and exported the cert (X.509 PEM)
4. copied the cert into the stalled kickstart session, overwrote /etc/pkt/.../ca-bundle.crt and repeated the experiment

Unfortunately I still encounter the same message."Peer certificate cannot be authenticated..." message. It seems I'm either exporting incorrectly or not understanding how to update the local ca-bundle.crt file. Anyone have any suggestions?

Thanks.
bfallik-aereo
 
Posts: 1
Joined: 2012/01/05 05:47:52

Re: [RESOLVED] YUM Error - Peer cert cannot be verified

Postby delong » 2012/03/13 11:41:16

Hello,

I am still having this error on Centos 6.2 ( client ) trying to get repomd.xml from Centos 6.0:
Code: Select all
[Errno 14] Peer cert cannot be verified or peer cert invalid


I have exported my repository's certificate from firefox, located it in /etc/yum.cert and pointed yum.conf to it with sslcacert but it didn't help.
I can't disable ssl verification so I ask for help with this.

Any help would be appreciated.

Regards.
delong
 
Posts: 1
Joined: 2012/03/13 11:30:41


Return to CentOS 6 - General Support

Who is online

Users browsing this forum: No registered users and 6 guests