While attempting to do a CentOS 6.0 kickstart install, I ran into a fun error when Anaconda started trying to pull from our local YUM repository. The error was:
[Errno 14] Peer cert cannot be verified or peer cert invalid
At that point, the install bombed out. The local repository that I was trying to use runs over https and has a self-signed certificate. This was never an issue in CentOS 5.x, but the default behavior of YUM has changed in 6.0. In RHEL6 (and by extension CentOS 6), SSL certs are now validated by YUM and if validation fails, YUM will error out with the above message.
If you have a RHN subscription, see https://access.redhat.com/kb/docs/DOC-53910
From the KB article:
In RHEL5 SSL certs were not validated, now in RHEL6 they are by default. SSL validation can be disabled by adding sslverify=false to /etc/yum.conf. However if validation the server's SSL certificate is need, then the certificate authority's certificate (cacert) need to be downloaded to the yum client and then a pointer to that cacert file needs to be added to yum.conf using the sslcacert option, such as sslcacert=/etc/yum.cacert.
Apparently this bug has been reported upstream and fixed in Anaconda 14.10 and pykickstart-1.76, and a '--noverifyssl' kickstart flag has been added.
This fix won't help current CentOS 6.0 users, but there is a workaround listed on the Bugzilla page:
Basically, you'll need to add the CA cert for your repository to the global trusted cert store in your kickstart script like this:
cat >/etc/pki/tls/certs/ca-bundle.crt <
I searched all through the CentOS forums and site and didn't see anyone mention this issue so far, so hopefully this information saves someone some trouble of piecing together what's going on and how to work around it.
I also just want to make clear that this is an upstream vendor "bug," so it's through no fault of the CentOS team. The CentOS team is doing a fantastic job, and I want to thank everyone for all the time and effort that they've put into bringing us the excellent 6.0 release!