[RESOLVED] YUM Error - Peer cert cannot be verified


Postby Roturgo » 2011/08/03 14:38:47

I wanted to share this information with everyone in the hopes that it might save someone some of the frustration that I've had in dealing with this issue. Hope it helps! :-)

While attempting to do a CentOS 6.0 kickstart install, I ran into a fun error when Anaconda started trying to pull from our local YUM repository. The error was:

[Errno 14] Peer cert cannot be verified or peer cert invalid

At that point, the install bombed out. The local repository that I was trying to use runs over https and has a self-signed certificate. This was never an issue in CentOS 5.x, but the default behavior of YUM has changed in 6.0. In RHEL6 (and by extension CentOS 6), SSL certs are now validated by YUM and if validation fails, YUM will error out with the above message.

If you have a RHN subscription, see https://access.redhat.com/kb/docs/DOC-53910

From the KB article:
In RHEL5 SSL certs were not validated, now in RHEL6 they are by default. SSL validation can be disabled by adding sslverify=false to /etc/yum.conf. However, if validation of the server's SSL certificate is needed, then the certificate authority's certificate (cacert) needs to be downloaded to the yum client and then a pointer to that cacert file needs to be added to yum.conf using the sslcacert option, such as sslcacert=/etc/yum.cacert.

Apparently this bug has been reported upstream and fixed in Anaconda 14.10 and pykickstart-1.76, and a '--noverifyssl' kickstart flag has been added.

This fix won't help current CentOS 6.0 users, but there is a workaround listed on the Bugzilla page:


Basically, you'll need to add the CA cert for your repository to the global trusted cert store in your kickstart script like this:

# note: '>' replaces the existing bundle during the install; '>>' would append to it instead
cat >/etc/pki/tls/certs/ca-bundle.crt <<EOF
-----BEGIN CERTIFICATE-----
(the repository's CA certificate, PEM-encoded, goes here)
-----END CERTIFICATE-----
EOF

I searched all through the CentOS forums and site and didn't see anyone mention this issue so far, so hopefully this information saves someone some trouble of piecing together what's going on and how to work around it.

I also just want to make clear that this is an upstream vendor "bug," so it's through no fault of the CentOS team. The CentOS team is doing a fantastic job, and I want to thank everyone for all the time and effort that they've put into bringing us the excellent 6.0 release! 8-)
Posts: 1
Joined: 2011/07/21 14:25:14
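The same workaround as a set of shell functions, added here as an example that is not from the original post or the Bugzilla page: it appends the repository CA to the bundle rather than replacing it, rejects certificates that cannot act as a trust anchor, writes a repo entry that keeps verification on via sslcacert, and checks the chain the way the client will. The bundle and repo file paths, and the repository URL, are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the original post or the Bugzilla workaround):
# install a repository CA for yum while keeping certificate verification on.
# Assumptions: openssl is installed; on a CentOS 6 client BUNDLE would be
# /etc/pki/tls/certs/ca-bundle.crt and REPOFILE a file in /etc/yum.repos.d/;
# the repository URL in the usage line below is a constructed placeholder.

# is_trust_anchor FILE: succeeds if FILE is a PEM cert that carries CA:TRUE
# or is self-signed. An end-entity (server) cert issued by a separate CA is
# neither, so adding it to the bundle cannot make the chain verify.
is_trust_anchor() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE' && return 0
  s=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 1
  i=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 1
  [ "${s#subject=}" = "${i#issuer=}" ]
}

# install_repo_ca CAFILE BUNDLE: append CAFILE to BUNDLE, at most once.
# Appending keeps the public CAs that overwriting the bundle would discard.
install_repo_ca() {
  is_trust_anchor "$1" || { echo "not a CA or self-signed PEM cert: $1" >&2; return 1; }
  # idempotence check: the first base64 line of the body is unique per cert
  key=$(openssl x509 -in "$1" 2>/dev/null | sed -n 2p)
  if [ -f "$2" ] && grep -qF -- "$key" "$2"; then return 0; fi
  { printf '\n'; openssl x509 -in "$1"; } >> "$2"
}

# write_repo_file REPOFILE NAME BASEURL BUNDLE: a repo entry that points
# sslcacert at the bundle instead of setting sslverify=false
write_repo_file() {
  cat > "$1" <<EOF
[$2]
name=$2
baseurl=$3
enabled=1
gpgcheck=1
sslverify=1
sslcacert=$4
EOF
}

# verify_server_cert BUNDLE SERVERCERT: the chain check the yum client performs,
# restricted to BUNDLE so the result does not depend on the system store
verify_server_cert() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# usage (paths are placeholders): install_repo_ca repo-ca.pem /etc/pki/tls/certs/ca-bundle.crt
# then: write_repo_file /etc/yum.repos.d/local.repo local https://repo.example.test/centos/6 /etc/pki/tls/certs/ca-bundle.crt
```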

[RESOLVED] YUM Error - Peer cert cannot be verified

Postby pschaff » 2011/08/03 23:36:04

Welcome to the CentOS fora and thanks for the helpful post. I will add a note to the release notes with a pointer here.
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: [RESOLVED] YUM Error - Peer cert cannot be verified

Postby AlanBartlett » 2011/08/04 00:33:55

And, for posterity, this thread is marked [RESOLVED].
Forum Moderator
Posts: 9278
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: [RESOLVED] YUM Error - Peer cert cannot be verified

Postby bfallik-aereo » 2012/01/05 06:02:38


I'm wondering if you had a chance to actually test the procedure in the bug report or if you're just the messenger.

I'm fairly certain I'm encountering the same issue but my attempts to work around the problem aren't working. So far I've:
1. encountered the error during kickstart, switched VTs and saw the "Peer certificate" message in the logs
2. reproduced the error in the stalled kickstart environment using python & pycurl to retrieve the URL over via HTTPS
3. browsed to the same URL in firefox and exported the cert (X.509 PEM)
4. copied the cert into the stalled kickstart session, overwrote /etc/pki/.../ca-bundle.crt and repeated the experiment

Unfortunately I still encounter the same "Peer certificate cannot be authenticated..." message. It seems I'm either exporting incorrectly or not understanding how to update the local ca-bundle.crt file. Anyone have any suggestions?

Posts: 1
Joined: 2012/01/05 05:47:52

Re: [RESOLVED] YUM Error - Peer cert cannot be verified

Postby delong » 2012/03/13 11:41:16


I am still having this error on CentOS 6.2 (client) trying to get repomd.xml from CentOS 6.0:
[Errno 14] Peer cert cannot be verified or peer cert invalid

I have exported my repository's certificate from firefox, located it in /etc/yum.cert and pointed yum.conf to it with sslcacert but it didn't help.
I can't disable ssl verification so I ask for help with this.

Any help would be appreciated.

Posts: 1
Joined: 2012/03/13 11:30:41
