yum - M2Crypto.SSL.SSLError: certificate verify failed

Yum is broken on one of my servers.

Today I re-registered 18 RHEL 5.x servers under the RHN Classic subscription model.
All 18 servers show as registered on the RH Customer Portal; however, this one won't allow any updates. On it, every use of the yum command gets the error shown below.

I've compared everything I could to the other working servers and researched online forums, but cannot figure out why yum isn't working on this one server.

[root@saalvqad01 ~]# yum check-update
Loaded plugins: rhnplugin, security
Traceback (most recent call last):
  File "/usr/bin/yum", line 29, in ?
    yummain.user_main(sys.argv[1:], exit_code=True)
  File "/usr/share/yum-cli/yummain.py", line 309, in user_main
    errcode = main(args)
...
  File "/usr/lib64/python2.4/site-packages/M2Crypto/SSL/Connection.py", line 167, in connect_ssl
    return m2.ssl_connect(self.ssl, self._timeout)
M2Crypto.SSL.SSLError: certificate verify failed

$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.7 (Tikanga)

$ uname -a
Linux myhostname 2.6.18-274.el5 #1 SMP Fri Jul 8 17:36:59 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux

[snippets of /etc/sysconfig/rhn/up2date]
serverURL=https://xmlrpc.rhn.redhat.com/XMLRPC
disallowConfChanges=noReboot;sslCACert;useNoSSLForPackages;noSSLServerURL;serverURL;disallowConfChanges;
sslCACert=/usr/share/rhn/RHNS-CA-CERT

I've tried things like:
changing serverURL from https: to http: in /etc/sysconfig/rhn/up2date
yum clean all
rm -rf /var/cache/yum/*
yum makecache
re-registering, via rhn_register, after rm /etc/sysconfig/rhn/systemid. Server registers, but yum remains broken.

I'm also aware of the old expired certificate issue, and dealt with that on 3 of the other servers, by copying a good certificate over.

Any advice/suggestions?

Responses

Is the date/time correct on the system?

Current system date/time is correct:
$ date
Thu Jul 31 12:04:52 CDT 2014

If the cert in question is this file:
-rw-r--r-- 1 root root 8865 Mar 1 2010 /usr/share/rhn/RHNS-CA-CERT
It has two entries:
1)
Validity
Not Before: Aug 29 02:10:55 2003 GMT
Not After : Aug 26 02:10:55 2013 GMT
2)
Validity
Not Before: Feb 26 21:07:08 2010 GMT
Not After : Feb 24 21:07:08 2020 GMT

Note: Other (yum-working) servers have this exact same file... and I believe were actually VM cloned from this (yum-not-working) server months before I got here.

Making the changes to /etc/yum.repos.d/redhat.repo in resolution https://access.redhat.com/solutions/63357 fixed this issue for me.

To follow up, I created Case# 01173598, and it was determined that the system is not properly/completely unregistered from RHSM and the subscription manager packages removed.
RH Tech comment: "root cause is yum when loading '/etc/yum.repos.d/redhat.repo' which is created when the system is registered with RHSM will be fetching for SSL cert required for communication with CDN servers. Since neither of the subscription-manager packages or the cert are present on the system an error is thrown as cert verify failed."

The solution:
1) disable following RHSM plugins -
'/etc/yum/pluginconf.d/subscription-manager.conf'
'/etc/yum/pluginconf.d/product-id.conf'
2) remove the following directories which are created during the time of RHSM registration --
rm -rf /etc/pki/consumer/*
rm -rf /etc/pki/entitlement/*
3) remove the redhat.repo file
rm -rf /etc/yum.repos.d/redhat.repo

Step 1 did not apply to my situation, but steps 2 & 3 did resolve my issue, and yum worked thereafter.
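
The RH Tech comment above traces the failure to redhat.repo pointing yum at SSL files that are no longer on disk. As an added example (not part of the original posts and not Red Hat tooling), this shell check lists every sslcacert, sslclientcert and sslclientkey entry in a repo file whose target file is missing; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find yum repo SSL options that point at files missing on disk.
# Function names are illustrative; the option names are standard yum repo keys.

# Print "section option path" for each SSL file option in the repo file $1.
list_repo_ssl_paths() {
    awk '
        BEGIN { section = "(none)" }
        /^[ \t]*[#;]/ { next }                    # skip comment lines
        /^[ \t]*\[.*\][ \t]*$/ {                  # [repo-id] header
            section = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
            next
        }
        /^[ \t]*(sslcacert|sslclientcert|sslclientkey)[ \t]*=/ {
            opt = $0; sub(/[ \t]*=.*/, "", opt); sub(/^[ \t]*/, "", opt)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
            if (val != "") print section, opt, val
        }
    ' "$1"
}

# Report each referenced file that does not exist.
# Returns 0 if all are present, 1 if any is missing, 2 if the repo file is absent.
check_repo_ssl_files() {
    [ -f "$1" ] || { echo "no such repo file: $1" >&2; return 2; }
    missing=$(list_repo_ssl_paths "$1" | while read -r section opt path; do
        [ -f "$path" ] || echo "[$section] $opt -> $path (missing)"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Run against a repo file when one is given, e.g.:
#   sh check_repo_ssl.sh /etc/yum.repos.d/redhat.repo
if [ $# -gt 0 ]; then
    check_repo_ssl_files "$1"
fi
```

Run it before and after the cleanup steps; a repo file that still references missing entitlement files is the condition the support case identified.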

Thanks Jared. Good to see Support were able to get this resolved for you, and I appreciate you sharing the solution here.
