Can't install packages using yum (CA certificate error? problem making ssl connection)
I've just installed a RHEL 6.6 Basic Server and successfully subscribed it using RH Subscription Manager, but now I'm having trouble when trying to install packages (and basically everything using yum):
[root@example ~]# yum check-update
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
**https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml: [Errno 14] problem making ssl connection**
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: rhel-6-server-rpms. Please verify its path and try again
I checked my cert and I think it is expired:
[root@example rhn]# more RHNS-CA-CERT
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=North Carolina, L=Raleigh, O=Red Hat, Inc., OU=Red Hat Network, CN=RHN Certificate Authority/emailAddress=rhn-noc@redhat.com
Validity
Not Before: Aug 29 02:10:55 2003 GMT
**Not After : Aug 26 02:10:55 2013 GMT**
But when I use the diagnostic tool from here https://access.redhat.com/solutions/539583, it seems to work:
[root@example rhn]# openssl s_client -connect xmlrpc.rhn.redhat.com:443 -CAfile /usr/share/rhn/RHNS-CA-CERT
CONNECTED(00000003)
depth=1 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU = Red Hat Network, CN = RHN Certificate Authority, emailAddress = rhn-noc@redhat.com
verify return:1
depth=0 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU = IT, CN = xmlrpc.rhn.redhat.com, emailAddress = helpdesk@redhat.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=IT/CN=xmlrpc.rhn.redhat.com/emailAddress=helpdesk@redhat.com
i:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=RHN Certificate Authority/emailAddress=rhn-noc@redhat.com
---
Server certificate
subject=/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=IT/CN=xmlrpc.rhn.redhat.com/emailAddress=helpdesk@redhat.com
issuer=/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=RHN Certificate Authority/emailAddress=rhn-noc@redhat.com
---
**No client certificate CA names sent**
---
**SSL handshake has read 1213 bytes and written 435 bytes**
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : RC4-SHA
Session-ID: BD8912728D0E933346FA9492AF1D69631B7EAD681E8C93DFE2789D1ED598D232
Session-ID-ctx:
Master-Key: 71DFFFF8ACCA58DC2B6789014EC0B4EF690F9C74CE50B38A378EB95562CF6E54995829F7D589250F7EEF839FE3C3920C
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1422374587
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
I'm behind a proxy and tested the connection again:
[root@example rhn]# curl https://xmlrpc.rhn.redhat.com/XMLRPC --cacert /usr/share/rhn/RHNS-CA-CERT -v -x 10.3.22.252:8080
* About to connect() to proxy 10.x.x.x port 8080 (#0)
* Trying 10.x.x.x... connected
* Connected to 10.x.x.x (10.x.x.x) port 8080 (#0)
* Establish HTTP proxy tunnel to xmlrpc.rhn.redhat.com:443
> CONNECT xmlrpc.rhn.redhat.com:443 HTTP/1.1
> Host: xmlrpc.rhn.redhat.com:443
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Proxy-Connection: Keep-Alive
>
< HTTP/1.0 200 Connection established
<
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /usr/share/rhn/RHNS-CA-CERT
CApath: none
* SSL connection using TLS_RSA_WITH_RC4_128_SHA
* Server certificate:
* subject: E=helpdesk@redhat.com,CN=xmlrpc.rhn.redhat.com,OU=IT,O="Red Hat, Inc.",L=Raleigh,ST=North Carolina,C=US
* **start date: Apr 15 12:55:11 2013 GMT**
* **expire date: Apr 14 12:55:11 2016 GMT**
* common name: xmlrpc.rhn.redhat.com
* issuer: E=rhn-noc@redhat.com,CN=RHN Certificate Authority,OU=Red Hat Network,O="Red Hat, Inc.",L=Raleigh,ST=North Carolina,C=US
> GET /XMLRPC HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: xmlrpc.rhn.redhat.com
> Accept: */*
>
< HTTP/1.1 405 Method Not Allowed
< Date: Tue, 27 Jan 2015 16:08:27 GMT
< Server: Apache
< Allow: TRACE
< Content-Length: 298
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method GET is not allowed for the URL /XMLRPC.</p>
<hr>
<address>Apache Server at xmlrpc.rhn.redhat.com Port 80</address>
</body></html>
* Closing connection #0
This is my rhn-client-tools version:
[root@example rhn]# rpm -q rhn-client-tools
rhn-client-tools-1.0.0.1-18.el6.noarch
And just one more detail: when I try to browse https://rhn.redhat.com with Firefox, it loops waiting for idp.redhat.com to respond...
Does anybody have an idea? This is giving me a lot of trouble right now...
Responses
Hi Aarón,
- Are you in a position to open a support case for this please?
- Also, do you have an HTTP proxy somewhere in the chain to the edge? [edit] Yes, you do and you say so.
[edit] If you can, please open a ticket, I'll ask one of the RHN team here to advise me further, some transparent proxies need extra configuration for RHN.
Many thanks,
Mark
Hi again Aarón,
Your problem appears to be related to location aware updates. With RHN Classic, it was possible to define a specific point to get downloads from, but with RHSM, we currently have no method of avoiding the CDN.
Can you ask your firewall team to review and allow the IP addresses listed in this link through your firewall please?
* Section 6.4. Setting Firewall Access for Content Delivery
Best regards,
Mark
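Added example (not part of the thread and not Red Hat's code): the checks in the question go to xmlrpc.rhn.redhat.com with RHNS-CA-CERT, while the failing yum request goes to cdn.redhat.com. This shell sketch reads a yum repo stanza and prints the curl command that repeats yum's own request with the same URL, CA file, client certificate and proxy. The stanza is a constructed sample with placeholder paths and proxy; on a subscribed system the real one is in /etc/yum.repos.d/redhat.repo.

```shell
# Constructed sample stanza (assumption: EXAMPLE paths and the proxy are placeholders).
SAMPLE_REPO='[rhel-6-server-rpms]
name = Red Hat Enterprise Linux 6 Server (RPMs)
baseurl = https://cdn.redhat.com/content/dist/rhel/server/6/$releasever/$basearch/os
enabled = 1
sslverify = 1
sslcacert = /etc/rhsm/ca/redhat-uep.pem
sslclientkey = /etc/pki/entitlement/EXAMPLE-key.pem
sslclientcert = /etc/pki/entitlement/EXAMPLE.pem
proxy = http://10.x.x.x:8080
'

# repo_opt REPO_ID KEY: print the value of KEY inside [REPO_ID]; stanza on stdin.
repo_opt() {
    awk -v id="[$1]" -v key="$2" '
        /^\[/ { in_repo = ($0 == id); next }
        in_repo {
            split($0, kv, "=")
            k = kv[1]; gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# yum_curl_cmd REPO_ID RELEASEVER BASEARCH: print the curl command that fetches
# repomd.xml the way yum would. The body runs in a subshell, so its variables
# stay local and "exit" only leaves the function.
yum_curl_cmd() (
    stanza=$(cat)
    opt() { printf '%s\n' "$stanza" | repo_opt "$repo" "$1"; }
    repo=$1
    url=$(opt baseurl)
    [ -n "$url" ] || { echo "repo $repo not found or has no baseurl" >&2; exit 1; }
    # Expand the yum variables used in the baseurl.
    url=$(printf '%s\n' "$url" | sed -e "s|[\$]releasever|$2|g" -e "s|[\$]basearch|$3|g")
    ca=$(opt sslcacert); cert=$(opt sslclientcert)
    key=$(opt sslclientkey); proxy=$(opt proxy)
    cmd="curl -v${ca:+ --cacert $ca}${cert:+ --cert $cert}${key:+ --key $key}${proxy:+ -x $proxy}"
    printf '%s %s\n' "$cmd" "$url/repodata/repomd.xml"
)

# Show the command for the repository named in the yum error.
printf '%s' "$SAMPLE_REPO" | yum_curl_cmd rhel-6-server-rpms 6Server x86_64
```

Running the printed command from the affected host shows whether the proxy CONNECT, the TLS handshake or the client-certificate step is the one that fails for the CDN.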
