Can't install packages using yum (CA certificate error? problem making ssl connection)
I've just installed a RHEL 6.6 Basic Server and successfully subscribed it using RH Subscription Manager, but now I'm having trouble when trying to install packages (and basically, everything using yum):
[root@example ~]# yum check-update
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
**https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml: [Errno 14] problem making ssl connection**
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: rhel-6-server-rpms. Please verify its path and try again
I checked my cert and I think it is expired:
[root@example rhn]# more RHNS-CA-CERT
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=North Carolina, L=Raleigh, O=Red Hat, Inc., OU=Red Hat Network, CN=RHN Certificate Authority/emailAddress=rhn-noc@redhat.com
Validity
Not Before: Aug 29 02:10:55 2003 GMT
**Not After : Aug 26 02:10:55 2013 GMT**
But when I use the diagnostic tool from here https://access.redhat.com/solutions/539583 it seems to work:
[root@example rhn]# openssl s_client -connect xmlrpc.rhn.redhat.com:443 -CAfile /usr/share/rhn/RHNS-CA-CERT
CONNECTED(00000003)
depth=1 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU = Red Hat Network, CN = RHN Certificate Authority, emailAddress = rhn-noc@redhat.com
verify return:1
depth=0 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU = IT, CN = xmlrpc.rhn.redhat.com, emailAddress = helpdesk@redhat.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=IT/CN=xmlrpc.rhn.redhat.com/emailAddress=helpdesk@redhat.com
i:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=RHN Certificate Authority/emailAddress=rhn-noc@redhat.com
---
Server certificate
subject=/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=IT/CN=xmlrpc.rhn.redhat.com/emailAddress=helpdesk@redhat.com
issuer=/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=RHN Certificate Authority/emailAddress=rhn-noc@redhat.com
---
**No client certificate CA names sent**
---
**SSL handshake has read 1213 bytes and written 435 bytes**
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : RC4-SHA
Session-ID: BD8912728D0E933346FA9492AF1D69631B7EAD681E8C93DFE2789D1ED598D232
Session-ID-ctx:
Master-Key: 71DFFFF8ACCA58DC2B6789014EC0B4EF690F9C74CE50B38A378EB95562CF6E54995829F7D589250F7EEF839FE3C3920C
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1422374587
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
I'm behind a proxy and tested the connection again:
[root@example rhn]# curl https://xmlrpc.rhn.redhat.com/XMLRPC --cacert /usr/share/rhn/RHNS-CA-CERT -v -x 10.3.22.252:8080
* About to connect() to proxy 10.x.x.x port 8080 (#0)
* Trying 10.x.x.x... connected
* Connected to 10.x.x.x (10.x.x.x) port 8080 (#0)
* Establish HTTP proxy tunnel to xmlrpc.rhn.redhat.com:443
> CONNECT xmlrpc.rhn.redhat.com:443 HTTP/1.1
> Host: xmlrpc.rhn.redhat.com:443
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Proxy-Connection: Keep-Alive
>
< HTTP/1.0 200 Connection established
<
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /usr/share/rhn/RHNS-CA-CERT
CApath: none
* SSL connection using TLS_RSA_WITH_RC4_128_SHA
* Server certificate:
* subject: E=helpdesk@redhat.com,CN=xmlrpc.rhn.redhat.com,OU=IT,O="Red Hat, Inc.",L=Raleigh,ST=North Carolina,C=US
*** start date: Apr 15 12:55:11 2013 GMT**
*** expire date: Apr 14 12:55:11 2016 GMT**
* common name: xmlrpc.rhn.redhat.com
* issuer: E=rhn-noc@redhat.com,CN=RHN Certificate Authority,OU=Red Hat Network,O="Red Hat, Inc.",L=Raleigh,ST=North Carolina,C=US
> GET /XMLRPC HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: xmlrpc.rhn.redhat.com
> Accept: */*
>
< HTTP/1.1 405 Method Not Allowed
< Date: Tue, 27 Jan 2015 16:08:27 GMT
< Server: Apache
< Allow: TRACE
< Content-Length: 298
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method GET is not allowed for the URL /XMLRPC.</p>
<hr>
<address>Apache Server at xmlrpc.rhn.redhat.com Port 80</address>
</body></html>
* Closing connection #0
This is my rhn-client-tools version:
[root@example rhn]# rpm -q rhn-client-tools
rhn-client-tools-1.0.0.1-18.el6.noarch
And just one more detail: when I try to browse https://rhn.redhat.com with Firefox, it loops waiting for idp.redhat.com to respond...
Does anybody have an idea? This is giving me a lot of trouble right now...
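Added example, not part of the original post: a Python check that reads the validity dates from either an `openssl` text dump or `curl -v` output, like the two listings above, and classifies the certificate at a given moment, here the `Start Time` epoch printed by `s_client`. The sample strings are constructed from the date lines in the post, the function names are illustrative, and the check compares dates only; it does not verify the trust chain.

```python
import re
from datetime import datetime, timezone

# Constructed samples: date lines copied from the outputs in the post.
CA_DUMP = """Validity
Not Before: Aug 29 02:10:55 2003 GMT
Not After : Aug 26 02:10:55 2013 GMT
"""
CURL_DUMP = """* start date: Apr 15 12:55:11 2013 GMT
* expire date: Apr 14 12:55:11 2016 GMT
"""
SESSION_START = 1422374587  # "Start Time" printed by s_client in the post

# Label -> which end of the validity window it names.
_LABELS = {"not before": "start", "start date": "start",
           "not after": "end", "expire date": "end"}
_DATE_RE = re.compile(
    r"(not before|not after|start date|expire date)\s*:\s*(.+?)\s+GMT",
    re.IGNORECASE)

def parse_validity(text):
    """Return (start, end) as timezone-aware UTC datetimes."""
    window = {}
    for label, stamp in _DATE_RE.findall(text):
        stamp = " ".join(stamp.split())  # openssl space-pads one-digit days
        when = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        window[_LABELS[label.lower()]] = when.replace(tzinfo=timezone.utc)
    if set(window) != {"start", "end"}:
        raise ValueError("both validity dates are required")
    return window["start"], window["end"]

def validity_status(text, at_epoch):
    """Classify the certificate at at_epoch; second value is whole days."""
    start, end = parse_validity(text)
    at = datetime.fromtimestamp(at_epoch, tz=timezone.utc)
    if at < start:
        return "not-yet-valid", (start - at).days
    if at > end:
        return "expired", (at - end).days
    return "valid", (end - at).days

if __name__ == "__main__":
    for name, dump in (("RHNS-CA-CERT", CA_DUMP), ("server cert", CURL_DUMP)):
        print(name, validity_status(dump, SESSION_START))
```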