Can't install packages using yum (CA certificate error? problem making ssl connection)
I've just installed a RHEL 6.6 Basic Server and successfully subscribed it using RH Subscription Manager, but now I'm having trouble when trying to install packages (and basically everything using yum):
```
[root@example ~]# yum check-update
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
**https://cdn.redhat.com/content/dist/rhel/server/6/6Server/x86_64/os/repodata/repomd.xml: [Errno 14] problem making ssl connection**
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: rhel-6-server-rpms. Please verify its path and try again
```
I checked my cert and I think it is expired:
```
[root@example rhn]# more RHNS-CA-CERT
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=North Carolina, L=Raleigh, O=Red Hat, Inc., OU=Red Hat Network, CN=RHN Certificate Authority/emailAddress=rhn-noc@redhat.com
        Validity
            Not Before: Aug 29 02:10:55 2003 GMT
            **Not After : Aug 26 02:10:55 2013 GMT**
```
But when I use the diagnostic tool from here, https://access.redhat.com/solutions/539583, it seems to work:
```
[root@example rhn]# openssl s_client -connect xmlrpc.rhn.redhat.com:443 -CAfile /usr/share/rhn/RHNS-CA-CERT
CONNECTED(00000003)
depth=1 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU = Red Hat Network, CN = RHN Certificate Authority, emailAddress = rhn-noc@redhat.com
verify return:1
depth=0 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU = IT, CN = xmlrpc.rhn.redhat.com, emailAddress = helpdesk@redhat.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=IT/CN=xmlrpc.rhn.redhat.com/emailAddress=helpdesk@redhat.com
   i:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=RHN Certificate Authority/emailAddress=rhn-noc@redhat.com
---
Server certificate
subject=/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=IT/CN=xmlrpc.rhn.redhat.com/emailAddress=helpdesk@redhat.com
issuer=/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat Network/CN=RHN Certificate Authority/emailAddress=rhn-noc@redhat.com
---
**No client certificate CA names sent**
---
**SSL handshake has read 1213 bytes and written 435 bytes**
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1.2
    Cipher : RC4-SHA
    Session-ID: BD8912728D0E933346FA9492AF1D69631B7EAD681E8C93DFE2789D1ED598D232
    Session-ID-ctx:
    Master-Key: 71DFFFF8ACCA58DC2B6789014EC0B4EF690F9C74CE50B38A378EB95562CF6E54995829F7D589250F7EEF839FE3C3920C
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1422374587
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
---
```
I'm behind a proxy and tested the connection again:
```
[root@example rhn]# curl https://xmlrpc.rhn.redhat.com/XMLRPC --cacert /usr/share/rhn/RHNS-CA-CERT -v -x 10.3.22.252:8080
* About to connect() to proxy 10.x.x.x port 8080 (#0)
* Trying 10.x.x.x... connected
* Connected to 10.x.x.x (10.x.x.x) port 8080 (#0)
* Establish HTTP proxy tunnel to xmlrpc.rhn.redhat.com:443
> CONNECT xmlrpc.rhn.redhat.com:443 HTTP/1.1
> Host: xmlrpc.rhn.redhat.com:443
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Proxy-Connection: Keep-Alive
>
HTTP/1.0 200 Connection established
* Proxy replied OK to CONNECT request
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /usr/share/rhn/RHNS-CA-CERT
  CApath: none
* SSL connection using TLS_RSA_WITH_RC4_128_SHA
* Server certificate:
* subject: E=helpdesk@redhat.com,CN=xmlrpc.rhn.redhat.com,OU=IT,O="Red Hat, Inc.",L=Raleigh,ST=North Carolina,C=US
*** start date: Apr 15 12:55:11 2013 GMT**
*** expire date: Apr 14 12:55:11 2016 GMT**
* common name: xmlrpc.rhn.redhat.com
* issuer: E=rhn-noc@redhat.com,CN=RHN Certificate Authority,OU=Red Hat Network,O="Red Hat, Inc.",L=Raleigh,ST=North Carolina,C=US
> GET /XMLRPC HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: xmlrpc.rhn.redhat.com
> Accept: */*
>
HTTP/1.1 405 Method Not Allowed
Date: Tue, 27 Jan 2015 16:08:27 GMT
Server: Apache
Allow: TRACE
Content-Length: 298
Connection: close
Content-Type: text/html; charset=iso-8859-1

405 Method Not Allowed
Method Not Allowed
The requested method GET is not allowed for the URL /XMLRPC.
Apache Server at xmlrpc.rhn.redhat.com Port 80
* Closing connection #0
```
This is my rhn-client-tools version:
```
[root@example rhn]# rpm -q rhn-client-tools
rhn-client-tools-1.0.0.1-18.el6.noarch
```
And just one more detail: when I try to browse https://rhn.redhat.com with Firefox, it loops waiting for idp.redhat.com to respond...
Does anybody have an idea? This is giving me a lot of trouble right now...
Responses