Why does yum fail with error Peer's certificate issuer has been marked as not trusted by the user?

Environment

  • Red Hat Enterprise Linux 7
  • yum
  • Red Hat Satellite 6

Issue

  • Getting the following error while running yum.

    curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
    

Resolution

  • Allow outbound access to the following hostnames/ports on the network firewall so that yum works fully:

    subscription.rhn.redhat.com:443 [https]
    cdn.redhat.com:443 [https]
    *.akamaiedge.net:443 [https]
    
  • Add Red Hat's CA certificate to the external firewall's certificate configuration so that outgoing traffic for yum is allowed.

    • Red Hat's CA certificate file is redhat-uep.pem, located at /etc/rhsm/ca/redhat-uep.pem
  • If this issue is observed on a client of a Satellite 6 server, check whether the katello-ca-consumer rpm is installed on the client. If it is, try reinstalling it.

For more KB articles/solutions related to Red Hat Satellite 6.x Client Subscription Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Client Subscription Issues

Root Cause

  • The firewall's self-signed certificate was replacing Red Hat's redhat-uep.pem certificate with its own when the server tried to contact the Content Delivery Network (CDN) via yum, and the replaced certificate was in turn rejected as not trusted.

Diagnostic Steps

  • Capture the output of the openssl command below and check whether the certificate chain expected under the CA certificate /etc/rhsm/ca/redhat-uep.pem is being replaced by the firewall's certificate, which leads to the error.

    # openssl s_client -connect cdn.redhat.com:443 -CAfile /etc/rhsm/ca/redhat-uep.pem
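
The check in this diagnostic step can be scripted. The following is an added example, not part of the original solution, that classifies the output of the openssl command by its verify return code and the issuer of the certificate presented. The function name check_s_client and both sample outputs (including the issuer names) are constructed for illustration.

```shell
# Added example: classify `openssl s_client` output from the diagnostic step.
# Live use (command from the article, stdin closed so s_client exits):
#   openssl s_client -connect cdn.redhat.com:443 \
#     -CAfile /etc/rhsm/ca/redhat-uep.pem </dev/null 2>&1 | check_s_client
check_s_client() {
    out=$(cat)
    # "    Verify return code: 19 (self signed certificate in certificate chain)"
    code=$(printf '%s\n' "$out" |
        sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    # The first "issuer=" line names who signed the certificate presented.
    issuer=$(printf '%s\n' "$out" | sed -n 's/^issuer= *//p' | head -n 1)
    if [ -z "$code" ]; then
        echo "NO_RESULT"   # no verify line: handshake did not complete
        return 2
    fi
    if [ "$code" -eq 0 ]; then
        echo "TRUSTED issuer=$issuer"
        return 0
    fi
    # Non-zero: chain does not lead to the CA in -CAfile (redhat-uep.pem).
    echo "UNTRUSTED code=$code issuer=$issuer"
    return 1
}

# Constructed sample: a firewall presenting a certificate from its own CA.
sample_intercepted() {
cat <<'EOF'
CONNECTED(00000003)
verify error:num=19:self signed certificate in certificate chain
---
Server certificate
subject=/CN=cdn.redhat.com
issuer=/CN=Example-Firewall-CA
---
    Verify return code: 19 (self signed certificate in certificate chain)
EOF
}

# Constructed sample: chain verifies against the CA file (issuer is a placeholder).
sample_trusted() {
cat <<'EOF'
Server certificate
subject=/CN=cdn.redhat.com
issuer=/CN=Placeholder-Expected-CA
---
    Verify return code: 0 (ok)
EOF
}
sample_intercepted | check_s_client || true   # demo on the constructed sample
```

An UNTRUSTED result whose issuer names the firewall rather than a Red Hat CA matches the root cause described above.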
    
Component

  • yum
