On RHEL client, yum update fails with error "[Error 14] HTTPS Errno 404 - Not Found" and it does not download the "repomd.xml.asc" file

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux (RHEL)
    • yum
  • Red Hat Satellite
    • 5.x
    • 6.x
  • Red Hat Update Infrastructure
    • 2.1
    • 3.x

Issue

  • yum was trying to download repomd.xml.asc file on RHEL client while running yum update and have encountered [Errno 14] HTTPS Error 404 - Not Found error message.

    • Error from Satellite/Customer Portal Client:

      https://satellite.example.com/pulp/repos/Org/Library/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
rhel-7-server-rpms/x86_64                                                                                                                             | 2.0 kB  00:00:00
https://satellite.example.com/pulp/repos/Org/Library/content/dist/rhel/server/7/7Server/x86_64/sat-tools/6.2/os/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found

    • Error from RHUI client:

      https://cds.example.com/pulp/repos//rhui-client-config/rhel/server/7/x86_64/os/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
rhui-REGION-client-config-server-7                                                                                                                                                    | 2.9 kB  00:00:00
.
.
failure: repodata/repomd.xml.asc from rhui-REGION-client-config-server-7: [Errno 256] No more mirrors to try.
https://cds.example.com/pulp/repos//rhui-client-config/rhel/server/7/x86_64/os/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found
https://cds.example.com/pulp/repos//rhui-client-config/rhel/server/7/x86_64/os/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found

Resolution

  1. As GPG armor is not enabled on server side, so ensure repo_gpgcheck is set to 0 in yum.conf file for RHEL clients.
    • NOTE : repo_gpgcheck either 1 or 0 tells yum whether or not it should perform a GPG signature check on the repodata. When this is set in the [main] section, it sets the default for all repositories. The default is 0.
  2. Now run yum update to confirm.

Root Cause

  • Currently Red Hat products (Customer Portal, Red Hat Satellite, RHUI, etc) does not support repo gpgcheck option yet.
  • yum was trying to download repomd.xml.asc and repo_gpgcheck was set as 1.
  • As yum was unable to locate repomd.xml.asc on the server due to GPG armor disabled, it was failing with [Errno 14] HTTPS Error 404 - Not Found error message.
  • On RHEL 7.4, the stig-rhel7-disa profile will add "repo_gpgcheck=1" to /etc/yum.conf.
  • Component
  • yum

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

15 Comments

Log in to comment
AS Community Member 30 points
7 April 2017 3:27 PM

This fixes the issue, but setting repo_gpgcheck=0 would be considered a vulnerability according to a DoD/DISA STIG rule. For systems that require mandatory compliance with a DISA STIG this may come up during a vulnerability scan, unless we keep it at 1. If you look at DISA STIG ID# RHEL-07-020070, Vulnerability ID# V-71981 for RHEL 7 (as of February 2017), this would be a Category I (high) finding. Is there any plans to fix this in a future release?

Magdy Mahmoud's picture Community Member 66 points
16 May 2017 10:16 AM

This did not fix the problem. It is useless.

Magdy Mahmoud's picture Community Member 66 points
16 May 2017 10:19 AM

The actual variable name is gpgcheck, not repo_gpgcheck

TT Pro 580 points
3 November 2018 9:15 PM

From the man page (man yum.conf)

              gpgcheck Either `1' or `0'. This tells yum whether or not it should perform a GPG signature check on  packages.  When this is set  in  the  [main] section it sets the default for all repositories.  The default is `0'.
(...)
              repo_gpgcheck Either `1' or `0'. This tells yum whether or not it should perform a GPG signature check on the  repodata.  When this is set  in the [main] section it sets the default for all repositories. The default is `0'.
RJ Hinton's picture Guru 18766 points
19 May 2017 4:15 PM

So a coworker of mine found this link at https://blog.packagecloud.io/eng/2014/11/24/howto-gpg-sign-verify-rpm-packages-yum-repositories/ which has some info on how to make an app armor file that is being complained about such as below...

quote from above article 
After you've generated your repository metadata using createrepo,
you can generate a detached GPG signature by running:
$ gpg --detach-sign --armor repodata/repomd.xml
This command will create a file named repodata/repomd.xml.asc
which contains an ASCII version of the GPG signature of the
repository metadata file repomd.xml.

I'm putting in a ticket with Red Hat to get their reading on this.

RJ Hinton's picture Guru 18766 points
19 May 2017 5:10 PM

---- begin quoted text from current STIG Group ID (Vulid): V-71981 Group Title: SRG-OS-000366-GPOS-00153 Rule ID: SV-86605r1_rule Severity: CAT I Rule Version (STIG-ID): RHEL-07-020070 Rule Title: The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of packages without verification of the repository metadata.

Vulnerability Discussion: Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.

Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.

Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved Certificate Authority.

Check Content:
Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification of the repository metadata.

Check that yum verifies the package metadata prior to install with the following command:

grep repo_gpgcheck /etc/yum.conf

repo_gpgcheck=1

If "repo_gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the metadata of local packages and other operating system components are verified.

If there is no process to validate the metadata of packages that is approved by the organization, this is a finding.

Fix Text: Configure the operating system to verify the repository metadata by setting the following options in the "/etc/yum.conf" file:

repo_gpgcheck=1

CCI: CCI-001749

--- end quoted text from current stig
AS Community Member 30 points
22 May 2017 7:09 PM

Excellent information, thank you for sharing! Our team resolved this issue recently by signing the repo.

KB Newbie 5 points
5 October 2017 11:41 PM

Can you provide details on how you signed the repo at https://cdn.redhat.com?

ST Community Member 20 points
13 June 2017 3:42 PM

setting the repo_gpgcheck to 0 worked!

CR Community Member 28 points
26 October 2017 1:30 AM

Yes, but the STIGs that you assisted in authoring require repo_gpgcheck=1

Kodiak Firesmith's picture Expert 1004 points
14 March 2018 4:39 PM

FYSA: Red Hat Satellite 6's upstream project for repository management (Pulp) has fixed this in the latest minor release. Hopefully the Sat6 folks can implement this in the next year or two now that it exists upstream.

https://docs.pulpproject.org/en/2.15/plugins/pulp_rpm/tech-reference/yum-plugins.html#gpg-signing-key

AL Active Contributor 156 points
15 March 2018 7:07 PM

I'm wondering if it will be also the implementation of this stig-required feature on Sat5/Spacewalk

IL Community Member 35 points
26 July 2018 7:54 PM

Post clean the yum metadata ansible installation got success through satellite EPEL repository.

[root@RHEL7TESTVM yum.repos.d]# yum clean metadata Loaded plugins: langpacks, package_upload, product-id, search-disabled-repos, subscription-manager Cleaning repos: EPEL pgdg95 rhel-7-server-rpms 0 metadata files removed 0 sqlite files removed 0 metadata files removed

SM Newbie 14 points
9 September 2019 6:25 PM

This works around the issue, but per DISA STIG you have to have the gpgcheck, localgpgcheck, and repo_gpgcheck enabled or it is a finding. The two questions I have are: 1)When is Red Hat going to provide server side GPG Armor? 2) Why would Red Hat build something in they don't intend to use? (I've been dealing with this for about four years at this point).

Kevin Gigiano's picture Community Member 39 points
11 August 2020 8:56 PM

The way to satisfy the STIG requirement is to sign the meta data of your repository with your own GPG key.

Here are the rough steps on how to fix this:

  • Create a public/private set of GPG keys.

Ensure that gpg is configured to create keys using at least SHA256

gpg2 --gen-key
  • Sign all the RPMS you want in your repository with this key.

You can add an additional signature to an RPM that has already been signed (ie. RPMs from Red Hat).

rpm --addsign [RPM]

  • Create your repository using createrepo.

  • Sign the metadata or your repository.

gpg --detach-sign --armor repodata/repomd.xml