On RHEL client, yum update fails with error "[Errno 14] HTTPS Error 404 - Not Found", yum was unable to download "repomd.xml.asc" file.

Solution Verified

Environment

  • Red Hat Satellite 6.x
  • Red Hat Satellite 5.x
  • Red Hat Update Infrastructure 2.1
  • yum
  • Red Hat Enterprise Linux

Issue

  • While running yum update on a RHEL client, yum tried to download the repomd.xml.asc file and failed with the error message [Errno 14] HTTPS Error 404 - Not Found.

Error from Satellite/Customer Portal Client:

https://satellite.example.com/pulp/repos/Org/Library/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
rhel-7-server-rpms/x86_64                                                                                                                             | 2.0 kB  00:00:00     
https://satellite.example.com/pulp/repos/Org/Library/content/dist/rhel/server/7/7Server/x86_64/sat-tools/6.2/os/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found

Error from RHUI client:

https://cds.example.com/pulp/repos//rhui-client-config/rhel/server/7/x86_64/os/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
rhui-REGION-client-config-server-7                                                                                                                                                    | 2.9 kB  00:00:00
.
.
failure: repodata/repomd.xml.asc from rhui-REGION-client-config-server-7: [Errno 256] No more mirrors to try.
https://cds.example.com/pulp/repos//rhui-client-config/rhel/server/7/x86_64/os/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found
https://cds.example.com/pulp/repos//rhui-client-config/rhel/server/7/x86_64/os/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found

Resolution

  • GPG armor is not enabled on the server side, so ensure repo_gpgcheck is set to 0 in the yum.conf file on RHEL clients.

    NOTE : repo_gpgcheck, either 1 or 0, tells yum whether or not it should perform a GPG signature check on the repodata. When this is set in the [main] section, it sets the default for all repositories. The default is 0.

  • Now run yum update to confirm.


Root Cause

  • Currently, Red Hat products (Customer Portal, Red Hat Satellite, RHUI, etc.) do not support the repo_gpgcheck option.
  • Yum was trying to download repomd.xml.asc because repo_gpgcheck was set to 1.
  • As GPG armor is disabled on the server, yum was unable to locate repomd.xml.asc there and failed with the [Errno 14] HTTPS Error 404 - Not Found error message.

  • With RHEL 7.4, the stig-rhel7-disa profile will add "repo_gpgcheck=1" to /etc/yum.conf
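The Resolution and Root Cause above turn on one setting with two scopes: repo_gpgcheck in the [main] section of /etc/yum.conf is only the default, and each repository section in a .repo file may carry its own value. The script below is an added example (not part of this Red Hat solution, and not yum's own code) that parses a yum.conf and a set of .repo files with the standard library, reports the effective repo_gpgcheck value per enabled repository, and lists the repomd.xml.asc URLs yum would try to fetch, which are exactly the URLs that returned 404 in the errors above. The configuration text is constructed for illustration: the hostnames are the example.com names from the article, while the repository ids, file names and the per-repo override are assumptions.

```python
"""
Added example: audit the effective repo_gpgcheck setting on a yum client.
Standard library only; all configuration text below is constructed.
"""
import configparser
from typing import Dict, List

# Constructed sample /etc/yum.conf. [main] sets the default for every
# repository, as the stig-rhel7-disa profile does with repo_gpgcheck=1.
YUM_CONF = """
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
gpgcheck=1
repo_gpgcheck=1
"""

# Constructed sample .repo files (file names and repo ids are assumptions).
# The first repo overrides the [main] default; the second inherits it.
REPO_FILES: Dict[str, str] = {
    "redhat.repo": """
[rhel-7-server-rpms]
name=Red Hat Enterprise Linux 7 Server (RPMs)
baseurl=https://satellite.example.com/pulp/repos/Org/Library/content/dist/rhel/server/7/7Server/x86_64/os
enabled=1
gpgcheck=1
repo_gpgcheck=0
""",
    "rhui-client-config.repo": """
[rhui-REGION-client-config-server-7]
name=RHUI client configuration
baseurl=https://cds.example.com/pulp/repos//rhui-client-config/rhel/server/7/x86_64/os
enabled=1
gpgcheck=1
""",
}


def _parse(text: str) -> configparser.ConfigParser:
    # interpolation=None keeps yum variables such as $basearch literal;
    # configparser accepts both "key=value" and "key = value" like yum does.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def main_default(yum_conf: str) -> bool:
    """repo_gpgcheck from the [main] section; yum's built-in default is 0."""
    cp = _parse(yum_conf)
    if cp.has_section("main"):
        # getboolean understands the "1"/"0" values yum uses.
        return cp.getboolean("main", "repo_gpgcheck", fallback=False)
    return False


def effective_repo_gpgcheck(yum_conf: str, repo_files: Dict[str, str]) -> Dict[str, bool]:
    """Map each enabled repository id to the repo_gpgcheck value yum applies."""
    default = main_default(yum_conf)
    result: Dict[str, bool] = {}
    for text in repo_files.values():
        cp = _parse(text)
        for repo_id in cp.sections():
            if not cp.getboolean(repo_id, "enabled", fallback=True):
                continue
            # A per-repo value wins; otherwise the [main] default applies.
            result[repo_id] = cp.getboolean(repo_id, "repo_gpgcheck", fallback=default)
    return result


def signature_urls(yum_conf: str, repo_files: Dict[str, str]) -> List[str]:
    """repomd.xml.asc URLs yum will request for repos that verify repodata."""
    checks = effective_repo_gpgcheck(yum_conf, repo_files)
    urls: List[str] = []
    for text in repo_files.values():
        cp = _parse(text)
        for repo_id in cp.sections():
            if checks.get(repo_id) and cp.has_option(repo_id, "baseurl"):
                base = cp.get(repo_id, "baseurl").rstrip("/")
                urls.append(f"{base}/repodata/repomd.xml.asc")
    return urls


if __name__ == "__main__":
    print(f"[main] repo_gpgcheck default: {int(main_default(YUM_CONF))}")
    for repo_id, enabled in effective_repo_gpgcheck(YUM_CONF, REPO_FILES).items():
        print(f"{repo_id}: repo_gpgcheck={int(enabled)}")
    for url in signature_urls(YUM_CONF, REPO_FILES):
        print(f"would fetch: {url}")
```

Run it against the constructed input and only the RHUI repository, which inherits the [main] default of 1, appears in the "would fetch" list; that is the request a server without GPG armor answers with a 404. Point the functions at the real /etc/yum.conf and the contents of /etc/yum.repos.d/*.repo to see which repositories on a host will still try to fetch repomd.xml.asc after a change to either scope.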

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

13 Comments

This fixes the issue, but setting repo_gpgcheck=0 would be considered a vulnerability according to a DoD/DISA STIG rule. For systems that require mandatory compliance with a DISA STIG this may come up during a vulnerability scan, unless we keep it at 1. If you look at DISA STIG ID# RHEL-07-020070, Vulnerability ID# V-71981 for RHEL 7 (as of February 2017), this would be a Category I (high) finding. Are there any plans to fix this in a future release?

This did not fix the problem. It is useless.

The actual variable name is gpgcheck, not repo_gpgcheck

From the man page (man yum.conf)

              gpgcheck Either `1' or `0'. This tells yum whether or not it should perform a GPG signature check on  packages.  When this is set  in  the  [main] section it sets the default for all repositories.  The default is `0'.
(...)
              repo_gpgcheck Either `1' or `0'. This tells yum whether or not it should perform a GPG signature check on the  repodata.  When this is set  in the [main] section it sets the default for all repositories. The default is `0'.

So a coworker of mine found this link at https://blog.packagecloud.io/eng/2014/11/24/howto-gpg-sign-verify-rpm-packages-yum-repositories/ which has some info on how to make an app armor file that is being complained about such as below...

Quote from the above article:
After you've generated your repository metadata using createrepo,
you can generate a detached GPG signature by running:
$ gpg --detach-sign --armor repodata/repomd.xml
This command will create a file named repodata/repomd.xml.asc
which contains an ASCII version of the GPG signature of the
repository metadata file repomd.xml.

I'm putting in a ticket with Red Hat to get their reading on this.

---- begin quoted text from current STIG
Group ID (Vulid): V-71981
Group Title: SRG-OS-000366-GPOS-00153
Rule ID: SV-86605r1_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-020070
Rule Title: The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of packages without verification of the repository metadata.

Vulnerability Discussion: Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.

Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.

Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved Certificate Authority.

Check Content:
Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification of the repository metadata.

Check that yum verifies the package metadata prior to install with the following command:

grep repo_gpgcheck /etc/yum.conf

repo_gpgcheck=1

If "repo_gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the metadata of local packages and other operating system components are verified.

If there is no process to validate the metadata of packages that is approved by the organization, this is a finding.

Fix Text: Configure the operating system to verify the repository metadata by setting the following options in the "/etc/yum.conf" file:

repo_gpgcheck=1

CCI: CCI-001749

--- end quoted text from current stig

Excellent information, thank you for sharing! Our team resolved this issue recently by signing the repo.

Can you provide details on how you signed the repo at https://cdn.redhat.com?

setting the repo_gpgcheck to 0 worked!

Yes, but the STIGs that you assisted in authoring require repo_gpgcheck=1

FYSA: Red Hat Satellite 6's upstream project for repository management (Pulp) has fixed this in the latest minor release. Hopefully the Sat6 folks can implement this in the next year or two now that it exists upstream.

https://docs.pulpproject.org/en/2.15/plugins/pulp_rpm/tech-reference/yum-plugins.html#gpg-signing-key

I'm wondering if this STIG-required feature will also be implemented on Sat5/Spacewalk.

After cleaning the yum metadata, the ansible installation succeeded through the Satellite EPEL repository.

[root@RHEL7TESTVM yum.repos.d]# yum clean metadata
Loaded plugins: langpacks, package_upload, product-id, search-disabled-repos, subscription-manager
Cleaning repos: EPEL pgdg95 rhel-7-server-rpms
0 metadata files removed
0 sqlite files removed
0 metadata files removed