On RHEL client, yum update fails with error "[Error 14] HTTPS Errno 404 - Not Found" and it does not download the "repomd.xml.asc" file
Environment
- Red Hat Enterprise Linux (RHEL)
- yum
- Red Hat Satellite
  - 5.x
  - 6.x
- Red Hat Update Infrastructure
  - 2.1
  - 3.x
  - 4.x
Issue
- yum was trying to download the repomd.xml.asc file on a RHEL client while running yum update and encountered the [Errno 14] HTTPS Error 404 - Not Found error message.
- Error from a Satellite/Customer Portal client:
  https://satellite.example.com/pulp/repos/Org/Library/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found
  Trying other mirror.
  rhel-7-server-rpms/x86_64 | 2.0 kB 00:00:00
  https://satellite.example.com/pulp/repos/Org/Library/content/dist/rhel/server/7/7Server/x86_64/sat-tools/6.2/os/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found
- Error from an RHUI client:
  https://cds.example.com/pulp/repos//rhui-client-config/rhel/server/7/x86_64/os/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found
  Trying other mirror.
  rhui-REGION-client-config-server-7 | 2.9 kB 00:00:00
  . .
  failure: repodata/repomd.xml.asc from rhui-REGION-client-config-server-7: [Errno 256] No more mirrors to try.
  https://cds.example.com/pulp/repos//rhui-client-config/rhel/server/7/x86_64/os/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found
  https://cds.example.com/pulp/repos//rhui-client-config/rhel/server/7/x86_64/os/repodata/repomd.xml.asc: [Errno 14] HTTPS Error 404 - Not Found
Resolution
- As GPG armor is not enabled on the server side, ensure repo_gpgcheck is set to 0 in the yum.conf file for RHEL clients.
- NOTE: repo_gpgcheck (either 1 or 0) tells yum whether or not it should perform a GPG signature check on the repodata. When this is set in the [main] section, it sets the default for all repositories. The default is 0.
- Now run yum update to confirm.
- Alternately you can create your own local repository with a custom repo_gpgkey based on the "How to create a repo gpgkey for a local repository" article.
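As an added example (not code from the Red Hat article), the following Python audit computes the effective repo_gpgcheck value for each repository, honouring the [main] default described in the note above and any per-repository override, and reports the enabled repositories for which yum will request repodata/repomd.xml.asc from a server that does not serve it. The sample yum.conf and .repo contents, the local-signed repository and the offline fake_exists probe are constructed assumptions; swap the probe for a real HEAD request to run it against live mirrors.

```python
"""Audit the effective repo_gpgcheck setting of each yum repository."""
import configparser

# Constructed sample configuration (not copied from a real host); the Satellite
# baseurl mirrors the one in the article's error output.
YUM_CONF = """
[main]
gpgcheck=1
repo_gpgcheck=1
"""
REPO_FILE = """
[rhel-7-server-rpms]
baseurl=https://satellite.example.com/pulp/repos/Org/Library/content/dist/rhel/server/7/7Server/x86_64/os/
enabled=1

[local-signed]
baseurl=https://repo.example.com/local/
enabled=1
repo_gpgcheck=1
gpgkey=https://repo.example.com/RPM-GPG-KEY-local
"""
# Offline stand-in for an HTTP HEAD probe: signature URLs the servers would serve.
SERVED = {"https://repo.example.com/local/repodata/repomd.xml.asc"}

def fake_exists(url):
    return url in SERVED

def parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def effective_repo_gpgcheck(yum_conf, repo_file):
    """Map repo id -> 0/1: the repo's own value, else the [main] default, else 0."""
    default = parse(yum_conf).getint("main", "repo_gpgcheck", fallback=0)
    repos = parse(repo_file)
    return {r: repos.getint(r, "repo_gpgcheck", fallback=default) for r in repos.sections()}

def audit(yum_conf, repo_file, exists=fake_exists):
    """(repo id, url) for enabled repos where yum will demand repomd.xml.asc
    but the server does not serve it: exactly the 404 from the article."""
    repos = parse(repo_file)
    failing = []
    for repo_id, check in effective_repo_gpgcheck(yum_conf, repo_file).items():
        if check != 1 or not repos.getboolean(repo_id, "enabled", fallback=True):
            continue
        asc_url = repos.get(repo_id, "baseurl").rstrip("/") + "/repodata/repomd.xml.asc"
        if not exists(asc_url):
            failing.append((repo_id, asc_url))
    return failing
```

Repositories listed by audit() are the ones that will produce the 404 above once repo_gpgcheck=1 is in effect; a repository that does serve a signature (the local-signed entry) keeps its per-repository check even if the [main] default is relaxed.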
Root Cause
- Currently Red Hat products (Customer Portal, Red Hat Satellite, RHUI, etc.) do not support the repo_gpgcheck option yet. yum was trying to download repomd.xml.asc because repo_gpgcheck was set to 1.
- As yum was unable to locate repomd.xml.asc on the server, because GPG armor is disabled there, it failed with the [Errno 14] HTTPS Error 404 - Not Found error message.
- On RHEL 7.4, the stig-rhel7-disa profile will add "repo_gpgcheck=1" to /etc/yum.conf.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
15 Comments
This fixes the issue, but setting repo_gpgcheck=0 would be considered a vulnerability according to a DoD/DISA STIG rule. For systems that require mandatory compliance with a DISA STIG this may come up during a vulnerability scan, unless we keep it at 1. If you look at DISA STIG ID# RHEL-07-020070, Vulnerability ID# V-71981 for RHEL 7 (as of February 2017), this would be a Category I (high) finding. Are there any plans to fix this in a future release?
This did not fix the problem. It is useless.
The actual variable name is gpgcheck, not repo_gpgcheck
From the man page (man yum.conf)
So a coworker of mine found this link at https://blog.packagecloud.io/eng/2014/11/24/howto-gpg-sign-verify-rpm-packages-yum-repositories/ which has some info on how to make an app armor file that is being complained about such as below...
quote from above article
I'm putting in a ticket with Red Hat to get their reading on this.
---- begin quoted text from current STIG
Group ID (Vulid): V-71981
Group Title: SRG-OS-000366-GPOS-00153
Rule ID: SV-86605r1_rule
Severity: CAT I
Rule Version (STIG-ID): RHEL-07-020070
Rule Title: The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of packages without verification of the repository metadata.
Vulnerability Discussion: Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved Certificate Authority.
Check Content:
Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification of the repository metadata.
Check that yum verifies the package metadata prior to install with the following command:
grep repo_gpgcheck /etc/yum.conf
repo_gpgcheck=1
If "repo_gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the metadata of local packages and other operating system components are verified.
If there is no process to validate the metadata of packages that is approved by the organization, this is a finding.
Fix Text: Configure the operating system to verify the repository metadata by setting the following options in the "/etc/yum.conf" file:
repo_gpgcheck=1
CCI: CCI-001749
--- end quoted text from current STIG
Excellent information, thank you for sharing! Our team resolved this issue recently by signing the repo.
Can you provide details on how you signed the repo at https://cdn.redhat.com?
setting the repo_gpgcheck to 0 worked!
Yes, but the STIGs that you assisted in authoring require repo_gpgcheck=1
FYSA: Red Hat Satellite 6's upstream project for repository management (Pulp) has fixed this in the latest minor release. Hopefully the Sat6 folks can implement this in the next year or two now that it exists upstream.
https://docs.pulpproject.org/en/2.15/plugins/pulp_rpm/tech-reference/yum-plugins.html#gpg-signing-key
I'm wondering if it will be also the implementation of this stig-required feature on Sat5/Spacewalk
After cleaning the yum metadata, the ansible installation succeeded through the Satellite EPEL repository.
[root@RHEL7TESTVM yum.repos.d]# yum clean metadata
Loaded plugins: langpacks, package_upload, product-id, search-disabled-repos, subscription-manager
Cleaning repos: EPEL pgdg95 rhel-7-server-rpms
0 metadata files removed
0 sqlite files removed
0 metadata files removed
This works around the issue, but per DISA STIG you have to have gpgcheck, localgpgcheck, and repo_gpgcheck enabled or it is a finding. The two questions I have are: 1) When is Red Hat going to provide server side GPG Armor? 2) Why would Red Hat build something in they don't intend to use? (I've been dealing with this for about four years at this point).
Create your repository using createrepo.
Sign the metadata of your repository.