Discussion:
[Spacewalk-list] RHEL repo sync error - CURL #60
Raymond Setchfield
2018-10-08 10:47:08 UTC
Permalink
Hi

I have been attempting to pull the RHEL updates into spacewalk, and I am
receiving the following error;

# spacewalk-repo-sync -c rhel07-update
11:44:03 ======================================
11:44:03 | Channel: rhel07-update
11:44:03 ======================================
11:44:03 Sync of channel started.
11:44:03
11:44:03 Processing repository with URL:
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
Repository group_spacewalkproject-java-packages is listed more than once in
the configuration
11:44:03 ERROR: failure: repodata/repomd.xml from rhel07-update.repo:
[Errno 256] No more mirrors to try.
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml:
[Errno 14] curl#60 - "Peer's certificate issuer has been marked as not
trusted by the user."
11:44:03 Sync of channel completed in 0:00:00.
11:44:03 Total time: 0:00:00

Looking into this it appears to be a certificate issue from what I can
gather. My assumption is to use the "redhat-uep.pem" Is this correct? If so
where do I place this to allow the curl to work? Or am I off in the wrong
direction

Thanks

Ray
Irwin, Jeffrey
2018-10-09 12:04:25 UTC
Permalink
?Same issue I ma having, interested to see the solution.

________________________________
From: spacewalk-list-***@redhat.com <spacewalk-list-***@redhat.com> on behalf of Raymond Setchfield <***@gmail.com>
Sent: Monday, October 8, 2018 6:47 AM
To: spacewalk-***@redhat.com
Subject: [Spacewalk-list] RHEL repo sync error - CURL #60

Hi

I have been attempting to pull the RHEL updates into spacewalk, and I am receiving the following error;

# spacewalk-repo-sync -c rhel07-update
11:44:03 ======================================
11:44:03 | Channel: rhel07-update
11:44:03 ======================================
11:44:03 Sync of channel started.
11:44:03
11:44:03 Processing repository with URL: https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
Repository group_spacewalkproject-java-packages is listed more than once in the configuration
11:44:03 ERROR: failure: repodata/repomd.xml from rhel07-update.repo: [Errno 256] No more mirrors to try.
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
11:44:03 Sync of channel completed in 0:00:00.
11:44:03 Total time: 0:00:00

Looking into this it appears to be a certificate issue from what I can gather. My assumption is to use the "redhat-uep.pem" Is this correct? If so where do I place this to allow the curl to work? Or am I off in the wrong direction

Thanks

Ray
Raymond Setchfield
2018-10-09 12:36:50 UTC
Permalink
Hi Jeffrey

Hopefully getting closer to resolving the problem.

copy the redhat-uep.pem to your spacewalk server to the following location
#> /usr/share/pki/ca-trust-source/anchors/redhat-uep.pem
run
#> update-ca-trust

This will resolve the trust issue, but now I am receiving an issue when
attempting to run the sync. Getting a 403 forbidden message.

[***@spacewalk ~]# spacewalk-repo-sync -c rhel07-update
13:32:44 ======================================
13:32:44 | Channel: rhel07-update
13:32:44 ======================================
13:32:44 Sync of channel started.
13:32:44
13:32:44 Processing repository with URL: https://<username>:<password>@
cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
Repository group_spacewalkproject-java-packages is listed more than once in
the configuration
13:32:44 ERROR: failure: repodata/repomd.xml from rhel07-update.repo:
[Errno 256] No more mirrors to try.
https://<username>:<password>@
cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml:
[Errno 14] HTTPS Error 403 - Forbidden
13:32:45 Sync of channel completed in 0:00:00.
13:32:45 Total time: 0:00:00
[***@spacewalk ~]#

Thanks

Ray


On Tue, Oct 9, 2018 at 1:05 PM Irwin, Jeffrey <
***@rivertechllc.com> wrote:

> ​Same issue I ma having, interested to see the solution.
> ------------------------------
> *From:* spacewalk-list-***@redhat.com <
> spacewalk-list-***@redhat.com> on behalf of Raymond Setchfield <
> ***@gmail.com>
> *Sent:* Monday, October 8, 2018 6:47 AM
> *To:* spacewalk-***@redhat.com
> *Subject:* [Spacewalk-list] RHEL repo sync error - CURL #60
>
> Hi
>
> I have been attempting to pull the RHEL updates into spacewalk, and I am
> receiving the following error;
>
> # spacewalk-repo-sync -c rhel07-update
> 11:44:03 ======================================
> 11:44:03 | Channel: rhel07-update
> 11:44:03 ======================================
> 11:44:03 Sync of channel started.
> 11:44:03
> 11:44:03 Processing repository with URL:
> https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
> Repository group_spacewalkproject-java-packages is listed more than once
> in the configuration
> 11:44:03 ERROR: failure: repodata/repomd.xml from rhel07-update.repo:
> [Errno 256] No more mirrors to try.
>
> https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml:
> [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not
> trusted by the user."
> 11:44:03 Sync of channel completed in 0:00:00.
> 11:44:03 Total time: 0:00:00
>
> Looking into this it appears to be a certificate issue from what I can
> gather. My assumption is to use the "redhat-uep.pem" Is this correct? If so
> where do I place this to allow the curl to work? Or am I off in the wrong
> direction
>
> Thanks
>
> Ray
>
>
>
>
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-***@redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
Irwin, Jeffrey
2018-10-09 13:15:31 UTC
Permalink
?Ray, Thank you......Where is this copied from? Do you have a local repo?

________________________________
From: spacewalk-list-***@redhat.com <spacewalk-list-***@redhat.com> on behalf of Raymond Setchfield <***@gmail.com>
Sent: Tuesday, October 9, 2018 8:36 AM
To: spacewalk-***@redhat.com
Subject: Re: [Spacewalk-list] RHEL repo sync error - CURL #60

Hi Jeffrey

Hopefully getting closer to resolving the problem.

copy the redhat-uep.pem to your spacewalk server to the following location
#> /usr/share/pki/ca-trust-source/anchors/redhat-uep.pem
run
#> update-ca-trust

This will resolve the trust issue, but now I am receiving an issue when attempting to run the sync. Getting a 403 forbidden message.

[***@spacewalk ~]# spacewalk-repo-sync -c rhel07-update
13:32:44 ======================================
13:32:44 | Channel: rhel07-update
13:32:44 ======================================
13:32:44 Sync of channel started.
13:32:44
13:32:44 Processing repository with URL: https://<username>:<password>@cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os<http://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os>
Repository group_spacewalkproject-java-packages is listed more than once in the configuration
13:32:44 ERROR: failure: repodata/repomd.xml from rhel07-update.repo: [Errno 256] No more mirrors to try.
https://<username>:<password>@cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml<http://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml>: [Errno 14] HTTPS Error 403 - Forbidden
13:32:45 Sync of channel completed in 0:00:00.
13:32:45 Total time: 0:00:00
[***@spacewalk ~]#

Thanks

Ray


On Tue, Oct 9, 2018 at 1:05 PM Irwin, Jeffrey <***@rivertechllc.com<mailto:***@rivertechllc.com>> wrote:

?Same issue I ma having, interested to see the solution.

________________________________
From: spacewalk-list-***@redhat.com<mailto:spacewalk-list-***@redhat.com> <spacewalk-list-***@redhat.com<mailto:spacewalk-list-***@redhat.com>> on behalf of Raymond Setchfield <***@gmail.com<mailto:***@gmail.com>>
Sent: Monday, October 8, 2018 6:47 AM
To: spacewalk-***@redhat.com<mailto:spacewalk-***@redhat.com>
Subject: [Spacewalk-list] RHEL repo sync error - CURL #60

Hi

I have been attempting to pull the RHEL updates into spacewalk, and I am receiving the following error;

# spacewalk-repo-sync -c rhel07-update
11:44:03 ======================================
11:44:03 | Channel: rhel07-update
11:44:03 ======================================
11:44:03 Sync of channel started.
11:44:03
11:44:03 Processing repository with URL: https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
Repository group_spacewalkproject-java-packages is listed more than once in the configuration
11:44:03 ERROR: failure: repodata/repomd.xml from rhel07-update.repo: [Errno 256] No more mirrors to try.
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
11:44:03 Sync of channel completed in 0:00:00.
11:44:03 Total time: 0:00:00

Looking into this it appears to be a certificate issue from what I can gather. My assumption is to use the "redhat-uep.pem" Is this correct? If so where do I place this to allow the curl to work? Or am I off in the wrong direction

Thanks

Ray
Raymond Setchfield
2018-10-09 13:17:07 UTC
Permalink
Hi mate

I pulled it from a RHEL machine which I built to see what the difference
was, and intensive googling :)

Ray

On Tue, Oct 9, 2018 at 2:15 PM Irwin, Jeffrey <
***@rivertechllc.com> wrote:

> ​Ray, Thank you......Where is this copied from? Do you have a local repo?
> ------------------------------
> *From:* spacewalk-list-***@redhat.com <
> spacewalk-list-***@redhat.com> on behalf of Raymond Setchfield <
> ***@gmail.com>
> *Sent:* Tuesday, October 9, 2018 8:36 AM
> *To:* spacewalk-***@redhat.com
> *Subject:* Re: [Spacewalk-list] RHEL repo sync error - CURL #60
>
> Hi Jeffrey
>
> Hopefully getting closer to resolving the problem.
>
> copy the redhat-uep.pem to your spacewalk server to the following location
> #> /usr/share/pki/ca-trust-source/anchors/redhat-uep.pem
> run
> #> update-ca-trust
>
> This will resolve the trust issue, but now I am receiving an issue when
> attempting to run the sync. Getting a 403 forbidden message.
>
> [***@spacewalk ~]# spacewalk-repo-sync -c rhel07-update
> 13:32:44 ======================================
> 13:32:44 | Channel: rhel07-update
> 13:32:44 ======================================
> 13:32:44 Sync of channel started.
> 13:32:44
> 13:32:44 Processing repository with URL: https://<username>:<password>@
> cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
> Repository group_spacewalkproject-java-packages is listed more than once
> in the configuration
> 13:32:44 ERROR: failure: repodata/repomd.xml from rhel07-update.repo:
> [Errno 256] No more mirrors to try.
> https://<username>:<password>@
> cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml:
> [Errno 14] HTTPS Error 403 - Forbidden
> 13:32:45 Sync of channel completed in 0:00:00.
> 13:32:45 Total time: 0:00:00
> [***@spacewalk ~]#
>
> Thanks
>
> Ray
>
>
> On Tue, Oct 9, 2018 at 1:05 PM Irwin, Jeffrey <
> ***@rivertechllc.com> wrote:
>
>> ​Same issue I ma having, interested to see the solution.
>> ------------------------------
>> *From:* spacewalk-list-***@redhat.com <
>> spacewalk-list-***@redhat.com> on behalf of Raymond Setchfield <
>> ***@gmail.com>
>> *Sent:* Monday, October 8, 2018 6:47 AM
>> *To:* spacewalk-***@redhat.com
>> *Subject:* [Spacewalk-list] RHEL repo sync error - CURL #60
>>
>> Hi
>>
>> I have been attempting to pull the RHEL updates into spacewalk, and I am
>> receiving the following error;
>>
>> # spacewalk-repo-sync -c rhel07-update
>> 11:44:03 ======================================
>> 11:44:03 | Channel: rhel07-update
>> 11:44:03 ======================================
>> 11:44:03 Sync of channel started.
>> 11:44:03
>> 11:44:03 Processing repository with URL:
>> https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
>> Repository group_spacewalkproject-java-packages is listed more than once
>> in the configuration
>> 11:44:03 ERROR: failure: repodata/repomd.xml from rhel07-update.repo:
>> [Errno 256] No more mirrors to try.
>>
>> https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml:
>> [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not
>> trusted by the user."
>> 11:44:03 Sync of channel completed in 0:00:00.
>> 11:44:03 Total time: 0:00:00
>>
>> Looking into this it appears to be a certificate issue from what I can
>> gather. My assumption is to use the "redhat-uep.pem" Is this correct? If so
>> where do I place this to allow the curl to work? Or am I off in the wrong
>> direction
>>
>> Thanks
>>
>> Ray
>>
>>
>>
>>
>> _______________________________________________
>> Spacewalk-list mailing list
>> Spacewalk-***@redhat.com
>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-***@redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
Irwin, Jeffrey
2018-10-09 15:43:40 UTC
Permalink
I just rebuilt my spacewalk this morning (couldnt keep track of all the things i tried).

I copied /etc/rhsm/ca/redhat-uep.pem to /usr/share/pki/ca-trust-source/anchors/

ran update-ca-trust


tried to sync repo


spacewalk-repo-sync --channel rhel7_server
11:39:26 ======================================
11:39:26 | Channel: rhel7_server
11:39:26 ======================================
11:39:26 Sync of channel started.
11:39:26
11:39:26 Processing repository with URL: https://cdn.redhat.com/content/dist/rhel/server/7/$releasever/$basearch/os
​11:39:26 ERROR: failure: repodata/repomd.xml from rhel7_server_rpms_x86_64: [Errno 256] No more mirrors to try.
https://cdn.redhat.com/content/dist/rhel/server/7/$releasever/$basearch/os/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden
11:39:26 Sync of channel completed in 0:00:00.
11:39:26 Total time: 0:00:00





________________________________
From: spacewalk-list-***@redhat.com <spacewalk-list-***@redhat.com> on behalf of Raymond Setchfield <***@gmail.com>
Sent: Tuesday, October 9, 2018 8:36 AM
To: spacewalk-***@redhat.com
Subject: Re: [Spacewalk-list] RHEL repo sync error - CURL #60

Hi Jeffrey

Hopefully getting closer to resolving the problem.

copy the redhat-uep.pem to your spacewalk server to the following location
#> /usr/share/pki/ca-trust-source/anchors/redhat-uep.pem
run
#> update-ca-trust

This will resolve the trust issue, but now I am receiving an issue when attempting to run the sync. Getting a 403 forbidden message.

[***@spacewalk ~]# spacewalk-repo-sync -c rhel07-update
13:32:44 ======================================
13:32:44 | Channel: rhel07-update
13:32:44 ======================================
13:32:44 Sync of channel started.
13:32:44
13:32:44 Processing repository with URL: https://<username>:<password>@cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os<http://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os>
Repository group_spacewalkproject-java-packages is listed more than once in the configuration
13:32:44 ERROR: failure: repodata/repomd.xml from rhel07-update.repo: [Errno 256] No more mirrors to try.
https://<username>:<password>@cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml<http://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml>: [Errno 14] HTTPS Error 403 - Forbidden
13:32:45 Sync of channel completed in 0:00:00.
13:32:45 Total time: 0:00:00
[***@spacewalk ~]#

Thanks

Ray


On Tue, Oct 9, 2018 at 1:05 PM Irwin, Jeffrey <***@rivertechllc.com<mailto:***@rivertechllc.com>> wrote:

​Same issue I ma having, interested to see the solution.

________________________________
From: spacewalk-list-***@redhat.com<mailto:spacewalk-list-***@redhat.com> <spacewalk-list-***@redhat.com<mailto:spacewalk-list-***@redhat.com>> on behalf of Raymond Setchfield <***@gmail.com<mailto:***@gmail.com>>
Sent: Monday, October 8, 2018 6:47 AM
To: spacewalk-***@redhat.com<mailto:spacewalk-***@redhat.com>
Subject: [Spacewalk-list] RHEL repo sync error - CURL #60

Hi

I have been attempting to pull the RHEL updates into spacewalk, and I am receiving the following error;

# spacewalk-repo-sync -c rhel07-update
11:44:03 ======================================
11:44:03 | Channel: rhel07-update
11:44:03 ======================================
11:44:03 Sync of channel started.
11:44:03
11:44:03 Processing repository with URL: https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
Repository group_spacewalkproject-java-packages is listed more than once in the configuration
11:44:03 ERROR: failure: repodata/repomd.xml from rhel07-update.repo: [Errno 256] No more mirrors to try.
https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
11:44:03 Sync of channel completed in 0:00:00.
11:44:03 Total time: 0:00:00

Looking into this it appears to be a certificate issue from what I can gather. My assumption is to use the "redhat-uep.pem" Is this correct? If so where do I place this to allow the curl to work? Or am I off in the wrong direction

Thanks

Ray




_______________________________________________
Spacewalk-list mailing list
Spacewalk-***@redhat.com<mailto:Spacewalk-***@redhat.com>
https://www.redhat.com/mailman/listinfo/spacewalk-list
Robert Paschedag
2018-10-09 12:41:29 UTC
Permalink
Am 9. Oktober 2018 14:04:25 MESZ schrieb "Irwin, Jeffrey" <***@rivertechllc.com>:
>?Same issue I ma having, interested to see the solution.

I think manpage of update-ca-certificates should help.

Get the issuer cert, update the local CA certs and it should run (in case, there is no new rpm which updates the certs)

Robert
>
>________________________________
>From: spacewalk-list-***@redhat.com
><spacewalk-list-***@redhat.com> on behalf of Raymond Setchfield
><***@gmail.com>
>Sent: Monday, October 8, 2018 6:47 AM
>To: spacewalk-***@redhat.com
>Subject: [Spacewalk-list] RHEL repo sync error - CURL #60
>
>Hi
>
>I have been attempting to pull the RHEL updates into spacewalk, and I
>am receiving the following error;
>
># spacewalk-repo-sync -c rhel07-update
>11:44:03 ======================================
>11:44:03 | Channel: rhel07-update
>11:44:03 ======================================
>11:44:03 Sync of channel started.
>11:44:03
>11:44:03 Processing repository with URL:
>https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
>Repository group_spacewalkproject-java-packages is listed more than
>once in the configuration
>11:44:03 ERROR: failure: repodata/repomd.xml from rhel07-update.repo:
>[Errno 256] No more mirrors to try.
>https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml:
>[Errno 14] curl#60 - "Peer's certificate issuer has been marked as not
>trusted by the user."
>11:44:03 Sync of channel completed in 0:00:00.
>11:44:03 Total time: 0:00:00
>
>Looking into this it appears to be a certificate issue from what I can
>gather. My assumption is to use the "redhat-uep.pem" Is this correct?
>If so where do I place this to allow the curl to work? Or am I off in
>the wrong direction
>
>Thanks
>
>Ray


--
sent from my mobile device
Irwin, Jeffrey
2018-10-09 12:46:58 UTC
Permalink
I have tried this with a local mirror repo......no dice, tried it with subscribed RHEL repo, no dice, trying to track this pesky cert issue. Will check out the man page and see, would be nice to see a more verbose indication of what cert it is trying to use, where it is, etc..
________________________________________
From: Robert Paschedag <***@web.de>
Sent: Tuesday, October 9, 2018 8:41 AM
To: spacewalk-***@redhat.com; Irwin, Jeffrey; spacewalk-***@redhat.com
Subject: Re: [Spacewalk-list] RHEL repo sync error - CURL #60

Am 9. Oktober 2018 14:04:25 MESZ schrieb "Irwin, Jeffrey" <***@rivertechllc.com>:
>?Same issue I ma having, interested to see the solution.

I think manpage of update-ca-certificates should help.

Get the issuer cert, update the local CA certs and it should run (in case, there is no new rpm which updates the certs)

Robert
>
>________________________________
>From: spacewalk-list-***@redhat.com
><spacewalk-list-***@redhat.com> on behalf of Raymond Setchfield
><***@gmail.com>
>Sent: Monday, October 8, 2018 6:47 AM
>To: spacewalk-***@redhat.com
>Subject: [Spacewalk-list] RHEL repo sync error - CURL #60
>
>Hi
>
>I have been attempting to pull the RHEL updates into spacewalk, and I
>am receiving the following error;
>
># spacewalk-repo-sync -c rhel07-update
>11:44:03 ======================================
>11:44:03 | Channel: rhel07-update
>11:44:03 ======================================
>11:44:03 Sync of channel started.
>11:44:03
>11:44:03 Processing repository with URL:
>https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
>Repository group_spacewalkproject-java-packages is listed more than
>once in the configuration
>11:44:03 ERROR: failure: repodata/repomd.xml from rhel07-update.repo:
>[Errno 256] No more mirrors to try.
>https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml:
>[Errno 14] curl#60 - "Peer's certificate issuer has been marked as not
>trusted by the user."
>11:44:03 Sync of channel completed in 0:00:00.
>11:44:03 Total time: 0:00:00
>
>Looking into this it appears to be a certificate issue from what I can
>gather. My assumption is to use the "redhat-uep.pem" Is this correct?
>If so where do I place this to allow the curl to work? Or am I off in
>the wrong direction
>
>Thanks
>
>Ray


--
sent from my mobile device
Raymond Setchfield
2018-10-09 13:08:53 UTC
Permalink
Hi Robert

>From my previous mail. I have got that working fine :)

Just forbidden now. Are you aware of anything which I am potentially
missing?

Ray

On Tue, Oct 9, 2018 at 1:41 PM Robert Paschedag <***@web.de>
wrote:

> Am 9. Oktober 2018 14:04:25 MESZ schrieb "Irwin, Jeffrey" <
> ***@rivertechllc.com>:
> >?Same issue I ma having, interested to see the solution.
>
> I think manpage of update-ca-certificates should help.
>
> Get the issuer cert, update the local CA certs and it should run (in case,
> there is no new rpm which updates the certs)
>
> Robert
> >
> >________________________________
> >From: spacewalk-list-***@redhat.com
> ><spacewalk-list-***@redhat.com> on behalf of Raymond Setchfield
> ><***@gmail.com>
> >Sent: Monday, October 8, 2018 6:47 AM
> >To: spacewalk-***@redhat.com
> >Subject: [Spacewalk-list] RHEL repo sync error - CURL #60
> >
> >Hi
> >
> >I have been attempting to pull the RHEL updates into spacewalk, and I
> >am receiving the following error;
> >
> ># spacewalk-repo-sync -c rhel07-update
> >11:44:03 ======================================
> >11:44:03 | Channel: rhel07-update
> >11:44:03 ======================================
> >11:44:03 Sync of channel started.
> >11:44:03
> >11:44:03 Processing repository with URL:
> >https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
> >Repository group_spacewalkproject-java-packages is listed more than
> >once in the configuration
> >11:44:03 ERROR: failure: repodata/repomd.xml from rhel07-update.repo:
> >[Errno 256] No more mirrors to try.
> >
> https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml
> :
> >[Errno 14] curl#60 - "Peer's certificate issuer has been marked as not
> >trusted by the user."
> >11:44:03 Sync of channel completed in 0:00:00.
> >11:44:03 Total time: 0:00:00
> >
> >Looking into this it appears to be a certificate issue from what I can
> >gather. My assumption is to use the "redhat-uep.pem" Is this correct?
> >If so where do I place this to allow the curl to work? Or am I off in
> >the wrong direction
> >
> >Thanks
> >
> >Ray
>
>
> --
> sent from my mobile device
>
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-***@redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
>
Robert Paschedag
2018-10-09 13:50:11 UTC
Permalink
Am 9. Oktober 2018 15:24:55 MESZ schrieb sandwormusmc <***@gmail.com>:
>Looks like an issue Red Hat should fix, too be honest.  While you could
>pull the CA cert of the issuer and import it, I get an invalid issuer
>error when I pull up that URL in my browser, too.  So updating your CA
>certs may not help either (unless Red Hat provides the root cert for
>whomever generated the cert for cdn.redhat.com).
>If you have a Red Hat support contract, I would open a ticket with this
>information and ask for their input. 
>
>
>Sent from my Verizon, Samsung Galaxy smartphone
>-------- Original message --------From: "Irwin, Jeffrey"
><***@rivertechllc.com> Date: 10/9/18 8:46 AM (GMT-05:00)
>To: Robert Paschedag <***@web.de>,
>spacewalk-***@redhat.com Subject: Re: [Spacewalk-list] RHEL repo sync
>error - CURL #60
>I have tried this with a local mirror repo......no dice, tried it with
>subscribed RHEL repo, no dice, trying to track this pesky cert issue. 
>Will check out the man page and see, would be nice to see a more
>verbose indication of what cert it is trying to use, where it is, etc..
>________________________________________
>From: Robert Paschedag <***@web.de>
>Sent: Tuesday, October 9, 2018 8:41 AM
>To: spacewalk-***@redhat.com; Irwin, Jeffrey;
>spacewalk-***@redhat.com
>Subject: Re: [Spacewalk-list] RHEL repo sync error - CURL #60
>
>Am 9. Oktober 2018 14:04:25 MESZ schrieb "Irwin, Jeffrey"
><***@rivertechllc.com>:
>>?Same issue I ma having, interested to see the solution.
>
>I think manpage of update-ca-certificates should help.
>
>Get the issuer cert, update the local CA certs and it should run (in
>case, there is no new rpm which updates the certs)
>
>Robert
>>
>>________________________________
>>From: spacewalk-list-***@redhat.com
>><spacewalk-list-***@redhat.com> on behalf of Raymond Setchfield
>><***@gmail.com>
>>Sent: Monday, October 8, 2018 6:47 AM
>>To: spacewalk-***@redhat.com
>>Subject: [Spacewalk-list] RHEL repo sync error - CURL #60
>>
>>Hi
>>
>>I have been attempting to pull the RHEL updates into spacewalk, and I
>>am receiving the following error;
>>
>># spacewalk-repo-sync -c rhel07-update
>>11:44:03 ======================================
>>11:44:03 | Channel: rhel07-update
>>11:44:03 ======================================
>>11:44:03 Sync of channel started.
>>11:44:03
>>11:44:03   Processing repository with URL:
>>https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
>>Repository group_spacewalkproject-java-packages is listed more than
>>once in the configuration
>>11:44:03 ERROR: failure: repodata/repomd.xml from rhel07-update.repo:
>>[Errno 256] No more mirrors to try.
>>https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml:
>>[Errno 14] curl#60 - "Peer's certificate issuer has been marked as not
>>trusted by the user."
>>11:44:03 Sync of channel completed in 0:00:00.
>>11:44:03 Total time: 0:00:00
>>
>>Looking into this it appears to be a certificate issue from what I can
>>gather. My assumption is to use the "redhat-uep.pem" Is this correct?
>>If so where do I place this to allow the curl to work? Or am I off in
>>the wrong direction
>>
>>Thanks
>>
>>Ray
>
>
>--
>sent from my mobile device
>
>_______________________________________________
>Spacewalk-list mailing list
>Spacewalk-***@redhat.com
>https://www.redhat.com/mailman/listinfo/spacewalk-list

There is a self signed cert within the SSL path, which does not seem to be on your cert parts.

So download the certs via the browser (export root ca and intermediate cas), put the in the "anchors" directory (where update-ca-trust or update-ca-certificates wants them to be), update the certs... Then try again.

Robert
--
sent from my mobile device
Matt Moldvan
2018-10-09 15:21:04 UTC
Permalink
Oops, looks like my replies weren't making it to the mailing list (forgot
to change the "From" option).

Anyway, I intended to reply to the list and not just Robert...

On Tue, Oct 9, 2018 at 11:18 AM Matt Moldvan <***@gmail.com> wrote:

> Yeah, makes sense. My point was that Red Hat expecting this to be done by
> it's customers is silly and they shouldn't be using self signed certs in
> the path and making their customers do extra work...
>
> On Tue, Oct 9, 2018 at 9:50 AM Robert Paschedag <***@web.de>
> wrote:
>
>> Am 9. Oktober 2018 15:24:55 MESZ schrieb sandwormusmc <
>> ***@gmail.com>:
>> >Looks like an issue Red Hat should fix, too be honest. While you could
>> >pull the CA cert of the issuer and import it, I get an invalid issuer
>> >error when I pull up that URL in my browser, too. So updating your CA
>> >certs may not help either (unless Red Hat provides the root cert for
>> >whomever generated the cert for cdn.redhat.com).
>> >If you have a Red Hat support contract, I would open a ticket with this
>> >information and ask for their input.
>> >
>> >
>> >Sent from my Verizon, Samsung Galaxy smartphone
>> >-------- Original message --------From: "Irwin, Jeffrey"
>> ><***@rivertechllc.com> Date: 10/9/18 8:46 AM (GMT-05:00)
>> >To: Robert Paschedag <***@web.de>,
>> >spacewalk-***@redhat.com Subject: Re: [Spacewalk-list] RHEL repo sync
>> >error - CURL #60
>> >I have tried this with a local mirror repo......no dice, tried it with
>> >subscribed RHEL repo, no dice, trying to track this pesky cert issue.
>> >Will check out the man page and see, would be nice to see a more
>> >verbose indication of what cert it is trying to use, where it is, etc..
>> >________________________________________
>> >From: Robert Paschedag <***@web.de>
>> >Sent: Tuesday, October 9, 2018 8:41 AM
>> >To: spacewalk-***@redhat.com; Irwin, Jeffrey;
>> >spacewalk-***@redhat.com
>> >Subject: Re: [Spacewalk-list] RHEL repo sync error - CURL #60
>> >
>> >Am 9. Oktober 2018 14:04:25 MESZ schrieb "Irwin, Jeffrey"
>> ><***@rivertechllc.com>:
>> >>?Same issue I ma having, interested to see the solution.
>> >
>> >I think manpage of update-ca-certificates should help.
>> >
>> >Get the issuer cert, update the local CA certs and it should run (in
>> >case, there is no new rpm which updates the certs)
>> >
>> >Robert
>> >>
>> >>________________________________
>> >>From: spacewalk-list-***@redhat.com
>> >><spacewalk-list-***@redhat.com> on behalf of Raymond Setchfield
>> >><***@gmail.com>
>> >>Sent: Monday, October 8, 2018 6:47 AM
>> >>To: spacewalk-***@redhat.com
>> >>Subject: [Spacewalk-list] RHEL repo sync error - CURL #60
>> >>
>> >>Hi
>> >>
>> >>I have been attempting to pull the RHEL updates into spacewalk, and I
>> >>am receiving the following error;
>> >>
>> >># spacewalk-repo-sync -c rhel07-update
>> >>11:44:03 ======================================
>> >>11:44:03 | Channel: rhel07-update
>> >>11:44:03 ======================================
>> >>11:44:03 Sync of channel started.
>> >>11:44:03
>> >>11:44:03 Processing repository with URL:
>> >>https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
>> >>Repository group_spacewalkproject-java-packages is listed more than
>> >>once in the configuration
>> >>11:44:03 ERROR: failure: repodata/repomd.xml from rhel07-update.repo:
>> >>[Errno 256] No more mirrors to try.
>> >>
>> https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml
>> :
>> >>[Errno 14] curl#60 - "Peer's certificate issuer has been marked as not
>> >>trusted by the user."
>> >>11:44:03 Sync of channel completed in 0:00:00.
>> >>11:44:03 Total time: 0:00:00
>> >>
>> >>Looking into this it appears to be a certificate issue from what I can
>> >>gather. My assumption is to use the "redhat-uep.pem" Is this correct?
>> >>If so where do I place this to allow the curl to work? Or am I off in
>> >>the wrong direction
>> >>
>> >>Thanks
>> >>
>> >>Ray
>> >
>> >
>> >--
>> >sent from my mobile device
>> >
>> >_______________________________________________
>> >Spacewalk-list mailing list
>> >Spacewalk-***@redhat.com
>> >https://www.redhat.com/mailman/listinfo/spacewalk-list
>>
>> There is a self signed cert within the SSL path, which does not seem to
>> be on your cert parts.
>>
>> So download the certs via the browser (export root ca and intermediate
>> cas), put the in the "anchors" directory (where update-ca-trust or
>> update-ca-certificates wants them to be), update the certs... Then try
>> again.
>>
>> Robert
>> --
>> sent from my mobile device
>>
>
Raymond Setchfield
2018-10-09 15:55:48 UTC
Permalink
Have you got this working, Matt?

> On 9 Oct 2018, at 16:21, Matt Moldvan <***@moldvan.com> wrote:
>
> Oops, looks like my replies weren't making it to the mailing list (forgot to change the "From" option).
>
> Anyway, I intended to reply to the list and not just Robert...
>
>> On Tue, Oct 9, 2018 at 11:18 AM Matt Moldvan <***@gmail.com> wrote:
>> Yeah, makes sense. My point was that Red Hat expecting this to be done by it's customers is silly and they shouldn't be using self signed certs in the path and making their customers do extra work...
>>
>>> On Tue, Oct 9, 2018 at 9:50 AM Robert Paschedag <***@web.de> wrote:
>>> Am 9. Oktober 2018 15:24:55 MESZ schrieb sandwormusmc <***@gmail.com>:
>>> >Looks like an issue Red Hat should fix, too be honest. While you could
>>> >pull the CA cert of the issuer and import it, I get an invalid issuer
>>> >error when I pull up that URL in my browser, too. So updating your CA
>>> >certs may not help either (unless Red Hat provides the root cert for
>>> >whomever generated the cert for cdn.redhat.com).
>>> >If you have a Red Hat support contract, I would open a ticket with this
>>> >information and ask for their input.
>>> >
>>> >
>>> >Sent from my Verizon, Samsung Galaxy smartphone
>>> >-------- Original message --------From: "Irwin, Jeffrey"
>>> ><***@rivertechllc.com> Date: 10/9/18 8:46 AM (GMT-05:00)
>>> >To: Robert Paschedag <***@web.de>,
>>> >spacewalk-***@redhat.com Subject: Re: [Spacewalk-list] RHEL repo sync
>>> >error - CURL #60
>>> >I have tried this with a local mirror repo......no dice, tried it with
>>> >subscribed RHEL repo, no dice, trying to track this pesky cert issue.
>>> >Will check out the man page and see, would be nice to see a more
>>> >verbose indication of what cert it is trying to use, where it is, etc..
>>> >________________________________________
>>> >From: Robert Paschedag <***@web.de>
>>> >Sent: Tuesday, October 9, 2018 8:41 AM
>>> >To: spacewalk-***@redhat.com; Irwin, Jeffrey;
>>> >spacewalk-***@redhat.com
>>> >Subject: Re: [Spacewalk-list] RHEL repo sync error - CURL #60
>>> >
>>> >Am 9. Oktober 2018 14:04:25 MESZ schrieb "Irwin, Jeffrey"
>>> ><***@rivertechllc.com>:
>>> >>?Same issue I ma having, interested to see the solution.
>>> >
>>> >I think manpage of update-ca-certificates should help.
>>> >
>>> >Get the issuer cert, update the local CA certs and it should run (in
>>> >case, there is no new rpm which updates the certs)
>>> >
>>> >Robert
>>> >>
>>> >>________________________________
>>> >>From: spacewalk-list-***@redhat.com
>>> >><spacewalk-list-***@redhat.com> on behalf of Raymond Setchfield
>>> >><***@gmail.com>
>>> >>Sent: Monday, October 8, 2018 6:47 AM
>>> >>To: spacewalk-***@redhat.com
>>> >>Subject: [Spacewalk-list] RHEL repo sync error - CURL #60
>>> >>
>>> >>Hi
>>> >>
>>> >>I have been attempting to pull the RHEL updates into spacewalk, and I
>>> >>am receiving the following error;
>>> >>
>>> >># spacewalk-repo-sync -c rhel07-update
>>> >>11:44:03 ======================================
>>> >>11:44:03 | Channel: rhel07-update
>>> >>11:44:03 ======================================
>>> >>11:44:03 Sync of channel started.
>>> >>11:44:03
>>> >>11:44:03 Processing repository with URL:
>>> >>https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
>>> >>Repository group_spacewalkproject-java-packages is listed more than
>>> >>once in the configuration
>>> >>11:44:03 ERROR: failure: repodata/repomd.xml from rhel07-update.repo:
>>> >>[Errno 256] No more mirrors to try.
>>> >>https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml:
>>> >>[Errno 14] curl#60 - "Peer's certificate issuer has been marked as not
>>> >>trusted by the user."
>>> >>11:44:03 Sync of channel completed in 0:00:00.
>>> >>11:44:03 Total time: 0:00:00
>>> >>
>>> >>Looking into this it appears to be a certificate issue from what I can
>>> >>gather. My assumption is to use the "redhat-uep.pem" Is this correct?
>>> >>If so where do I place this to allow the curl to work? Or am I off in
>>> >>the wrong direction
>>> >>
>>> >>Thanks
>>> >>
>>> >>Ray
>>> >
>>> >
>>> >--
>>> >sent from my mobile device
>>> >
>>> >_______________________________________________
>>> >Spacewalk-list mailing list
>>> >Spacewalk-***@redhat.com
>>> >https://www.redhat.com/mailman/listinfo/spacewalk-list
>>>
>>> There is a self signed cert within the SSL path, which does not seem to be on your cert parts.
>>>
>>> So download the certs via the browser (export root ca and intermediate cas), put the in the "anchors" directory (where update-ca-trust or update-ca-certificates wants them to be), update the certs... Then try again.
>>>
>>> Robert
>>> --
>>> sent from my mobile device
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-***@redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
Matt Moldvan
2018-10-09 16:46:27 UTC
Permalink
No, unfortunately, I gave up on trying a long time ago, as it seemed like a
very hokey approach to first sync using reposync on additional VMs, run
createrepo, then add those as channels in Spacewalk. Due to that and other
cost saving initiatives, I gave up and changed our infrastructure to avoid
using RHEL as much as possible in favor of CentOS...

On Tue, Oct 9, 2018 at 11:55 AM Raymond Setchfield <
***@gmail.com> wrote:

> Have you got this working, Matt?
>
> On 9 Oct 2018, at 16:21, Matt Moldvan <***@moldvan.com> wrote:
>
> Oops, looks like my replies weren't making it to the mailing list (forgot
> to change the "From" option).
>
> Anyway, I intended to reply to the list and not just Robert...
>
> On Tue, Oct 9, 2018 at 11:18 AM Matt Moldvan <***@gmail.com>
> wrote:
>
>> Yeah, makes sense. My point was that Red Hat expecting this to be done
>> by it's customers is silly and they shouldn't be using self signed certs in
>> the path and making their customers do extra work...
>>
>> On Tue, Oct 9, 2018 at 9:50 AM Robert Paschedag <***@web.de>
>> wrote:
>>
>>> Am 9. Oktober 2018 15:24:55 MESZ schrieb sandwormusmc <
>>> ***@gmail.com>:
>>> >Looks like an issue Red Hat should fix, too be honest. While you could
>>> >pull the CA cert of the issuer and import it, I get an invalid issuer
>>> >error when I pull up that URL in my browser, too. So updating your CA
>>> >certs may not help either (unless Red Hat provides the root cert for
>>> >whomever generated the cert for cdn.redhat.com).
>>> >If you have a Red Hat support contract, I would open a ticket with this
>>> >information and ask for their input.
>>> >
>>> >
>>> >Sent from my Verizon, Samsung Galaxy smartphone
>>> >-------- Original message --------From: "Irwin, Jeffrey"
>>> ><***@rivertechllc.com> Date: 10/9/18 8:46 AM (GMT-05:00)
>>> >To: Robert Paschedag <***@web.de>,
>>> >spacewalk-***@redhat.com Subject: Re: [Spacewalk-list] RHEL repo sync
>>> >error - CURL #60
>>> >I have tried this with a local mirror repo......no dice, tried it with
>>> >subscribed RHEL repo, no dice, trying to track this pesky cert issue.
>>> >Will check out the man page and see, would be nice to see a more
>>> >verbose indication of what cert it is trying to use, where it is, etc..
>>> >________________________________________
>>> >From: Robert Paschedag <***@web.de>
>>> >Sent: Tuesday, October 9, 2018 8:41 AM
>>> >To: spacewalk-***@redhat.com; Irwin, Jeffrey;
>>> >spacewalk-***@redhat.com
>>> >Subject: Re: [Spacewalk-list] RHEL repo sync error - CURL #60
>>> >
>>> >Am 9. Oktober 2018 14:04:25 MESZ schrieb "Irwin, Jeffrey"
>>> ><***@rivertechllc.com>:
>>> >>?Same issue I ma having, interested to see the solution.
>>> >
>>> >I think manpage of update-ca-certificates should help.
>>> >
>>> >Get the issuer cert, update the local CA certs and it should run (in
>>> >case, there is no new rpm which updates the certs)
>>> >
>>> >Robert
>>> >>
>>> >>________________________________
>>> >>From: spacewalk-list-***@redhat.com
>>> >><spacewalk-list-***@redhat.com> on behalf of Raymond Setchfield
>>> >><***@gmail.com>
>>> >>Sent: Monday, October 8, 2018 6:47 AM
>>> >>To: spacewalk-***@redhat.com
>>> >>Subject: [Spacewalk-list] RHEL repo sync error - CURL #60
>>> >>
>>> >>Hi
>>> >>
>>> >>I have been attempting to pull the RHEL updates into spacewalk, and I
>>> >>am receiving the following error;
>>> >>
>>> >># spacewalk-repo-sync -c rhel07-update
>>> >>11:44:03 ======================================
>>> >>11:44:03 | Channel: rhel07-update
>>> >>11:44:03 ======================================
>>> >>11:44:03 Sync of channel started.
>>> >>11:44:03
>>> >>11:44:03 Processing repository with URL:
>>> >>https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
>>> >>Repository group_spacewalkproject-java-packages is listed more than
>>> >>once in the configuration
>>> >>11:44:03 ERROR: failure: repodata/repomd.xml from rhel07-update.repo:
>>> >>[Errno 256] No more mirrors to try.
>>> >>
>>> https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml
>>> :
>>> >>[Errno 14] curl#60 - "Peer's certificate issuer has been marked as not
>>> >>trusted by the user."
>>> >>11:44:03 Sync of channel completed in 0:00:00.
>>> >>11:44:03 Total time: 0:00:00
>>> >>
>>> >>Looking into this it appears to be a certificate issue from what I can
>>> >>gather. My assumption is to use the "redhat-uep.pem" Is this correct?
>>> >>If so where do I place this to allow the curl to work? Or am I off in
>>> >>the wrong direction
>>> >>
>>> >>Thanks
>>> >>
>>> >>Ray
>>> >
>>> >
>>> >--
>>> >sent from my mobile device
>>> >
>>> >_______________________________________________
>>> >Spacewalk-list mailing list
>>> >Spacewalk-***@redhat.com
>>> >https://www.redhat.com/mailman/listinfo/spacewalk-list
>>>
>>> There is a self signed cert within the SSL path, which does not seem to
>>> be on your cert parts.
>>>
>>> So download the certs via the browser (export root ca and intermediate
>>> cas), put the in the "anchors" directory (where update-ca-trust or
>>> update-ca-certificates wants them to be), update the certs... Then try
>>> again.
>>>
>>> Robert
>>> --
>>> sent from my mobile device
>>>
>> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-***@redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
>
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-***@redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
Robert Paschedag
2018-10-09 18:33:25 UTC
Permalink
Am 9. Oktober 2018 18:46:27 MESZ schrieb Matt Moldvan <***@moldvan.com>:
>No, unfortunately, I gave up on trying a long time ago, as it seemed
>like a
>very hokey approach to first sync using reposync on additional VMs, run
>createrepo, then add those as channels in Spacewalk. Due to that and
>other
>cost saving initiatives, I gave up and changed our infrastructure to
>avoid
>using RHEL as much as possible in favor of CentOS...

I'm pretty sure, that all red hat customers here with this "SSL cert error" or "403 error" while syncing repos are mixing those errors.

Note: I'm not a red hat customer. But as far as I know, red hat uses SSL certificates to identify customers and grant access to the repos.

So if the access to the repos returns "403" (suddenly), maybe your subscription expired. So you might need to refresh these certificates. (Again, I'm not sure).

The SSL validation error (curl) is something "general".

And, I also thought, that there are rpms within the red hat repos, that contain these CA certs that are used on their Webservers so the customers do *not* get these "curl" errors.

Robert
>
>On Tue, Oct 9, 2018 at 11:55 AM Raymond Setchfield <
>***@gmail.com> wrote:
>
>> Have you got this working, Matt?
>>
>> On 9 Oct 2018, at 16:21, Matt Moldvan <***@moldvan.com> wrote:
>>
>> Oops, looks like my replies weren't making it to the mailing list
>(forgot
>> to change the "From" option).
>>
>> Anyway, I intended to reply to the list and not just Robert...
>>
>> On Tue, Oct 9, 2018 at 11:18 AM Matt Moldvan <***@gmail.com>
>> wrote:
>>
>>> Yeah, makes sense. My point was that Red Hat expecting this to be
>done
>>> by it's customers is silly and they shouldn't be using self signed
>certs in
>>> the path and making their customers do extra work...
>>>
>>> On Tue, Oct 9, 2018 at 9:50 AM Robert Paschedag
><***@web.de>
>>> wrote:
>>>
>>>> Am 9. Oktober 2018 15:24:55 MESZ schrieb sandwormusmc <
>>>> ***@gmail.com>:
>>>> >Looks like an issue Red Hat should fix, too be honest. While you
>could
>>>> >pull the CA cert of the issuer and import it, I get an invalid
>issuer
>>>> >error when I pull up that URL in my browser, too. So updating
>your CA
>>>> >certs may not help either (unless Red Hat provides the root cert
>for
>>>> >whomever generated the cert for cdn.redhat.com).
>>>> >If you have a Red Hat support contract, I would open a ticket with
>this
>>>> >information and ask for their input.
>>>> >
>>>> >
>>>> >Sent from my Verizon, Samsung Galaxy smartphone
>>>> >-------- Original message --------From: "Irwin, Jeffrey"
>>>> ><***@rivertechllc.com> Date: 10/9/18 8:46 AM
>(GMT-05:00)
>>>> >To: Robert Paschedag <***@web.de>,
>>>> >spacewalk-***@redhat.com Subject: Re: [Spacewalk-list] RHEL repo
>sync
>>>> >error - CURL #60
>>>> >I have tried this with a local mirror repo......no dice, tried it
>with
>>>> >subscribed RHEL repo, no dice, trying to track this pesky cert
>issue.
>>>> >Will check out the man page and see, would be nice to see a more
>>>> >verbose indication of what cert it is trying to use, where it is,
>etc..
>>>> >________________________________________
>>>> >From: Robert Paschedag <***@web.de>
>>>> >Sent: Tuesday, October 9, 2018 8:41 AM
>>>> >To: spacewalk-***@redhat.com; Irwin, Jeffrey;
>>>> >spacewalk-***@redhat.com
>>>> >Subject: Re: [Spacewalk-list] RHEL repo sync error - CURL #60
>>>> >
>>>> >Am 9. Oktober 2018 14:04:25 MESZ schrieb "Irwin, Jeffrey"
>>>> ><***@rivertechllc.com>:
>>>> >>?Same issue I ma having, interested to see the solution.
>>>> >
>>>> >I think manpage of update-ca-certificates should help.
>>>> >
>>>> >Get the issuer cert, update the local CA certs and it should run
>(in
>>>> >case, there is no new rpm which updates the certs)
>>>> >
>>>> >Robert
>>>> >>
>>>> >>________________________________
>>>> >>From: spacewalk-list-***@redhat.com
>>>> >><spacewalk-list-***@redhat.com> on behalf of Raymond
>Setchfield
>>>> >><***@gmail.com>
>>>> >>Sent: Monday, October 8, 2018 6:47 AM
>>>> >>To: spacewalk-***@redhat.com
>>>> >>Subject: [Spacewalk-list] RHEL repo sync error - CURL #60
>>>> >>
>>>> >>Hi
>>>> >>
>>>> >>I have been attempting to pull the RHEL updates into spacewalk,
>and I
>>>> >>am receiving the following error;
>>>> >>
>>>> >># spacewalk-repo-sync -c rhel07-update
>>>> >>11:44:03 ======================================
>>>> >>11:44:03 | Channel: rhel07-update
>>>> >>11:44:03 ======================================
>>>> >>11:44:03 Sync of channel started.
>>>> >>11:44:03
>>>> >>11:44:03 Processing repository with URL:
>>>>
>>>https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
>>>> >>Repository group_spacewalkproject-java-packages is listed more
>than
>>>> >>once in the configuration
>>>> >>11:44:03 ERROR: failure: repodata/repomd.xml from
>rhel07-update.repo:
>>>> >>[Errno 256] No more mirrors to try.
>>>> >>
>>>>
>https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml
>>>> :
>>>> >>[Errno 14] curl#60 - "Peer's certificate issuer has been marked
>as not
>>>> >>trusted by the user."
>>>> >>11:44:03 Sync of channel completed in 0:00:00.
>>>> >>11:44:03 Total time: 0:00:00
>>>> >>
>>>> >>Looking into this it appears to be a certificate issue from what
>I can
>>>> >>gather. My assumption is to use the "redhat-uep.pem" Is this
>correct?
>>>> >>If so where do I place this to allow the curl to work? Or am I
>off in
>>>> >>the wrong direction
>>>> >>
>>>> >>Thanks
>>>> >>
>>>> >>Ray
>>>> >
>>>> >
>>>> >--
>>>> >sent from my mobile device
>>>> >
>>>> >_______________________________________________
>>>> >Spacewalk-list mailing list
>>>> >Spacewalk-***@redhat.com
>>>> >https://www.redhat.com/mailman/listinfo/spacewalk-list
>>>>
>>>> There is a self signed cert within the SSL path, which does not
>seem to
>>>> be on your cert parts.
>>>>
>>>> So download the certs via the browser (export root ca and
>intermediate
>>>> cas), put the in the "anchors" directory (where update-ca-trust or
>>>> update-ca-certificates wants them to be), update the certs... Then
>try
>>>> again.
>>>>
>>>> Robert
>>>> --
>>>> sent from my mobile device
>>>>
>>> _______________________________________________
>> Spacewalk-list mailing list
>> Spacewalk-***@redhat.com
>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>
>> _______________________________________________
>> Spacewalk-list mailing list
>> Spacewalk-***@redhat.com
>> https://www.redhat.com/mailman/listinfo/spacewalk-list


--
sent from my mobile device
Raymond Setchfield
2018-10-09 19:01:18 UTC
Permalink
Hi Robert

Thanks for the reply.

For me the RHEL subscriptions are brand new and therefore I don’t think that this is the problem.

I’ll look further into the SSL issue though, as that would potentially make sense. I thought it was just done through the subscription manager using username and password.

Ray

> On 9 Oct 2018, at 19:33, Robert Paschedag <***@web.de> wrote:
>
> Am 9. Oktober 2018 18:46:27 MESZ schrieb Matt Moldvan <***@moldvan.com>:
>> No, unfortunately, I gave up on trying a long time ago, as it seemed
>> like a
>> very hokey approach to first sync using reposync on additional VMs, run
>> createrepo, then add those as channels in Spacewalk. Due to that and
>> other
>> cost saving initiatives, I gave up and changed our infrastructure to
>> avoid
>> using RHEL as much as possible in favor of CentOS...
>
> I'm pretty sure, that all red hat customers here with this "SSL cert error" or "403 error" while syncing repos are mixing those errors.
>
> Note: I'm not a red hat customer. But as far as I know, red hat uses SSL certificates to identify customers and grant access to the repos.
>
> So if the access to the repos returns "403" (suddenly), maybe your subscription expired. So you might need to refresh these certificates. (Again, I'm not sure).
>
> The SSL validation error (curl) is something "general".
>
> And, I also thought, that there are rpms within the red hat repos, that contain these CA certs that are used on their Webservers so the customers do *not* get these "curl" errors.
>
> Robert
>>
>> On Tue, Oct 9, 2018 at 11:55 AM Raymond Setchfield <
>> ***@gmail.com> wrote:
>>
>>> Have you got this working, Matt?
>>>
>>> On 9 Oct 2018, at 16:21, Matt Moldvan <***@moldvan.com> wrote:
>>>
>>> Oops, looks like my replies weren't making it to the mailing list
>> (forgot
>>> to change the "From" option).
>>>
>>> Anyway, I intended to reply to the list and not just Robert...
>>>
>>> On Tue, Oct 9, 2018 at 11:18 AM Matt Moldvan <***@gmail.com>
>>> wrote:
>>>
>>>> Yeah, makes sense. My point was that Red Hat expecting this to be
>> done
>>>> by it's customers is silly and they shouldn't be using self signed
>> certs in
>>>> the path and making their customers do extra work...
>>>>
>>>> On Tue, Oct 9, 2018 at 9:50 AM Robert Paschedag
>> <***@web.de>
>>>> wrote:
>>>>
>>>>> Am 9. Oktober 2018 15:24:55 MESZ schrieb sandwormusmc <
>>>>> ***@gmail.com>:
>>>>>> Looks like an issue Red Hat should fix, too be honest. While you
>> could
>>>>>> pull the CA cert of the issuer and import it, I get an invalid
>> issuer
>>>>>> error when I pull up that URL in my browser, too. So updating
>> your CA
>>>>>> certs may not help either (unless Red Hat provides the root cert
>> for
>>>>>> whomever generated the cert for cdn.redhat.com).
>>>>>> If you have a Red Hat support contract, I would open a ticket with
>> this
>>>>>> information and ask for their input.
>>>>>>
>>>>>>
>>>>>> Sent from my Verizon, Samsung Galaxy smartphone
>>>>>> -------- Original message --------From: "Irwin, Jeffrey"
>>>>>> <***@rivertechllc.com> Date: 10/9/18 8:46 AM
>> (GMT-05:00)
>>>>>> To: Robert Paschedag <***@web.de>,
>>>>>> spacewalk-***@redhat.com Subject: Re: [Spacewalk-list] RHEL repo
>> sync
>>>>>> error - CURL #60
>>>>>> I have tried this with a local mirror repo......no dice, tried it
>> with
>>>>>> subscribed RHEL repo, no dice, trying to track this pesky cert
>> issue.
>>>>>> Will check out the man page and see, would be nice to see a more
>>>>>> verbose indication of what cert it is trying to use, where it is,
>> etc..
>>>>>> ________________________________________
>>>>>> From: Robert Paschedag <***@web.de>
>>>>>> Sent: Tuesday, October 9, 2018 8:41 AM
>>>>>> To: spacewalk-***@redhat.com; Irwin, Jeffrey;
>>>>>> spacewalk-***@redhat.com
>>>>>> Subject: Re: [Spacewalk-list] RHEL repo sync error - CURL #60
>>>>>>
>>>>>> Am 9. Oktober 2018 14:04:25 MESZ schrieb "Irwin, Jeffrey"
>>>>>> <***@rivertechllc.com>:
>>>>>>> ?Same issue I ma having, interested to see the solution.
>>>>>>
>>>>>> I think manpage of update-ca-certificates should help.
>>>>>>
>>>>>> Get the issuer cert, update the local CA certs and it should run
>> (in
>>>>>> case, there is no new rpm which updates the certs)
>>>>>>
>>>>>> Robert
>>>>>>>
>>>>>>> ________________________________
>>>>>>> From: spacewalk-list-***@redhat.com
>>>>>>> <spacewalk-list-***@redhat.com> on behalf of Raymond
>> Setchfield
>>>>>>> <***@gmail.com>
>>>>>>> Sent: Monday, October 8, 2018 6:47 AM
>>>>>>> To: spacewalk-***@redhat.com
>>>>>>> Subject: [Spacewalk-list] RHEL repo sync error - CURL #60
>>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> I have been attempting to pull the RHEL updates into spacewalk,
>> and I
>>>>>>> am receiving the following error;
>>>>>>>
>>>>>>> # spacewalk-repo-sync -c rhel07-update
>>>>>>> 11:44:03 ======================================
>>>>>>> 11:44:03 | Channel: rhel07-update
>>>>>>> 11:44:03 ======================================
>>>>>>> 11:44:03 Sync of channel started.
>>>>>>> 11:44:03
>>>>>>> 11:44:03 Processing repository with URL:
>>>>>
>>>> https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
>>>>>>> Repository group_spacewalkproject-java-packages is listed more
>> than
>>>>>>> once in the configuration
>>>>>>> 11:44:03 ERROR: failure: repodata/repomd.xml from
>> rhel07-update.repo:
>>>>>>> [Errno 256] No more mirrors to try.
>>>>>>>
>>>>>
>> https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml
>>>>> :
>>>>>>> [Errno 14] curl#60 - "Peer's certificate issuer has been marked
>> as not
>>>>>>> trusted by the user."
>>>>>>> 11:44:03 Sync of channel completed in 0:00:00.
>>>>>>> 11:44:03 Total time: 0:00:00
>>>>>>>
>>>>>>> Looking into this it appears to be a certificate issue from what
>> I can
>>>>>>> gather. My assumption is to use the "redhat-uep.pem" Is this
>> correct?
>>>>>>> If so where do I place this to allow the curl to work? Or am I
>> off in
>>>>>>> the wrong direction
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Ray
>>>>>>
>>>>>>
>>>>>> --
>>>>>> sent from my mobile device
>>>>>>
>>>>>> _______________________________________________
>>>>>> Spacewalk-list mailing list
>>>>>> Spacewalk-***@redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>>>>
>>>>> There is a self signed cert within the SSL path, which does not
>> seem to
>>>>> be on your cert parts.
>>>>>
>>>>> So download the certs via the browser (export root ca and
>> intermediate
>>>>> cas), put the in the "anchors" directory (where update-ca-trust or
>>>>> update-ca-certificates wants them to be), update the certs... Then
>> try
>>>>> again.
>>>>>
>>>>> Robert
>>>>> --
>>>>> sent from my mobile device
>>>>>
>>>> _______________________________________________
>>> Spacewalk-list mailing list
>>> Spacewalk-***@redhat.com
>>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>>
>>> _______________________________________________
>>> Spacewalk-list mailing list
>>> Spacewalk-***@redhat.com
>>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>
>
> --
> sent from my mobile device
>
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-***@redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
Robert Paschedag
2018-10-10 05:03:25 UTC
Permalink
Am 9. Oktober 2018 21:01:18 MESZ schrieb Raymond Setchfield <***@gmail.com>:
>Hi Robert
>
>Thanks for the reply.
>
>For me the RHEL subscriptions are brand new and therefore I don’t think
>that this is the problem.
>
>I’ll look further into the SSL issue though, as that would potentially
>make sense. I thought it was just done through the subscription manager
>using username and password.
>
>Ray

Does this not help?

https://access.redhat.com/solutions/189533

Robert
>
>> On 9 Oct 2018, at 19:33, Robert Paschedag <***@web.de>
>wrote:
>>
>> Am 9. Oktober 2018 18:46:27 MESZ schrieb Matt Moldvan
><***@moldvan.com>:
>>> No, unfortunately, I gave up on trying a long time ago, as it seemed
>>> like a
>>> very hokey approach to first sync using reposync on additional VMs,
>run
>>> createrepo, then add those as channels in Spacewalk. Due to that
>and
>>> other
>>> cost saving initiatives, I gave up and changed our infrastructure to
>>> avoid
>>> using RHEL as much as possible in favor of CentOS...
>>
>> I'm pretty sure, that all red hat customers here with this "SSL cert
>error" or "403 error" while syncing repos are mixing those errors.
>>
>> Note: I'm not a red hat customer. But as far as I know, red hat uses
>SSL certificates to identify customers and grant access to the repos.
>>
>> So if the access to the repos returns "403" (suddenly), maybe your
>subscription expired. So you might need to refresh these certificates.
>(Again, I'm not sure).
>>
>> The SSL validation error (curl) is something "general".
>>
>> And, I also thought, that there are rpms within the red hat repos,
>that contain these CA certs that are used on their Webservers so the
>customers do *not* get these "curl" errors.
>>
>> Robert
>>>
>>> On Tue, Oct 9, 2018 at 11:55 AM Raymond Setchfield <
>>> ***@gmail.com> wrote:
>>>
>>>> Have you got this working, Matt?
>>>>
>>>> On 9 Oct 2018, at 16:21, Matt Moldvan <***@moldvan.com> wrote:
>>>>
>>>> Oops, looks like my replies weren't making it to the mailing list
>>> (forgot
>>>> to change the "From" option).
>>>>
>>>> Anyway, I intended to reply to the list and not just Robert...
>>>>
>>>> On Tue, Oct 9, 2018 at 11:18 AM Matt Moldvan
><***@gmail.com>
>>>> wrote:
>>>>
>>>>> Yeah, makes sense. My point was that Red Hat expecting this to be
>>> done
>>>>> by it's customers is silly and they shouldn't be using self signed
>>> certs in
>>>>> the path and making their customers do extra work...
>>>>>
>>>>> On Tue, Oct 9, 2018 at 9:50 AM Robert Paschedag
>>> <***@web.de>
>>>>> wrote:
>>>>>
>>>>>> Am 9. Oktober 2018 15:24:55 MESZ schrieb sandwormusmc <
>>>>>> ***@gmail.com>:
>>>>>>> Looks like an issue Red Hat should fix, too be honest. While
>you
>>> could
>>>>>>> pull the CA cert of the issuer and import it, I get an invalid
>>> issuer
>>>>>>> error when I pull up that URL in my browser, too. So updating
>>> your CA
>>>>>>> certs may not help either (unless Red Hat provides the root cert
>>> for
>>>>>>> whomever generated the cert for cdn.redhat.com).
>>>>>>> If you have a Red Hat support contract, I would open a ticket
>with
>>> this
>>>>>>> information and ask for their input.
>>>>>>>
>>>>>>>
>>>>>>> Sent from my Verizon, Samsung Galaxy smartphone
>>>>>>> -------- Original message --------From: "Irwin, Jeffrey"
>>>>>>> <***@rivertechllc.com> Date: 10/9/18 8:46 AM
>>> (GMT-05:00)
>>>>>>> To: Robert Paschedag <***@web.de>,
>>>>>>> spacewalk-***@redhat.com Subject: Re: [Spacewalk-list] RHEL
>repo
>>> sync
>>>>>>> error - CURL #60
>>>>>>> I have tried this with a local mirror repo......no dice, tried
>it
>>> with
>>>>>>> subscribed RHEL repo, no dice, trying to track this pesky cert
>>> issue.
>>>>>>> Will check out the man page and see, would be nice to see a more
>>>>>>> verbose indication of what cert it is trying to use, where it
>is,
>>> etc..
>>>>>>> ________________________________________
>>>>>>> From: Robert Paschedag <***@web.de>
>>>>>>> Sent: Tuesday, October 9, 2018 8:41 AM
>>>>>>> To: spacewalk-***@redhat.com; Irwin, Jeffrey;
>>>>>>> spacewalk-***@redhat.com
>>>>>>> Subject: Re: [Spacewalk-list] RHEL repo sync error - CURL #60
>>>>>>>
>>>>>>> Am 9. Oktober 2018 14:04:25 MESZ schrieb "Irwin, Jeffrey"
>>>>>>> <***@rivertechllc.com>:
>>>>>>>> ?Same issue I ma having, interested to see the solution.
>>>>>>>
>>>>>>> I think manpage of update-ca-certificates should help.
>>>>>>>
>>>>>>> Get the issuer cert, update the local CA certs and it should run
>>> (in
>>>>>>> case, there is no new rpm which updates the certs)
>>>>>>>
>>>>>>> Robert
>>>>>>>>
>>>>>>>> ________________________________
>>>>>>>> From: spacewalk-list-***@redhat.com
>>>>>>>> <spacewalk-list-***@redhat.com> on behalf of Raymond
>>> Setchfield
>>>>>>>> <***@gmail.com>
>>>>>>>> Sent: Monday, October 8, 2018 6:47 AM
>>>>>>>> To: spacewalk-***@redhat.com
>>>>>>>> Subject: [Spacewalk-list] RHEL repo sync error - CURL #60
>>>>>>>>
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> I have been attempting to pull the RHEL updates into spacewalk,
>>> and I
>>>>>>>> am receiving the following error;
>>>>>>>>
>>>>>>>> # spacewalk-repo-sync -c rhel07-update
>>>>>>>> 11:44:03 ======================================
>>>>>>>> 11:44:03 | Channel: rhel07-update
>>>>>>>> 11:44:03 ======================================
>>>>>>>> 11:44:03 Sync of channel started.
>>>>>>>> 11:44:03
>>>>>>>> 11:44:03 Processing repository with URL:
>>>>>>
>>>>>
>https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
>>>>>>>> Repository group_spacewalkproject-java-packages is listed more
>>> than
>>>>>>>> once in the configuration
>>>>>>>> 11:44:03 ERROR: failure: repodata/repomd.xml from
>>> rhel07-update.repo:
>>>>>>>> [Errno 256] No more mirrors to try.
>>>>>>>>
>>>>>>
>>>
>https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os/repodata/repomd.xml
>>>>>> :
>>>>>>>> [Errno 14] curl#60 - "Peer's certificate issuer has been marked
>>> as not
>>>>>>>> trusted by the user."
>>>>>>>> 11:44:03 Sync of channel completed in 0:00:00.
>>>>>>>> 11:44:03 Total time: 0:00:00
>>>>>>>>
>>>>>>>> Looking into this it appears to be a certificate issue from
>what
>>> I can
>>>>>>>> gather. My assumption is to use the "redhat-uep.pem" Is this
>>> correct?
>>>>>>>> If so where do I place this to allow the curl to work? Or am I
>>> off in
>>>>>>>> the wrong direction
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> Ray
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> sent from my mobile device
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Spacewalk-list mailing list
>>>>>>> Spacewalk-***@redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>>>>>
>>>>>> There is a self signed cert within the SSL path, which does not
>>> seem to
>>>>>> be on your cert parts.
>>>>>>
>>>>>> So download the certs via the browser (export root ca and
>>> intermediate
>>>>>> cas), put the in the "anchors" directory (where update-ca-trust
>or
>>>>>> update-ca-certificates wants them to be), update the certs...
>Then
>>> try
>>>>>> again.
>>>>>>
>>>>>> Robert
>>>>>> --
>>>>>> sent from my mobile device
>>>>>>
>>>>> _______________________________________________
>>>> Spacewalk-list mailing list
>>>> Spacewalk-***@redhat.com
>>>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>>>
>>>> _______________________________________________
>>>> Spacewalk-list mailing list
>>>> Spacewalk-***@redhat.com
>>>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>>
>>
>> --
>> sent from my mobile device
>>
>> _______________________________________________
>> Spacewalk-list mailing list
>> Spacewalk-***@redhat.com
>> https://www.redhat.com/mailman/listinfo/spacewalk-list
>
>_______________________________________________
>Spacewalk-list mailing list
>Spacewalk-***@redhat.com
>https://www.redhat.com/mailman/listinfo/spacewalk-list


--
sent from my mobile device
Loading...