certificate error when trying to connect to local yum mirror

I've created a local yum mirror on a host inside my network. The reposync is working correctly, but when I attempt to connect to the local mirror I get the following error:
# yum repolist
Loaded plugins: changelog, downloadonly, presto, refresh-packagekit, rhnplugin, security, tmprepo, verify, versionlock
The certificate /usr/share/rhn/ULN-CA-CERT is expired. Please ensure you have the correct certificate and your system time is correct.
The time is synced to a local NTP server, so I know that is not the issue.
I believe it's related to /etc/sysconfig/rhn/up2date, specifically the following stanzas:
serverURL[comment]=Remote server URL (use FQDN)
serverURL=https://local_repo/XMLRPC
sslCACert[comment]=The CA cert used to verify the ssl server
sslCACert=/usr/share/rhn/ULN-CA-CERT
Answers
-
Avi Miller-Oracle (Senior Solution Architect, Oracle Cloud Infrastructure Developer Adoption, Melbourne, Australia; Oracle employee):
Why did you change the serverURL in that file? It's only ever used to connect to ULN and should never point to a local repository. You're getting a certificate error because the ULN-CA-CERT wouldn't match the CA certificate used by your local repository (which probably wouldn't respond to XMLRPC calls anyway).
Essentially, that file is used by up2date (on OL5) or yum-rhn-plugin (on OL5 and OL6) to connect to ULN. If you have a local repository, you need to configure it via a .repo file in /etc/yum.repos.d/
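The .repo file Avi describes, written out by a small script, as an added example that is not from the thread. It also adds a check the thread does not spell out: a local mirror is served over plain HTTP, so the client should keep gpgcheck=1 with the vendor signing key already on disk; otherwise whoever can tamper with the mirror (or the path to it) can feed the client arbitrary RPMs. The repo id, the mirror URL and the key path /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle are assumptions; use the key file shipped with your release.

```shell
#!/bin/sh
# Added example, not from the original thread. Writes a yum .repo stanza for a
# local mirror and lints .repo files so gpgcheck is never silently disabled.
# Assumed: the mirror is plain HTTP and the Oracle Linux signing key is at
# /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle (adjust for your release).

GPG_KEY_PATH="${GPG_KEY_PATH:-/etc/pki/rpm-gpg/RPM-GPG-KEY-oracle}"

# write_local_repo ID NAME BASEURL OUTFILE
# Packages come from the local mirror, but signature verification still uses
# the vendor key on disk, so a tampered mirror cannot push unsigned RPMs.
write_local_repo() {
    repoid=$1; name=$2; baseurl=$3; out=$4
    cat >"$out" <<EOF
[$repoid]
name=$name
baseurl=$baseurl
enabled=1
gpgcheck=1
gpgkey=file://$GPG_KEY_PATH
EOF
}

# repo_gpg_ok FILE
# Exit 0 if every [section] in FILE has gpgcheck=1 and a gpgkey; otherwise
# print the offending section names, one per line, and exit 1.
repo_gpg_ok() {
    awk '
        function flush() {
            if (sec != "" && !(gpgcheck == "1" && gpgkey != "")) { print sec; bad = 1 }
        }
        /^\[.*\]$/ { flush(); sec = $0; gpgcheck = ""; gpgkey = ""; next }
        /^gpgcheck[ \t]*=/ { v = $0; sub(/^[^=]*=[ \t]*/, "", v); gpgcheck = v }
        /^gpgkey[ \t]*=/   { v = $0; sub(/^[^=]*=[ \t]*/, "", v); gpgkey = v }
        END { flush(); exit (bad ? 1 : 0) }
    ' "$1"
}

# Usage (hypothetical mirror host "localrepo"):
#   write_local_repo local_ol6_latest "Oracle Linux 6 Latest (local mirror)" \
#       http://localrepo/yum/OracleLinux/OL6/latest/x86_64 /etc/yum.repos.d/local.repo
#   for f in /etc/yum.repos.d/*.repo; do repo_gpg_ok "$f" || echo "gpgcheck off in $f"; done
```

Running repo_gpg_ok over every file in /etc/yum.repos.d/ is a cheap thing to put in a config-management check; a mirror with gpgcheck=0 is the usual way people quietly trade away package integrity for convenience.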
-
OK, I was able to resolve this issue. Now I have another.
When attempting to connect to the local repo server I get the following errors, even in wget.
# yum repolist
Loaded plugins: changelog, downloadonly, presto, refresh-packagekit, rhnplugin, security, tmprepo, verify, versionlock
There was an error communicating with ULN.
ULN support will be disabled.
Error communicating with server. The message was:
Unable to connect to the host and port specified
http://localrepo/yum/OracleLinux/OL6/ga/base/x86_64/repodata/repomd.xml: [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 403 Forbidden"
Trying other mirror.
repo id repo name status
local_ol6_ga_base Oracle Linux 6Server GA installation media copy (x86_64) 0
local_ol6_latest Oracle Linux 6Server Latest (x86_64) 0
local_ol6_u1_base Oracle Linux 6Server Update 1 installation media copy (x86_64) 0
local_ol6_u2_base Oracle Linux 6Server Update 2 installation media copy (x86_64) 0
local_ol6_u3_base Oracle Linux 6Server Update 3 installation media copy (x86_64) 0
local_ol6_u4_base Oracle Linux 6Server Update 4 installation media copy (x86_64) 0
local_ol6_u5_base Oracle Linux 6Server Update 5 installation media copy (x86_64) 0
repolist: 0
# wget http://localrepo.localdomain.com/yum/OracleLinux/OL6/ga/base/x86_64/repodata/repomd.xml
--2014-04-01 10:28:16-- http://localrepo.localdomain.com/yum/OracleLinux/OL6/ga/base/x86_64/repodata/repomd.xml
Resolving localrepo.localdomain.com... 1.1.1.1
Connecting to localrepo.localdomain.com|1.1.1.1:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2014-04-01 10:28:16 ERROR 403: Forbidden.
Firewalls on both machines are set to allow ssh, https and http.
Proxies are bypassed between the servers.
The files are all chmodded 755.
-
Avi Miller-Oracle:
The web server on localrepo.localdomain is not able to read the files to deliver them via HTTP. If you check /var/log/httpd/access_log on that system, you'll find the same 403 (Permission Denied) error. You need to ensure that the httpd user on the web server is able to read the files. I usually do this by chown'ing the files to apache:apache and using the following commands to allow read access:
# cd /var/www/html
# chown -R apache:apache *
# find . -type d -exec chmod 755 {} \;
# find . -type f -exec chmod 644 {} \;
This will switch ownership to the Apache user and then set all directories to 755 and all files to 644. You will need to do your own analysis to determine if this is the appropriate solution for you.
-
It may also be necessary to either disable SELinux or configure the policy to allow the http server to read the files.
-
Avi Miller-Oracle:
Yes, good point. I always forget to mention SELinux because I always disable it immediately after install.
-
Me too. But just in case, here is the command:
chcon -R -L -t httpd_sys_content_t /path/to/files
-
I think both answers fixed it. Thanks again. A follow-on question: am I going to have to do this every time I refresh the mirror?
-
Avi Miller-Oracle:
If you disable SELinux, then no. If you want to retain SELinux, then I would create a wrapper script that runs uln-yum-mirror and then runs the SELinux policy update on the files afterwards.
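A wrapper of the kind Avi suggests, added here as an example and not taken from the thread. It assumes the mirror lives under /var/www/html/yum, httpd runs as the apache user and uln-yum-mirror is the sync command (all three overridable through environment variables). It applies the ownership and mode fix from the earlier post, then registers a persistent file context with semanage fcontext and runs restorecon instead of a one-off chcon, so the httpd_sys_content_t label survives a later relabel, and it ends with the readability check that would have caught the 403 in the posts above.

```shell
#!/bin/sh
# Added example, not from the original thread. Post-sync fixup to run after
# uln-yum-mirror (or reposync) so freshly downloaded files are readable by
# httpd and keep the httpd_sys_content_t SELinux label.
# Assumed: mirror under /var/www/html/yum, httpd user "apache", and the
# standard SELinux tools (selinuxenabled, semanage, restorecon) installed.

MIRROR_ROOT="${MIRROR_ROOT:-/var/www/html/yum}"
WEB_USER="${WEB_USER:-apache}"
MIRROR_CMD="${MIRROR_CMD:-uln-yum-mirror}"

# fix_perms DIR: directories 755, files 644, owned by the web user when we
# run as root and that user exists. The world-readable modes are what lets
# httpd read the tree; ownership is a convenience on top of that.
fix_perms() {
    dir=$1
    if [ "$(id -u)" -eq 0 ] && id -u "$WEB_USER" >/dev/null 2>&1; then
        chown -R "$WEB_USER:$WEB_USER" "$dir"
    fi
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
}

# relabel DIR: record a persistent file context and apply it. A semanage
# rule, unlike a one-off chcon, is reapplied by any later restorecon.
# No-op on hosts where SELinux is absent or disabled.
relabel() {
    dir=$1
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled || return 0
    # "already defined" on the second run is harmless, hence the || true
    semanage fcontext -a -t httpd_sys_content_t "$dir(/.*)?" 2>/dev/null || true
    restorecon -R "$dir"
}

# count_unreadable DIR: number of files not world-readable plus directories
# not world-traversable under DIR, i.e. what httpd would answer 403 for.
count_unreadable() {
    dir=$1
    { find "$dir" -type f ! -perm -004; find "$dir" -type d ! -perm -005; } | wc -l | tr -d ' '
}

# sync_and_fix: run the mirror sync, then fix modes, labels and verify.
sync_and_fix() {
    "$MIRROR_CMD" || return $?
    fix_perms "$MIRROR_ROOT"
    relabel "$MIRROR_ROOT"
    left=$(count_unreadable "$MIRROR_ROOT")
    [ "$left" -eq 0 ] || { echo "warning: $left paths still unreadable under $MIRROR_ROOT" >&2; return 1; }
}

# Usage (from cron, as root): MIRROR_ROOT=/var/www/html/yum sh mirror-wrapper.sh
# sync_and_fix
```

Because semanage fcontext stores the rule in the policy, a later full relabel or `restorecon -R /var/www` keeps the mirror serviceable; a tree labelled only with chcon loses its label the first time that happens. The final count is worth keeping: a mirror that quietly serves 403 for one update directory is exactly the failure mode in this thread.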
-
People who are into security will always consider SELinux a must. I guess nobody can really give you advice on how to deal with it, but you can try to think about the possible risks or benefits in your specific configuration or environment.
Every piece of software has bugs or will have bugs and the same applies to SELinux, which was initially developed by the NSA. If anything does not work as expected and you have SELinux set to enforcing or permissive, then you will always have to consider a problem with it. On the other hand it can provide more security if you are providing public internet services and remote access. It is however no substitute for keeping your system up to date.
-
ARGH, this is maddening... So I got the local repository configured and updating, and I've got the local client configured, but when I run any command against the local mirror I get a long wait and an error that it can't connect to ULN, saying that it's trying another mirror, and then it happily goes on its way. Except the only .repo file I have is my local one. I've moved all the others to *.repo.bak in the same directory.
any ideas?