Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Won't Fix
- Affects Version/s: None
- Fix Version/s: None
- Component/s: None
- Labels:
Description
At least on CentOS 6.3 and Fedora 18 (with SELinux) I get the following:
sudo yum install MariaDB-server MariaDB-client
...
Total 541 kB/s | 58 MB 01:49
Retrieving key from https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
GPG key retrieval failed: [Errno 14] Peer cert cannot be verified or peer cert invalid
Trying to install it manually, as described at https://mariadb.com/kb/en/installing-mariadb-with-yum/ (on Fedora):
sudo rpm --import https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
curl: (60) Peer's Certificate has expired.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
error: https://yum.mariadb.org/RPM-GPG-KEY-MariaDB: import read failed(2).
Using http instead of https works. Disabling SELinux also helped.
Activity
"rpm --import" is using curl to download the certificate. I just tried on one CentOS 6 VM I have access to. Here's the full output using "curl -v" so we can see curl accessing the site's certificate information:
[buildbot@centos6-amd64 ~]$ curl -v https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
* About to connect() to yum.mariadb.org port 443 (#0)
*   Trying 173.203.201.148... connected
* Connected to yum.mariadb.org (173.203.201.148) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*   subject: CN=*.mariadb.org,OU=Domain Control Validated
*   start date: Aug 26 18:04:09 2013 GMT
*   expire date: Oct 18 20:07:53 2014 GMT
*   common name: *.mariadb.org
*   issuer: serialNumber=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> GET /RPM-GPG-KEY-MariaDB HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> Host: yum.mariadb.org
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 23 Sep 2013 19:32:38 GMT
< Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2-1ubuntu4.21 with Suhosin-Patch mod_ssl/2.2.14 OpenSSL/0.9.8k mod_wsgi/2.8 Python/2.6.5
< Last-Modified: Mon, 29 Apr 2013 17:40:26 GMT
< ETag: "15c40f-1b8d-4db836145b680"
< Accept-Ranges: bytes
< Content-Length: 7053
< Content-Type: text/plain
<
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.10 (GNU/Linux)
[key data omitted]
-----END PGP PUBLIC KEY BLOCK-----
* Connection #0 to host yum.mariadb.org left intact
* Closing connection #0
So on this machine at least, the request was successful (as was "sudo rpm --import https://yum.mariadb.org/RPM-GPG-KEY-MariaDB"). I'll try on other machines to try and duplicate, but no luck with this CentOS box.
Can it be that my "bundle file isn't adequate", as the error message says it might be?
"curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
...
"
Is there something specific I should do to make it adequate?
Here is my output:
[elenst@centos6-64 ~]$ curl -v https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
* About to connect() to yum.mariadb.org port 443 (#0)
*   Trying 173.203.201.148... connected
* Connected to yum.mariadb.org (173.203.201.148) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Remote Certificate has expired.
* NSS error -8181
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
...
Just a guess, but is the ca-certificates package up to date? It's a Mozilla package, but maybe curl makes use of it.
yum upgrade ca-certificates says there is nothing to update...
[elenst@centos6-64 ~]$ sudo yum info ca-certificates
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: mirror.awanti.com
 * extras: mirror.awanti.com
 * updates: centosh5.centos.org
Installed Packages
Name : ca-certificates
Arch : noarch
Version : 2010.63
Release : 3.el6_1.5
Size : 1.3 M
Repo : installed
From repo : anaconda-CentOS-201207061011.x86_64
Summary : The Mozilla CA root certificate bundle
URL : http://www.mozilla.org/
License : Public Domain
Description : This package contains the set of CA certificates chosen by the
: Mozilla Foundation for use with the Internet PKI.
[elenst@centos6-64 ~]$ sudo yum upgrade ca-certificates
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: mirror.awanti.com
 * extras: mirror.awanti.com
 * updates: mirror.yandex.ru
Setting up Upgrade Process
No Packages marked for Update
I found this topic on CentOS forum: https://www.centos.org/forums/viewtopic.php?t=1073 which shows that my problem was not unique at least. It seems it somehow affected self-signed certificates and SSL validation, so it fits. I tried to set sslverify=false in yum config, and it also helped.
However, the problem seems to be gone in CentOS 6.4 and Fedora 19. With the same visible settings (sslverify=true and SELinux enabled), I'm not getting the error there. I tried to copy ca-bundle.crt from CentOS 6.4 (where the key import works) to CentOS 6.3 (where it didn't), but it didn't help, so apparently the cause is somewhere deeper.
Anyway, since Fedora 18 is EOLed, and CentOS 6.3 is 2 releases old (the current one is 6.5), and we were not getting complaints from users about all this, I assume it's safe to close it as "Won't fix". We can always re-open later if needed.
Very strange. Our *.mariadb.org certificate doesn't expire until 18 Oct 2014. Investigating.
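An added example, not part of the original thread: a small triage helper for the "certificate has expired" report discussed above, so the cause can be narrowed down before anyone reaches for http, -k or sslverify=false. It parses the certificate validity lines and the HTTP Date header from a working host's curl -v output and compares them with the clock of the failing host; the function names and verdict strings are hypothetical, and the sample is constructed from the lines quoted in the thread.

```python
import re
from datetime import datetime, timezone

# Constructed sample: certificate and Date lines from the successful run above.
SAMPLE = """\
* Server certificate:
*   subject: CN=*.mariadb.org,OU=Domain Control Validated
*   start date: Aug 26 18:04:09 2013 GMT
*   expire date: Oct 18 20:07:53 2014 GMT
< Date: Mon, 23 Sep 2013 19:32:38 GMT
"""

NSS_FMT = "%b %d %H:%M:%S %Y GMT"        # date format curl/NSS prints
HTTP_FMT = "%a, %d %b %Y %H:%M:%S GMT"   # HTTP Date header format

PATTERNS = {
    "not_before": (r"^\*\s+start date:\s*(.+)$", NSS_FMT),
    "not_after": (r"^\*\s+expire date:\s*(.+)$", NSS_FMT),
    "server_time": (r"^<\s*Date:\s*(.+)$", HTTP_FMT),
}

def parse_curl_verbose(output):
    """Return the leaf validity window and server Date found in curl -v text."""
    fields = {}
    for key, (pattern, fmt) in PATTERNS.items():
        m = re.search(pattern, output, re.MULTILINE)
        if m:
            parsed = datetime.strptime(m.group(1).strip(), fmt)
            fields[key] = parsed.replace(tzinfo=timezone.utc)
    return fields

def triage(fields, local_now, max_skew_s=300):
    """Classify an 'expired' report (verdict strings are hypothetical labels)."""
    if "not_before" not in fields or "not_after" not in fields:
        return "no-certificate-details"      # failing runs print no cert block
    nb, na = fields["not_before"], fields["not_after"]
    server = fields.get("server_time")
    if not nb <= local_now <= na:
        # Leaf looks invalid locally; decide whether the local clock is at fault.
        if server is not None and nb <= server <= na:
            return "local-clock-outside-validity"
        return "leaf-outside-validity"
    if server is not None and abs((local_now - server).total_seconds()) > max_skew_s:
        return "clock-skew"
    # Leaf is valid now: look at the intermediates and the local trust store.
    return "leaf-valid-check-chain-and-trust-store"
```

Pass the failing host's current UTC time as local_now; a "leaf-valid-check-chain-and-trust-store" verdict means the leaf certificate itself is not the expired element.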