Unable to update a CentOS 6.7 system when the EPEL repository is configured.
    [epel]
    name=Extra Packages for Enterprise Linux 6 - $basearch
    mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=epel-6&arch=$basearch
    enabled=1
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
    failovermethod=priority
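I get a certificate error connecting to mirrors.fedoraproject.org. I ran the yum command with urlgrabber debugging enabled, and I can see that my system has no CA to validate the certificate from mirrors.fedoraproject.org.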
    $ URLGRABBER_DEBUG=1 yum check-update
    2015-12-17 14:05:00,510 attempt 1/10: https://mirrors.fedoraproject.org/mirrorlist?repo=epel-6&arch=x86_64
    INFO:urlgrabber:attempt 1/10: https://mirrors.fedoraproject.org/mirrorlist?repo=epel-6&arch=x86_64
    * About to connect() to mirrors.fedoraproject.org port 443 (#0)
    * Trying 140.211.169.206...
    * connected
    * Connected to mirrors.fedoraproject.org (140.211.169.206) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    * CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * Peer's certificate issuer is not recognized: 'CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US'
    * NSS error -8179
    * Closing connection #0
    * Peer certificate cannot be authenticated with known CA certificates
    2015-12-17 14:05:00,767 exception: [Errno 14] Peer cert cannot be verified or peer cert invalid
    INFO:urlgrabber:exception: [Errno 14] Peer cert cannot be verified or peer cert invalid
    2015-12-17 14:05:00,774 retrycode (14) not in list [-1, 2, 4, 5, 6, 7], re-raising
    INFO:urlgrabber:retrycode (14) not in list [-1, 2, 4, 5, 6, 7], re-raising
    Could not retrieve mirrorlist https://mirrors.fedoraproject.org/mirrorlist?repo=epel-6&arch=x86_64 error was
    14: Peer cert cannot be verified or peer cert invalid
    Error: Cannot find a valid baseurl for repo: epel
There is no update for the ca-certificates package:
    $ yum update ca-certificates --disablerepo epel
    Loaded plugins: fastestmirror
    Setting up Update Process
    Loading mirror speeds from cached hostfile
     * base: mirrors.kernel.org
     * extras: mirror.solarvps.com
     * updates: ftp.linux.ncsu.edu
    No Packages marked for Update
This is the current version of the ca-certificates package:
    Name        : ca-certificates
    Arch        : noarch
    Version     : 2015.2.4
    Release     : 65.0.1.el6_6
    Size        : 3.2 M
    Repo        : installed
    From repo   : updates
    Summary     : The Mozilla CA root certificate bundle
    URL         : http://www.mozilla.org/
    License     : Public Domain
    Description : This package contains the set of CA certificates chosen by the
                : Mozilla Foundation for use with the Internet PKI.
You can check whether the problem is unrelated to ca-certificates by using openssl:
    > openssl s_client -connect 140.211.169.206:443 -servername mirrors.fedoraproject.org
    CONNECTED(00000003)
    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
    verify return:1
    depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
    verify return:1
    depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat Inc., CN = *.fedoraproject.org
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc./CN=*.fedoraproject.org
       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
     1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
If this also fails, I would suggest you run sudo update-ca-trust.
Also worth mentioning is where your ca-bundle actually comes from:
    sudo rpm -q --whatprovides /etc/pki/tls/certs/ca-bundle.crt
It should come from the ca-certificates package, but if it does not, you may want to try reinstalling it.
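The checks above can be driven straight from the debug log. The script below is an added example, not part of the original question or answer: it pulls the CA bundle path and the unrecognized issuer out of URLGRABBER_DEBUG output, reports the state of that bundle on disk, and then runs the answer's rpm ownership check. The function names are hypothetical, and the sample log is constructed from the lines in the question.

```bash
#!/usr/bin/env bash
# Added example: triage the TLS failure from URLGRABBER_DEBUG=1 output.

# Constructed sample, copied from the debug output in the question.
sample_log() {
cat <<'EOF'
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Peer's certificate issuer is not recognized: 'CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US'
* NSS error -8179
EOF
}

# CA bundle path the client was told to use (stdin: debug log).
log_cafile() { sed -n 's/^.*CAfile: *\([^ ]*\).*/\1/p' | head -n 1; }

# CN of the issuer that could not be chained to a trusted root.
log_issuer_cn() {
  sed -n "s/^.*issuer is not recognized: 'CN=\([^,']*\).*/\1/p" | head -n 1
}

# Classify the bundle on disk: missing, empty, or present with a cert count.
bundle_state() {
  local n
  [ -e "$1" ] || { echo "missing"; return 0; }
  [ -s "$1" ] || { echo "empty"; return 0; }
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
  echo "present ($n certificates)"
}

# Hypothetical helper: summarise the failure, then run the answer's rpm check.
triage() {
  local log issuer cafile
  log=$(cat)
  issuer=$(printf '%s\n' "$log" | log_issuer_cn)
  cafile=$(printf '%s\n' "$log" | log_cafile)
  [ -n "$issuer" ] || { echo "no untrusted-issuer error in log"; return 0; }
  echo "untrusted issuer: $issuer"
  echo "CA bundle used:   $cafile [$(bundle_state "$cafile")]"
  if command -v rpm >/dev/null 2>&1 && [ -e "$cafile" ]; then
    rpm -q --whatprovides "$cafile" || true  # expected owner: ca-certificates
    rpm -V ca-certificates || true           # files changed since install
  fi
}

sample_log | triage
```

On an affected host, replace the sample with the real log, for example `URLGRABBER_DEBUG=1 yum check-update 2>&1 | triage`.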