Sunday, November 13, 2011

yum update fails in Fedora 16 because of broken certificates

Today (and also over the last few days) I ran into trouble when updating my system.
yum update silently ran into this error:

    $ sudo yum update -y
    Geladene Plugins: auto-update-debuginfo, langpacks, presto, refresh-packagekit
    Fehler: Cannot retrieve repository metadata (repomd.xml) for repository: fedora. Please verify its path and try again

That didn't tell me a lot about the error, and a yum clean metadata didn't help either.
After a bit of googling I stumbled across the URLGRABBER_DEBUG variable, which tells yum to debug all URL fetching stuff. This led me to the error:

    $ sudo URLGRABBER_DEBUG=1 yum update -y
    Geladene Plugins: auto-update-debuginfo, langpacks, presto, refresh-packagekit
    ...
    Could not get metalink https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-16&arch=x86_64 error was
    14: Peer cert cannot be verified or peer cert invalid
    Fehler: Cannot retrieve repository metadata (repomd.xml) for repository: fedora. Please verify its path and try again

It was discovered last year that such errors are not passed to the user, but it might be a good idea to fix this.
To get around the error you can temporarily disable the verification of hosts using yum's setopt switch:

    $ sudo yum update --setopt=sslverify=false
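
The --setopt switch only affects that one yum run, whereas an sslverify line written into yum.conf or a .repo file keeps certificate verification off for every later update. The following check is an added example, not part of the original post: it lists the config sections where sslverify is disabled. The function names are hypothetical and the sample repo files are constructed.

```shell
#!/bin/sh
# Added example: report yum config sections that switch TLS verification off.
# Function names are hypothetical; the sample files below are constructed.

# find_sslverify_off FILE... -> prints "FILE:[section]" per offending section
find_sslverify_off() {
    awk '
        FNR == 1 { section = "" }                 # new file, forget old section
        /^[ \t]*[#;]/ { next }                    # skip comment lines
        /^[ \t]*\[.*\][ \t]*$/ {                  # [section] header
            section = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
            next
        }
        {
            eq = index($0, "=")                   # split on the first "=" only
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1))
            val = tolower(substr($0, eq + 1))
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            # Values treated as "off" here: 0, no, false (case-insensitive)
            if (key == "sslverify" && (val == "0" || val == "no" || val == "false"))
                printf "%s:[%s]\n", FILENAME, section
        }
    ' "$@"
}

# write_sample DIR -> creates two constructed .repo files for the demo
write_sample() {
    cat > "$1/fedora.repo" <<'EOF'
[fedora]
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1

[fedora-debuginfo]
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-debug-$releasever&arch=$basearch
sslverify = False
EOF
    cat > "$1/local.repo" <<'EOF'
[local]
baseurl=https://repo.example.invalid/f16/
# sslverify=0
sslverify=1
EOF
}

d=$(mktemp -d) && write_sample "$d" && find_sslverify_off "$d"/*.repo
rm -rf "$d"
```

On a real system the function would be pointed at /etc/yum.conf and /etc/yum.repos.d/*.repo; empty output means no section has verification switched off.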

5 comments:

  1. This is from a broken NSS update. The certificates for mirrors.fedoraproject.org are valid and verifiable vs the normal set of Certificate Authorities.

  2. What is the fix for this, please? Do you know one other than the temporary one you outlined?

  3. jod, adamw describes the origin of the problem and a solution.
    http://www.happyassassin.net/2011/11/15/psa-bad-nss-update-for-f16-messing-up-yum/

  4. In a vast sense of cosmic irony, this got me around a current edit-node problem, and I didn't even notice your name at the bottom until I was finished.
