Fixing "problem making ssl connection" on RedHat

Today I received a RedHat machine that needed ansible installed so we could deploy continuous integration.

After configuring the Tsinghua University epel-release mirror, searching for the ansible package produced the following error:

[root@2B2C-test-DB1 yum.repos.d]# yum search ansible
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
https://mirrors.tuna.tsinghua.edu.cn/epel/6/x86_64/repodata/repomd.xml: [Errno 14] problem making ssl connection
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: epel. Please verify its path and try again
[root@2B2C-test-DB1 yum.repos.d]#

At first I thought it was an openssl problem, but after updating openssl and openssl-devel the problem persisted.

After googling, I found many people saying it was a ca-certificates problem and that the certificate bundle needed updating. Updating reported there was nothing to update, so to be sure I reinstalled the package, and noticed something odd:

[root@2B2C-test-DB1 yum.repos.d]# yum install ca-certificates
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Package ca-certificates-2010.63-3.el6_1.5.noarch already installed and latest version
Nothing to do
[root@2B2C-test-DB1 yum.repos.d]# yum reinstall ca-certificates
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Reinstall Process
Resolving Dependencies
--> Running transaction check
---> Package ca-certificates.noarch 0:2010.63-3.el6_1.5 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================================
Package Arch Version Repository Size
===================================================================================================================================================
Reinstalling:
ca-certificates noarch 2010.63-3.el6_1.5 Server 531 k

Transaction Summary
===================================================================================================================================================
Reinstall 1 Package(s)

Total download size: 531 k
Installed size: 1.3 M
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : ca-certificates-2010.63-3.el6_1.5.noarch 1/1
Verifying : ca-certificates-2010.63-3.el6_1.5.noarch 1/1

Installed:
ca-certificates.noarch 0:2010.63-3.el6_1.5

Complete!
[root@2B2C-test-DB1 yum.repos.d]#

Why was the certificate bundle still from 2010? I looked at the repo file and finally found the cause:

[root@2B2C-test-DB1 yum.repos.d]# more rhel-source.repo_20180324 
[Server]
name=Server
baseurl=file:///mnt/IOS/Server
enabled=1
gpgcheck=0
gpgkey=file:///media/RPM-GPG-KEY-redhat-release
[root@2B2C-test-DB1 yum.repos.d]#

It turned out this system was not using an online repository at all but the installation disc, so ca-certificates was never updated and the old CA bundle could not validate the TLS certificate of an https repository.

On top of that, this system had no Red Hat subscription, so it could not reach the Red Hat repositories for updates. After much investigation I decided to update the system from the CentOS online repositories, since the packages are interchangeable anyway.

Because the ca-certificates bundle was outdated and https repositories could not be reached, I needed a repository served over plain http to update the certificates. After searching online, I found that NetEase's yum mirror uses http.

After switching to the NetEase yum mirror and disabling the https epel repo (enabled=0), I could finally update ca-certificates:

[root@2B2C-test-DB1 ~]# yum install ca-certificates
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Resolving Dependencies
...
...
...

Dependencies Resolved

===================================================================================================================================================
Package Arch Version Repository Size
===================================================================================================================================================
Updating:
ca-certificates noarch 2017.2.14-65.0.1.el6_9 updates 1.3 M
nss x86_64 3.28.4-4.el6_9 updates 879 k
Installing for dependencies:
p11-kit x86_64 0.18.5-2.el6_5.2 base 94 k
p11-kit-trust x86_64 0.18.5-2.el6_5.2 base 71 k
Updating for dependencies:
nspr x86_64 4.13.1-1.el6 base 114 k
nss-softokn x86_64 3.14.3-23.3.el6_8 base 262 k
nss-softokn-freebl i686 3.14.3-23.3.el6_8 base 157 k
nss-softokn-freebl x86_64 3.14.3-23.3.el6_8 base 168 k
nss-sysinit x86_64 3.28.4-4.el6_9 updates 51 k
nss-tools x86_64 3.28.4-4.el6_9 updates 447 k
nss-util x86_64 3.28.4-1.el6_9 updates 68 k

Transaction Summary
===================================================================================================================================================
Install 2 Package(s)
Upgrade 9 Package(s)

...
...
...

Updated:
ca-certificates.noarch 0:2017.2.14-65.0.1.el6_9 nss.x86_64 0:3.28.4-4.el6_9

Dependency Updated:
nspr.x86_64 0:4.13.1-1.el6 nss-softokn.x86_64 0:3.14.3-23.3.el6_8 nss-softokn-freebl.i686 0:3.14.3-23.3.el6_8
nss-softokn-freebl.x86_64 0:3.14.3-23.3.el6_8 nss-sysinit.x86_64 0:3.28.4-4.el6_9 nss-tools.x86_64 0:3.28.4-4.el6_9
nss-util.x86_64 0:3.28.4-1.el6_9

Complete!
[root@2B2C-test-DB1 ~]#

After updating ca-certificates, re-enable the epel repo (enabled=1) and downloads work normally:

[root@2B2C-test-DB1 ~]# yum install ansible 
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
epel | 4.7 kB 00:00
epel/primary_db | 6.0 MB 00:01
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ansible.noarch 0:2.4.2.0-1.el6 will be installed
--> Processing Dependency: PyYAML for package: ansible-2.4.2.0-1.el6.noarch
--> Processing Dependency: python-crypto2.6 for package: ansible-2.4.2.0-1.el6.noarch
--> Processing Dependency: python-httplib2 for package: ansible-2.4.2.0-1.el6.noarch
--> Processing Dependency: python-jinja2-26 for package: ansible-2.4.2.0-1.el6.noarch
--> Processing Dependency: python-keyczar for package: ansible-2.4.2.0-1.el6.noarch
--> Processing Dependency: python-six for package: ansible-2.4.2.0-1.el6.noarch
--> Processing Dependency: sshpass for package: ansible-2.4.2.0-1.el6.noarch
--> Running transaction check
---> Package PyYAML.x86_64 0:3.10-3.1.el6 will be installed
--> Processing Dependency: libyaml-0.so.2()(64bit) for package: PyYAML-3.10-3.1.el6.x86_64
---> Package python-crypto2.6.x86_64 0:2.6.1-2.el6 will be installed
---> Package python-httplib2.noarch 0:0.7.7-1.el6 will be installed
---> Package python-jinja2-26.noarch 0:2.6-3.el6 will be installed
---> Package python-keyczar.noarch 0:0.71c-1.el6 will be installed
---> Package python-six.noarch 0:1.9.0-2.el6 will be installed
---> Package sshpass.x86_64 0:1.06-1.el6 will be installed
--> Running transaction check
---> Package libyaml.x86_64 0:0.1.3-4.el6_6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved
...
...
...
Installed:
ansible.noarch 0:2.4.2.0-1.el6

Dependency Installed:
PyYAML.x86_64 0:3.10-3.1.el6 libyaml.x86_64 0:0.1.3-4.el6_6 python-crypto2.6.x86_64 0:2.6.1-2.el6
python-httplib2.noarch 0:0.7.7-1.el6 python-jinja2-26.noarch 0:2.6-3.el6 python-keyczar.noarch 0:0.71c-1.el6
python-six.noarch 0:1.9.0-2.el6 sshpass.x86_64 0:1.06-1.el6

Complete!
[root@2B2C-test-DB1 ~]#
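The repo toggling done by hand above (set enabled=0 on the https epel repo, update ca-certificates over http, set enabled=1 again), as an added shell example that is not part of the original post. The sample .repo contents and the http mirror host are constructed, and the NOSIG tag is my own check that a plain-http repo still has gpgcheck=1, since without TLS the RPM signature is the only integrity protection left.

```shell
# Added example, not from the original post: inspect and toggle yum .repo sections
# as the post does by hand (disable https epel, update over http, re-enable epel).

# repo_report FILE: prints "id scheme enabled=N gpgcheck=N" per [section].
# A plain-http repo with gpgcheck=0 is tagged NOSIG: without TLS, the RPM
# signature check is the only integrity protection on what yum installs.
repo_report() {
    awk '
        function emit() {
            if (id == "") return
            scheme = "other"
            if (baseurl ~ /^https:/) scheme = "https"; else if (baseurl ~ /^http:/) scheme = "http"
            flag = (scheme == "http" && gpgcheck == "0") ? " NOSIG" : ""
            printf "%s %s enabled=%s gpgcheck=%s%s\n", id, scheme, enabled, gpgcheck, flag
        }
        /^\[.*]$/    { emit(); id = substr($0, 2, length($0) - 2); baseurl = ""; enabled = gpgcheck = "?"; next }
        /^baseurl=/  { baseurl  = substr($0, 9) }
        /^enabled=/  { enabled  = substr($0, 9) }
        /^gpgcheck=/ { gpgcheck = substr($0, 10) }
        END { emit() }
    ' "$1"
}

# repo_set_enabled FILE REPO 0|1: rewrite only the enabled= line of REPO.
repo_set_enabled() {
    tmp="$1.tmp.$$"
    awk -v repo="$2" -v value="$3" '
        /^\[.*]$/ { cur = substr($0, 2, length($0) - 2) }
        cur == repo && /^enabled=/ { print "enabled=" value; next }
        { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# make_sample_repo FILE: constructed sample; the http mirror host is a placeholder.
make_sample_repo() {
    cat > "$1" <<'EOF'
[epel]
baseurl=https://mirrors.tuna.tsinghua.edu.cn/epel/6/x86_64/
enabled=1
gpgcheck=1
[centos-http]
baseurl=http://mirror.example.invalid/centos/6/os/x86_64/
enabled=1
gpgcheck=0
EOF
}
f=$(mktemp); make_sample_repo "$f"
repo_set_enabled "$f" epel 0   # disable the https repo the stale CA bundle cannot verify
repo_report "$f"               # centos-http is tagged NOSIG: set gpgcheck=1 before using it
repo_set_enabled "$f" epel 1; rm -f "$f"   # re-enable epel once ca-certificates is current
```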