Solving the RedHat "problem making ssl connection" error

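Today I was given a machine on which I needed to install software for deploying continuous integration.

After configuring the Tsinghua University epel-release repository, searching for the ansible package produced the following error: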

[root@2B2C-test-DB1 .repos.d]#  search ansible
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
https://mirrors.tuna.tsinghua.edu.cn/epel/6/x86_64/repodata/repomd.xml: [Errno 14] problem making ssl connection
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: epel. Please verify its path and try again
[root@2B2C-test-DB1 .repos.d]# 

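At first I thought it was an OpenSSL problem, but after updating openssl and openssl-devel the problem remained.

Later I googled it and saw many people saying it was a problem with the ca-certificates package and that the certificates needed updating. When I tried to update, yum reported that nothing needed updating; to be sure, I reinstalled the certificates and noticed a problem: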

[root@2B2C-test-DB1 yum.repos.d]# yum install ca-certificates
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Package ca-certificates-2010.63-3.el6_1.5.noarch already installed and latest version
Nothing to do
[root@2B2C-test-DB1 yum.repos.d]# yum reinstall ca-certificates
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Reinstall Process
Resolving Dependencies
--> Running transaction check
---> Package ca-certificates.noarch 0:2010.63-3.el6_1.5 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================================
 Package                                Arch                          Version                                  Repository                     Size
===================================================================================================================================================
Reinstalling:
 ca-certificates                        noarch                        2010.63-3.el6_1.5                        Server                        531 k

Transaction Summary
===================================================================================================================================================
Reinstall     1 Package(s)

Total download size: 531 k
Installed size: 1.3 M
Is this ok [y/N]: y
Downloading Packages:
Running _check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : ca-certificates-2010.63-3.el6_1.5.noarch                                                                                        1/1 
  Verifying  : ca-certificates-2010.63-3.el6_1.5.noarch                                                                                        1/1 

Installed:
  ca-certificates.noarch 0:2010.63-3.el6_1.5                                                                                                       

Complete!
[root@2B2C-test-DB1 yum.repos.d]# 

Why are the certificates still from 2010? So I looked at the repo file and finally found the cause:

[root@2B2C-test-DB1 yum.repos.d]# more rhel-source.repo_20180324 
[Server]
name=Server
baseurl=file:///mnt/IOS/Server  
enabled=1
gpgcheck=0
gpgkey=file:///media/RPM-GPG-KEY-redhat-release
[root@2B2C-test-DB1 yum.repos.d]#

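It turned out this system was not using an online repository but the installation disc as its repository, so ca-certificates was never updated, and certificate verification failed when connecting to HTTPS repositories.

On top of that, no Red Hat subscription had been purchased for this system, so it could not connect to the Red Hat repositories for updates. After a good deal of research, I decided to use an online repository to update the system, since the packages are compatible anyway.

Because the ca-certificates bundle was old and could not be used to connect to HTTPS repositories, I needed to find an HTTP repository to update the certificates from. After searching online, I found that NetEase's yum mirror is served over HTTP.

After switching to the NetEase yum repository and disabling the HTTPS epel repository (enabled=0), I could finally update ca-certificates: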

[root@2B2C-test-DB1 ~]# yum install ca-certificates
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Resolving Dependencies
...
...
...

Dependencies Resolved

===================================================================================================================================================
 Package                                Arch                       Version                                       Repository                   Size
===================================================================================================================================================
Updating:
 ca-certificates                        noarch                     2017.2.14-65.0.1.el6_9                        updates                     1.3 M
 nss                                    x86_64                     3.28.4-4.el6_9                                updates                     879 k
Installing for dependencies:
 p11-kit                                x86_64                     0.18.5-2.el6_5.2                              base                         94 k
 p11-kit-trust                          x86_64                     0.18.5-2.el6_5.2                              base                         71 k
Updating for dependencies:
 nspr                                   x86_64                     4.13.1-1.el6                                  base                        114 k
 nss-softokn                            x86_64                     3.14.3-23.3.el6_8                             base                        262 k
 nss-softokn-freebl                     i686                       3.14.3-23.3.el6_8                             base                        157 k
 nss-softokn-freebl                     x86_64                     3.14.3-23.3.el6_8                             base                        168 k
 nss-sysinit                            x86_64                     3.28.4-4.el6_9                                updates                      51 k
 nss-tools                              x86_64                     3.28.4-4.el6_9                                updates                     447 k
 nss-util                               x86_64                     3.28.4-1.el6_9                                updates                      68 k

Transaction Summary
===================================================================================================================================================
Install       2 Package(s)
Upgrade       9 Package(s)

...
...
...                 

Updated:
  ca-certificates.noarch 0:2017.2.14-65.0.1.el6_9                                    nss.x86_64 0:3.28.4-4.el6_9                                   

Dependency Updated:
  nspr.x86_64 0:4.13.1-1.el6                         nss-softokn.x86_64 0:3.14.3-23.3.el6_8      nss-softokn-freebl.i686 0:3.14.3-23.3.el6_8     
  nss-softokn-freebl.x86_64 0:3.14.3-23.3.el6_8      nss-sysinit.x86_64 0:3.28.4-4.el6_9         nss-tools.x86_64 0:3.28.4-4.el6_9               
  nss-util.x86_64 0:3.28.4-1.el6_9                  

Complete!
[root@2B2C-test-DB1 ~]# 
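
With a plain-HTTP repository, RPM signature checking (gpgcheck) is what authenticates the downloaded packages, including the CA bundle itself. The following is an added example, not part of the original post, that lists enabled repo sections with gpgcheck=0 and classifies them by transport; the function names, the mirror host and the sample files are constructed, with only the [Server] section taken from the post.

```bash
#!/bin/bash
# Added example: flag enabled yum repo sections that install packages with
# gpgcheck=0. A section that omits gpgcheck inherits [main] from /etc/yum.conf
# and is not evaluated here. mirrorlist= entries are not inspected.
audit_repos() {
  awk '
    function report(   kind) {
      if (sec != "" && enabled != "0" && gpg == "0") {
        kind = "UNAUTHENTICATED"                  # http/ftp: nothing verifies the RPMs
        if (url ~ /^https:/) kind = "TLS-ONLY"    # server is verified, packages are not
        if (url ~ /^file:/)  kind = "LOCAL-MEDIA" # trust rests on the mounted media
        printf "%s [%s] %s %s\n", kind, sec, file, url
      }
      sec = ""
    }
    FNR == 1          { report() }
    /^[ \t]*[#;]/     { next }
    /^[ \t]*\[/       { report(); sec = $0; gsub(/^[ \t]*\[|\].*$/, "", sec)
                        file = FILENAME; enabled = "1"; gpg = ""; url = ""; next }
    sec != "" && /=/  { key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
                        val = $0; sub(/^[^=]*=/, "", val)
                        gsub(/^[ \t]+|[ \t\r]+$/, "", val)
                        if (key == "enabled")  enabled = val
                        if (key == "gpgcheck") gpg = val
                        if (key == "baseurl")  url = val }
    END               { report() }
  ' "$@"
}

# Constructed sample input: the local-media repo shown in the post, plus a
# hypothetical plain-HTTP mirror (placeholder host) and an HTTPS epel section.
make_samples() {
  dir=$(mktemp -d)
  printf '%s\n' '[Server]' 'name=Server' 'baseurl=file:///mnt/IOS/Server  ' \
    'enabled=1' 'gpgcheck=0' > "$dir/rhel-source.repo"
  printf '%s\n' '[base]' 'baseurl=http://mirror.example.invalid/os/' 'gpgcheck=0' \
    '[epel]' 'baseurl=https://mirror.example.invalid/epel/' 'enabled=0' 'gpgcheck=0' \
    '[updates]' 'baseurl=http://mirror.example.invalid/updates/' 'gpgcheck=1' \
    > "$dir/mirror.repo"
  echo "$dir"
}

dir=$(make_samples)
audit_repos "$dir"/*.repo
rm -rf "$dir"
```

On a real host the function would be pointed at /etc/yum.repos.d/*.repo; disabled sections such as the epel one here are skipped because yum does not install from them.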

After updating ca-certificates, I re-enabled the epel repository (enabled=1), and downloads worked normally:

[root@2B2C-test-DB1 ~]# yum install ansible 
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
epel                                                                                                                        | 4.7 kB     00:00     
epel/primary_db                                                                                                             | 6.0 MB     00:01     
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ansible.noarch 0:2.4.2.0-1.el6 will be installed
--> Processing Dependency: PyYAML for package: ansible-2.4.2.0-1.el6.noarch
--> Processing Dependency: -crypto2.6 for package: ansible-2.4.2.0-1.el6.noarch
--> Processing Dependency: -httplib2 for package: ansible-2.4.2.0-1.el6.noarch
--> Processing Dependency: -jinja2-26 for package: ansible-2.4.2.0-1.el6.noarch
--> Processing Dependency: -keyczar for package: ansible-2.4.2.0-1.el6.noarch
--> Processing Dependency: -six for package: ansible-2.4.2.0-1.el6.noarch
--> Processing Dependency: sshpass for package: ansible-2.4.2.0-1.el6.noarch
--> Running transaction check
---> Package PyYAML.x86_64 0:3.10-3.1.el6 will be installed
--> Processing Dependency: libyaml-0.so.2()(64bit) for package: PyYAML-3.10-3.1.el6.x86_64
---> Package -crypto2.6.x86_64 0:2.6.1-2.el6 will be installed
---> Package -httplib2.noarch 0:0.7.7-1.el6 will be installed
---> Package -jinja2-26.noarch 0:2.6-3.el6 will be installed
---> Package -keyczar.noarch 0:0.71c-1.el6 will be installed
---> Package -six.noarch 0:1.9.0-2.el6 will be installed
---> Package sshpass.x86_64 0:1.06-1.el6 will be installed
--> Running transaction check
---> Package libyaml.x86_64 0:0.1.3-4.el6_6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved
...
...
...
Installed:
  ansible.noarch 0:2.4.2.0-1.el6                                                                                                                   

Dependency Installed:
  PyYAML.x86_64 0:3.10-3.1.el6                    libyaml.x86_64 0:0.1.3-4.el6_6                 -crypto2.6.x86_64 0:2.6.1-2.el6           
  -httplib2.noarch 0:0.7.7-1.el6            -jinja2-26.noarch 0:2.6-3.el6            -keyczar.noarch 0:0.71c-1.el6             
  -six.noarch 0:1.9.0-2.el6                 sshpass.x86_64 0:1.06-1.el6                   

Complete!
[root@2B2C-test-DB1 ~]# 