<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html;
      charset=windows-1252">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 21/11/2019 09:16, Berger J Nicklas
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:HE1PR0401MB265194BFF34806DF0C00D103F84E0@HE1PR0401MB2651.eurprd04.prod.outlook.com">
      <div>We are using squid for both http and https whitelisting for
        egress. Most of the whitelisting works fine but some specific
        ones do not work.</div>
      <div>We have tried this on these versions of squid: 3.5 (amazon linux
        2), 4.1 (centos7) and 4.4 (centos8).<br>
      </div>
      <div>For instance when running yum update for redhat linux in aws
        from a server using squid for egress it fails:</div>
      <div><br>
      </div>
      <div><span>ec2-user]# yum update -v<br>
        </span>
        <div><b><span style="color: rgb(200, 38, 19);">Failed to set
              locale, defaulting to C</span><br>
          </b></div>
        <div><b><span style="color: rgb(200, 38, 19);">Loaded plugins:
              AmazonID, builddep, changelog, config-manager, copr,
              debug, debuginfo-install, download,
              generate_completion_cache, needs-restarting, playground,
              repoclosure, repodiff, repograph, repomanage, reposync,
              uploadprofile</span><br>
          </b></div>
        <div><b><span style="color: rgb(200, 38, 19);">DNF version:
              4.0.9</span><br>
          </b></div>
        <div><b><span style="color: rgb(200, 38, 19);">cachedir:
              /var/cache/dnf</span><br>
          </b></div>
        <div><b><span style="color: rgb(200, 38, 19);">repo: downloading
              from remote: rhui-client-config-server-8</span><br>
          </b></div>
        <div><b><span style="color: rgb(200, 38, 19);">error: Curl error
              (60): Peer certificate cannot be authenticated with given
              CA certificates for
<a class="moz-txt-link-freetext" href="https://rhui3.eu-north-1.aws.ce.redhat.com/pulp/mirror/protected/rhui-client-config/rhel/server/8/x86_64/os">https://rhui3.eu-north-1.aws.ce.redhat.com/pulp/mirror/protected/rhui-client-config/rhel/server/8/x86_64/os</a>
              [SSL certificate problem: self signed certificate in
              certificate chain]
(<a class="moz-txt-link-freetext" href="https://rhui3.eu-north-1.aws.ce.redhat.com/pulp/mirror/protected/rhui-client-config/rhel/server/8/x86_64/os">https://rhui3.eu-north-1.aws.ce.redhat.com/pulp/mirror/protected/rhui-client-config/rhel/server/8/x86_64/os</a>).</span><br>
          </b></div>
        <div><b><span style="color: rgb(200, 38, 19);">Red Hat Update
              Infrastructure 3 Client Configuration Server 8            
                                                                       
                                                       0.0  B/s |   0  B
                  00:01    </span><br>
          </b></div>
        <div><b><span style="color: rgb(200, 38, 19);">Cannot download
'<a class="moz-txt-link-freetext" href="https://rhui3.eu-north-1.aws.ce.redhat.com/pulp/mirror/protected/rhui-client-config/rhel/server/8/x86_64/os">https://rhui3.eu-north-1.aws.ce.redhat.com/pulp/mirror/protected/rhui-client-config/rhel/server/8/x86_64/os</a>':
              Cannot prepare internal mirrorlist: Curl error (60): Peer
              certificate cannot be authenticated with given CA
              certificates for
<a class="moz-txt-link-freetext" href="https://rhui3.eu-north-1.aws.ce.redhat.com/pulp/mirror/protected/rhui-client-config/rhel/server/8/x86_64/os">https://rhui3.eu-north-1.aws.ce.redhat.com/pulp/mirror/protected/rhui-client-config/rhel/server/8/x86_64/os</a>
              [SSL certificate problem: self signed certificate in
              certificate chain].</span><br>
          </b></div>
        <div><b><span style="color: rgb(200, 38, 19);">Error: Failed to
              synchronize cache for repo 'rhui-client-config-server-8'</span></b></div>
        <div><span style="color: rgb(200, 38, 19);"><br>
          </span></div>
      </div>
    </blockquote>
    <p>The problem has nothing to do with Squid; <span style="color:
        rgb(0, 0, 0);"><span><a class="moz-txt-link-freetext" href="https://rhui3.eu-north-1.aws.ce.redhat.com">https://rhui3.eu-north-1.aws.ce.redhat.com</a>
          is indeed using a self-signed certificate.</span></span></p>
    <p><span style="color: rgb(0, 0, 0);"><span><br>
        </span></span></p>
    <p><span style="color: rgb(0, 0, 0);"><span>You could add that cert
          to CA trust in your system, once you have verified the
          authenticity.<br>
        </span></span></p>
    <p><br>
    </p>
    <pre class="moz-signature" cols="72">-- 
Giles Coochey</pre>
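    <p>An added example, not part of the original messages: bash functions
      that split the chain a server presents, locate the self-signed
      certificate in it, and stage it as a trust anchor only when its SHA-256
      fingerprint equals one obtained out of band. The function names are
      hypothetical; the anchors directory and <code>update-ca-trust</code> are
      the RHEL/CentOS trust-store location and tool.</p>

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical.

# SHA-256 fingerprint (AA:BB:...) of the first certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# True when subject and issuer match and the signature verifies with its own key.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Save the chain a server presents (needs network access).
fetch_chain() {   # usage: fetch_chain host port bundle.pem
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$3"
}

# Split a PEM bundle into outdir/cert-1.pem, cert-2.pem, ...
split_chain() {   # usage: split_chain bundle.pem outdir
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ {n++}
                   n {print > (d "/cert-" n ".pem")}' "$1"
}

# Print the path of the first self-signed certificate in a split chain.
find_self_signed() {   # usage: find_self_signed dir
    local f
    for f in "$1"/cert-*.pem; do
        if is_self_signed "$f"; then echo "$f"; return 0; fi
    done
    return 1
}

# Copy the certificate into the anchors directory only if its fingerprint equals
# the one obtained out of band (from the service owner, not from the connection).
trust_if_verified() {   # usage: trust_if_verified cert.pem EXPECTED_FP anchors_dir
    local got want
    got=$(cert_fingerprint "$1")
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    if [ -z "$got" ] || [ "$got" != "$want" ]; then
        echo "fingerprint mismatch, not trusting $1 (got: ${got:-none})" >&2
        return 1
    fi
    cp "$1" "$3/"
}
# RHEL/CentOS: anchors_dir=/etc/pki/ca-trust/source/anchors, then `update-ca-trust extract` as root.
```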
  </body>
</html>