[squid-users] yum update fails when using squid even though .redhat.com is whitelisted

Giles Coochey giles at coochey.net
Thu Nov 21 09:31:30 UTC 2019


On 21/11/2019 09:16, Berger J Nicklas wrote:
> We are using squid for both http and https whitelisting for egress. 
> Most of the whitelisting works fine but some specific ones do not work.
> We have tried this on these versions of squid 3.5(amazon linux 2), 
> 4.1(centos7) and 4.4(centos8).
> For instance when running yum update for redhat linux in aws from a 
> server using squid for egress it fails:
>
> ec2-user]# yum update -v
> Failed to set locale, defaulting to C
> Loaded plugins: AmazonID, builddep, changelog, config-manager, copr, 
> debug, debuginfo-install, download, generate_completion_cache, 
> needs-restarting, playground, repoclosure, repodiff, repograph, 
> repomanage, reposync, uploadprofile
> DNF version: 4.0.9
> cachedir: /var/cache/dnf
> repo: downloading from remote: rhui-client-config-server-8
> error: Curl error (60): Peer certificate cannot be authenticated with 
> given CA certificates for 
> https://rhui3.eu-north-1.aws.ce.redhat.com/pulp/mirror/protected/rhui-client-config/rhel/server/8/x86_64/os 
> [SSL certificate problem: self signed certificate in certificate 
> chain] 
> (https://rhui3.eu-north-1.aws.ce.redhat.com/pulp/mirror/protected/rhui-client-config/rhel/server/8/x86_64/os).
> Red Hat Update Infrastructure 3 Client Configuration Server 8    0.0  B/s |   0  B     00:01
> Cannot download 
> 'https://rhui3.eu-north-1.aws.ce.redhat.com/pulp/mirror/protected/rhui-client-config/rhel/server/8/x86_64/os': 
> Cannot prepare internal mirrorlist: Curl error (60): Peer certificate 
> cannot be authenticated with given CA certificates for 
> https://rhui3.eu-north-1.aws.ce.redhat.com/pulp/mirror/protected/rhui-client-config/rhel/server/8/x86_64/os 
> [SSL certificate problem: self signed certificate in certificate chain].
> Error: Failed to synchronize cache for repo 
> 'rhui-client-config-server-8'
>
The problem has nothing to do with Squid, 
https://rhui3.eu-north-1.aws.ce.redhat.com is indeed using a self-signed 
certificate.


You could add that cert to CA trust in your system, once you have 
verified the authenticity.


-- 
Giles Coochey
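
One way to gate a CA-trust import on an authenticity check, as an added example that is not part of the original thread. It assumes the RHEL-family anchor directory and `update-ca-trust`, a SHA-256 fingerprint obtained out of band, and hypothetical function names:

```bash
#!/usr/bin/env bash
# Added example. Paths below are the RHEL-family defaults (assumption).
ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"

# SHA-256 fingerprint of a PEM certificate: lowercase hex, no colons.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Normalise a fingerprint as a human supplies it (colons, spaces, mixed case).
normalise_fp() { printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'; }

# Succeed only if the file's fingerprint equals the out-of-band value.
fingerprint_matches() {
    local actual expected
    actual="$(cert_sha256 "$1")"
    expected="$(normalise_fp "$2")"
    [ -n "$actual" ] && [ "${#expected}" -eq 64 ] && [ "$actual" = "$expected" ]
}

# True when subject == issuer, i.e. the certificate is self-signed.
is_self_signed() {
    local subj iss
    subj="$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null | sed 's/^subject= *//')"
    iss="$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 2>/dev/null | sed 's/^issuer= *//')"
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# Install the certificate as a trust anchor only after the check passes.
trust_verified_cert() {
    local pem="$1" expected="$2"
    if ! fingerprint_matches "$pem" "$expected"; then
        echo "refusing: $pem does not match the expected fingerprint" >&2
        return 1
    fi
    is_self_signed "$pem" || echo "note: $pem is not self-signed" >&2
    install -m 0644 "$pem" "$ANCHOR_DIR/" || return 1
    # Rebuild the system bundles only when writing to the real anchor directory.
    if [ "$ANCHOR_DIR" = /etc/pki/ca-trust/source/anchors ]; then
        update-ca-trust extract
    fi
}
```

Call it as `trust_verified_cert ./candidate.pem "<fingerprint from the certificate's owner>"`; a fingerprint read from the same connection that served the certificate proves nothing about authenticity.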
