[Errno 14] Peer cert cannot be verified or peer cert invalid Trying other mirror.

Posted: 2021/10/05 22:59:01
by simon@bp
Does anyone have any insight into this and the Let's Encrypt problem?

Code:

http://vault.centos.org/6.10/os/x86_64/repodata/repomd.xml: [Errno 14] Peer cert cannot be verified or peer cert invalid
Trying other mirror.
It was impossible to connect to the Red Hat servers.
I have pointed the CentOS-Base.repo to the vault:

Code:

baseurl=http://vault.centos.org/6.10/os/$basearch/
and similar changes for updates.


It's not a network problem at my end. Working around the issue would be sufficient.

I have tried putting "sslverify=0" in /etc/yum.conf. It didn't help.

Please, we all know that CentOS 6 is EOL, but I have customers that I need to support who are still on CentOS 6.

Re: [Errno 14] Peer cert cannot be verified or peer cert invalid Trying other mirror.

Posted: 2021/10/06 09:14:35
by TrevorH
It's the Let's Encrypt CA certificate problem. You'd need to remove the expired one from the CA bundle, but whether CentOS 6's openssl will have the necessary code to follow the alternate certificate path is another question.

Sorry, but CentOS 6 is dead. It came out in 2010 with a 7 year lifespan, subsequently extended to 10 years. It died in 2020. Everyone had plenty of notice that it was going away so to still be on it a year after it died makes this a predictable breakage.

Get off CentOS 6.

Re: [Errno 14] Peer cert cannot be verified or peer cert invalid Trying other mirror.

Posted: 2021/10/06 17:56:53
by Hellkeeper
I don't want to encourage anyone to stay on CentOS 6, on the contrary ... upgrade your servers to the latest version ... but ... this problem can be solved if really needed ...

See here: https://community.letsencrypt.org/t/rhe ... ion/161032

Build openssl RPM:

Code:

# Build tools and headers needed to rebuild the el7 openssl source RPM
yum install wget
yum install krb5-devel zlib-devel lksctp-tools-devel util-linux make gcc rpm-build
curl -o openssl-1.0.2k-21.el7_9.src.rpm https://vault.centos.org/7.9.2009/updates/Source/SPackages/openssl-1.0.2k-21.el7_9.src.rpm
rpm -i openssl-1.0.2k-21.el7_9.src.rpm
cd ~/rpmbuild/SOURCES/
# secure_getenv() is not available in el6's glibc, so fall back to getenv() in the patches
sed -i 's/secure_getenv(/getenv(/g' *patch
cd ../SPECS/
# Comment out the secure-getenv patch in the spec
sed -i 's/%patch68 -p1 -b .secure-getenv/#%patch68 -p1 -b .secure-getenv/g' openssl.spec
rpmbuild -bb openssl.spec
cd ../RPMS/x86_64
rpm -U openssl-libs-1.0.2k-21.el6.x86_64.rpm openssl-1.0.2k-21.el6.x86_64.rpm

Build ca-certificates RPM:

Code:

# Build dependencies for the ca-certificates package
yum install asciidoc java-1.6.0-openjdk
mkdir -p /dl/ca-cert; cd /dl/ca-cert
curl -o ca-certificates-2020.2.41-65.1.el6_10.src.rpm https://vault.centos.org/6.10/updates/Source/SPackages/ca-certificates-2020.2.41-65.1.el6_10.src.rpm
rpm -i ca-certificates-2020.2.41-65.1.el6_10.src.rpm
curl -o ca-certificates-2021.2.50-72.el7_9.src.rpm https://vault.centos.org/7.9.2009/updates/Source/SPackages/ca-certificates-2021.2.50-72.el7_9.src.rpm
# Unpack the el7 source RPM to get its newer certdata.txt
rpm2cpio ca-certificates-2021.2.50-72.el7_9.src.rpm | cpio -idmv
cp certdata.txt ~/rpmbuild/SOURCES/
sed -i 's/Version: 2020.2.41/Version: 2021.2.50/g' ~/rpmbuild/SPECS/ca-certificates.spec
# "rpm -i" put the spec under ~/rpmbuild/SPECS, so build it from there
rpmbuild -bb ~/rpmbuild/SPECS/ca-certificates.spec
cd ~/rpmbuild/RPMS/noarch/
rpm -U ca-certificates-2021.2.50-65.1.el6.noarch.rpm
Andreas S.

Re: [Errno 14] Peer cert cannot be verified or peer cert invalid Trying other mirror.

Posted: 2021/10/06 18:15:19
by simon@bp
Manually downloading the latest (for CentOS 6) rpms for openssl and ca-certificates, installing them using rpm, allowed the system to be updated to the most recent (but still outdated) packages using yum (with "sslverify=0" in /etc/yum.conf).
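
An added example, not part of the thread: a Python check that reports, per repository, whether yum configuration text leaves TLS verification off (as with the sslverify=0 workaround above), uses a plain http baseurl, or has package signature checking off. The sample config is constructed and the function name audit_yum_config is hypothetical.

```python
import configparser

# Constructed sample: a yum.conf [main] section plus two repo stanzas.
SAMPLE = """\
[main]
gpgcheck=1
sslverify=0

[base]
name=CentOS-6.10 - Base
baseurl=http://vault.centos.org/6.10/os/$basearch/

[updates]
name=CentOS-6.10 - Updates
baseurl=https://vault.centos.org/6.10/updates/$basearch/
sslverify=1
"""

OFF = {"0", "no", "false"}


def audit_yum_config(text):
    """Map each repo id to the weakened settings in effect for it."""
    parser = configparser.RawConfigParser(strict=False)  # no $var interpolation
    parser.read_string(text)
    main = dict(parser.items("main")) if parser.has_section("main") else {}

    def effective(opts, key, default):
        # A repo-level option overrides [main]; otherwise yum's default applies.
        return opts.get(key, main.get(key, default)).strip().lower()

    report = {}
    for repo in parser.sections():
        if repo == "main":
            continue
        opts = dict(parser.items(repo))
        issues = []
        if effective(opts, "sslverify", "1") in OFF:
            issues.append("sslverify disabled")
        if any(u.lower().startswith("http://") for u in opts.get("baseurl", "").split()):
            issues.append("plaintext http baseurl")
        if effective(opts, "gpgcheck", "0") in OFF:  # yum 3 defaults gpgcheck to 0
            issues.append("gpgcheck disabled")
        report[repo] = issues
    return report


if __name__ == "__main__":
    for repo, issues in audit_yum_config(SAMPLE).items():
        print(repo, "->", ", ".join(issues) or "ok")
```

A sslverify=0 in [main] is inherited by every repo that does not set its own value, so the report lists it against each such repo rather than once.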