[RESOLVED] YUM Error - Peer cert cannot be verified


Post by Roturgo » 2011/08/03 14:38:47

I wanted to share this information with everyone in the hopes that it might save someone some of the frustration that I've had in dealing with this issue. Hope it helps! :-)

While attempting to do a CentOS 6.0 kickstart install, I ran into a fun error when Anaconda started trying to pull from our local YUM repository. The error was:

[quote][Errno 14] Peer cert cannot be verified or peer cert invalid[/quote]

At that point, the install bombed out. The local repository that I was trying to use runs over https and has a self-signed certificate. This was never an issue in CentOS 5.x, but the default behavior of YUM has changed in 6.0. In RHEL6 (and by extension CentOS 6), SSL certs are now validated by YUM and if validation fails, YUM will error out with the above message.

If you have a RHN subscription, see [url=https://access.redhat.com/kb/docs/DOC-53910]https://access.redhat.com/kb/docs/DOC-53910[/url]

From the KB article:
[quote]In RHEL5 SSL certs were not validated, now in RHEL6 they are by default. SSL validation can be disabled by adding sslverify=false to /etc/yum.conf. However, if validation of the server's SSL certificate is needed, then the certificate authority's certificate (cacert) needs to be downloaded to the yum client and then a pointer to that cacert file needs to be added to yum.conf using the sslcacert option, such as sslcacert=/etc/yum.cacert.[/quote]
Apparently this bug has been reported upstream and fixed in Anaconda 14.10 and pykickstart-1.76, and a '--noverifyssl' kickstart flag has been added.

This fix won't help current CentOS 6.0 users, but there is a workaround listed on the Bugzilla page:


Basically, you'll need to add the CA cert for your repository to the global trusted cert store in your kickstart script like this:

[code]cat >/etc/pki/tls/certs/ca-bundle.crt <<END
(paste the PEM-encoded CA certificate for your repository here)
END[/code]
I searched all through the CentOS forums and site and didn't see anyone mention this issue so far, so hopefully this information saves someone some trouble of piecing together what's going on and how to work around it.

I also just want to make clear that this is an upstream vendor "bug," so it's through no fault of the CentOS team. The CentOS team is doing a fantastic job, and I want to thank everyone for all the time and effort that they've put into bringing us the excellent 6.0 release! 8-)


Post by pschaff » 2011/08/03 23:36:04

Welcome to the CentOS fora and thanks for the helpful post. I will add a note to the [url=http://wiki.centos.org/Manuals/ReleaseNotes/CentOS6.0]release notes[/url] with a pointer here.


Post by AlanBartlett » 2011/08/04 00:33:55

And, for posterity, this thread is marked [RESOLVED].


Post by bfallik-aereo » 2012/01/05 06:02:38


I'm wondering if you had a chance to actually test the procedure in the bug report or if you're just the messenger.

I'm fairly certain I'm encountering the same issue but my attempts to workaround the problem aren't working. So far I've:
1. encountered the error during kickstart, switched VTs and saw the "Peer certificate" message in the logs
2. reproduced the error in the stalled kickstart environment using python & pycurl to retrieve the URL via HTTPS
3. browsed to the same URL in firefox and exported the cert (X.509 PEM)
4. copied the cert into the stalled kickstart session, overwrote /etc/pki/.../ca-bundle.crt and repeated the experiment

Unfortunately I still encounter the same "Peer certificate cannot be authenticated..." message. It seems I'm either exporting incorrectly or not understanding how to update the local ca-bundle.crt file. Anyone have any suggestions?



Post by delong » 2012/03/13 11:41:16


I am still having this error on CentOS 6.2 (client) trying to get repomd.xml from CentOS 6.0:
[code][Errno 14] Peer cert cannot be verified or peer cert invalid[/code]

I have exported my repository's certificate from firefox, located it in /etc/yum.cert and pointed yum.conf to it with sslcacert but it didn't help.
I can't disable SSL verification, so I ask for help with this.

Any help would be appreciated.
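Added example, not code from this thread or from the Bugzilla workaround: shell helpers for the situation in the first post and in the two follow-ups (the CA certificate appended to the bundle instead of overwriting it, the repository fetched against that CA file before yum.conf is touched, and any sslverify=false removed). The paths, the repository URL and the yum.conf location are assumptions.

```shell
#!/bin/bash
# Added example (assumed paths and URL): install a private repository's CA
# certificate for yum on CentOS 6 without dropping the system bundle, then
# prove the repository verifies against it before changing yum.conf.

# Append one PEM certificate to a bundle, once, keeping a backup copy.
# Returns 0 when the bundle contains it afterwards, 1 on malformed input.
append_ca_to_bundle() {
    local ca_file="$1" bundle="$2" tail_line
    grep -q '^-----BEGIN CERTIFICATE-----$' "$ca_file" || return 1
    grep -q '^-----END CERTIFICATE-----$' "$ca_file" || return 1
    # The base64 line just before END carries the tail of the signature,
    # unique per certificate, so it works as a duplicate check.
    tail_line=$(awk '/^-----END CERTIFICATE-----$/ { print prev; exit } { prev = $0 }' "$ca_file")
    if [ -f "$bundle" ] && grep -qxF -- "$tail_line" "$bundle"; then
        return 0
    fi
    [ -f "$bundle" ] && cp -p "$bundle" "$bundle.bak"
    cat "$ca_file" >> "$bundle"   # >> keeps the public CAs; > would discard them
}

# Number of certificates in a bundle, to confirm nothing was overwritten.
count_certs() { grep -c '^-----BEGIN CERTIFICATE-----$' "$1"; }

# Fetch repomd.xml trusting only the given CA file. A failure here means
# the file is the wrong certificate (the server's leaf instead of its
# issuing CA) or the host in the URL does not match the certificate name;
# that is what to fix rather than setting sslverify=false.
check_repo_against_ca() {
    local ca_file="$1" repo_url="$2"
    curl -sS --cacert "$ca_file" -o /dev/null "$repo_url/repodata/repomd.xml"
}

# Point the [main] section of a yum.conf at the CA file, removing any
# sslverify=false or earlier sslcacert line left from troubleshooting.
set_yum_sslcacert() {
    local conf="$1" ca_file="$2"
    awk -v ca="$ca_file" '
        /^[[:space:]]*ssl(verify|cacert)[[:space:]]*=/ { next }
        { print }
        /^\[main\]/ { print "sslcacert=" ca }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Typical use from a kickstart %pre or %post section (assumed values):
# append_ca_to_bundle /tmp/repo-ca.pem /etc/pki/tls/certs/ca-bundle.crt
# check_repo_against_ca /tmp/repo-ca.pem https://repo.example.internal/centos/6/os/x86_64 \
#   && set_yum_sslcacert /etc/yum.conf /tmp/repo-ca.pem
```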

