Can't update a CentOS 6.7 system with the EPEL repository configured.
[epel]
name=Extra Packages for Enterprise Linux 6 - $basearch
mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=epel-6&arch=$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
failovermethod=priority
I get a certificate error connecting to mirrors.fedoraproject.org. I ran the yum command with urlgrabber debugging enabled and I see my system lacks the CA to validate the cert from mirrors.fedoraproject.org.
$ URLGRABBER_DEBUG=1 yum check-update
2015-12-17 14:05:00,510 attempt 1/10: https://mirrors.fedoraproject.org/mirrorlist?repo=epel-6&arch=x86_64
INFO:urlgrabber:attempt 1/10: https://mirrors.fedoraproject.org/mirrorlist?repo=epel-6&arch=x86_64
* About to connect() to mirrors.fedoraproject.org port 443 (#0)
* Trying 140.211.169.206... * connected
* Connected to mirrors.fedoraproject.org (140.211.169.206) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Peer's certificate issuer is not recognized: 'CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US'
* NSS error -8179
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
2015-12-17 14:05:00,767 exception: [Errno 14] Peer cert cannot be verified or peer cert invalid
INFO:urlgrabber:exception: [Errno 14] Peer cert cannot be verified or peer cert invalid
2015-12-17 14:05:00,774 retrycode (14) not in list [-1, 2, 4, 5, 6, 7], re-raising
INFO:urlgrabber:retrycode (14) not in list [-1, 2, 4, 5, 6, 7], re-raising
Could not retrieve mirrorlist https://mirrors.fedoraproject.org/mirrorlist?repo=epel-6&arch=x86_64 error was
14: Peer cert cannot be verified or peer cert invalid
Error: Cannot find a valid baseurl for repo: epel
There are no updates to the ca-certificates package:
$ yum update ca-certificates --disablerepo epel
Loaded plugins: fastestmirror
Setting up Update Process
Loading mirror speeds from cached hostfile
* base: mirrors.kernel.org
* extras: mirror.solarvps.com
* updates: ftp.linux.ncsu.edu
No Packages marked for Update
Here's the current version of the ca-certificates package
Name : ca-certificates
Arch : noarch
Version : 2015.2.4
Release : 65.0.1.el6_6
Size : 3.2 M
Repo : installed
From repo : updates
Summary : The Mozilla CA root certificate bundle
URL : http://www.mozilla.org/
License : Public Domain
Description : This package contains the set of CA certificates chosen by the
: Mozilla Foundation for use with the Internet PKI.
Best Answer
Like iwaseantenbyagrue pointed out you can see the certificate offered with openssl s_client. The problem is that the server (mirrors.fedoraproject.org) does not offer the intermediate certificate, the
and you don't have the cert in your ca-bundle.
The best thing in my opinion is if the intermediate cert was added on mirrors.fedoraproject.org, but there is not much you or I could do about this, so either you try updating the ca bundle package, or else you can download the intermediate cert yourself from the DigiCert Root CA download page. You can convert it to x509 with openssl like this (omit -text if you want only the certificate).
I don't remember how it is done in CentOS, but something like: put the pem file in /etc/pki/ca-trust/source/anchors/ and run
update-ca-trust
to add this cert to your truststore.
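The chain problem the answer describes, reproduced offline as an added example (these are not the answer's commands, and nothing here comes from Fedora's or DigiCert's PKI): it assumes the openssl CLI is installed, builds a constructed root / intermediate / leaf, and verifies the leaf against a root-only bundle and against one with the intermediate appended, which is the effect of dropping the intermediate PEM into the anchors directory and running update-ca-trust.

```shell
#!/bin/sh
# Added demo, not from the original answer: build a throwaway three-tier PKI
# (constructed names, nothing from DigiCert or the CentOS bundle) and show that a
# leaf signed by an intermediate fails to verify against a bundle holding only
# the root, and verifies once the intermediate is added as an extra anchor.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# new_csr NAME CN: fresh RSA key plus CSR (all keys unencrypted, demo only).
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

new_csr root "Demo Root CA"            # stands in for the root already in ca-bundle.crt
new_csr int  "Demo Intermediate CA"    # stands in for the issuer NSS did not recognize
new_csr leaf "mirrors.example.test"    # the only certificate the server sends

openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 -sha256 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 2 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 2 -sha256 -out "$WORK/leaf.pem" 2>/dev/null

# Bundle 1: root only, the situation in the question.
cp "$WORK/root.pem" "$WORK/bundle-root-only.pem"
# Bundle 2: root plus the intermediate, which is the effect of dropping the
# intermediate PEM into /etc/pki/ca-trust/source/anchors/ and running update-ca-trust.
cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/bundle-with-int.pem"

# verify_leaf BUNDLE: succeeds only if the leaf chains to a root in BUNDLE using
# nothing but BUNDLE, i.e. the same question NSS asks of ca-bundle.crt.
verify_leaf() {
  openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

# chain_status BUNDLE: prints "verified" or "missing-intermediate".
chain_status() {
  if verify_leaf "$1"; then echo verified; else echo missing-intermediate; fi
}

echo "root-only bundle:         $(chain_status "$WORK/bundle-root-only.pem")"
echo "bundle with intermediate: $(chain_status "$WORK/bundle-with-int.pem")"
```

OpenSSL reports the first case as "unable to get local issuer certificate", which is the same condition NSS reports as error -8179 in the question's trace.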