How to make rpm install from user avoid curl SSL errors

anaconda kickstart rpm

I am trying to install an RPM from a URL directly from the anaconda kickstart (CentOS 7) %post phase, but I encountered an interesting error:

```
+ rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
error: skipping https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm - transfer failed
```

Running the same command after the system reboots works well, but inside post it fails and, as opposed to curl, which has a -k parameter, I found no option to give to rpm.

This is doubly weird because this address is not supposed to have an invalid SSL certificate anyway.

I know that I could split this into two commands, one curl that downloads the file and another one to install the rpm.

Still, I am looking for a better solution, a one-line one.

Update

My first attempt was to add epel-release inside the list of packages, but this raised an error:

```
You have specified that the package 'epel-release' should be installed.  This
package does not exist.  Would you like to ignore this package and continue with
installation?

Please respond 'yes' or 'no':
```

Best Answer

These SSL errors were caused by the presence of the http_proxy environment variable, which made rpm use a proxy.

Once I installed the custom CA certificate, this was sorted.
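
One way to apply the fix from the answer inside %post, as an added example that is not part of the original answer: trust the proxy's CA before calling rpm, so certificate verification stays on. The function names and the CA path `/root/proxy-ca.pem` are assumptions; the anchors directory and `update-ca-trust` are the CentOS 7 defaults.

```shell
#!/bin/sh
# Added example, not from the original post. For a kickstart %post section.
# Assumptions: function names are illustrative; the anchors directory and
# update-ca-trust are the CentOS 7 defaults.

ANCHORS_DEFAULT=/etc/pki/ca-trust/source/anchors

# True when a proxy variable honoured by curl (and so by rpm's URL fetch)
# is present in the environment.
proxy_in_use() {
    [ -n "${http_proxy:-}${https_proxy:-}${HTTPS_PROXY:-}${all_proxy:-}${ALL_PROXY:-}" ]
}

# Add a PEM CA certificate to the trust anchors and rebuild the bundle.
# $1 = CA file, $2 = anchors directory (optional, for testing).
install_proxy_ca() {
    ca_file=$1
    anchors=${2:-$ANCHORS_DEFAULT}
    # Sanity check only: reject files without a PEM certificate header,
    # such as an HTML error page saved by a failed download.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$ca_file" 2>/dev/null || {
        echo "not a PEM certificate: $ca_file" >&2
        return 1
    }
    install -m 0644 "$ca_file" "$anchors/" || return 1
    # Regenerate the system bundle only when the real store was modified.
    if [ "$anchors" = "$ANCHORS_DEFAULT" ]; then
        update-ca-trust extract || return 1
    fi
}

# Install an RPM from a URL with verification left on.
# $1 = RPM URL, $2 = CA certificate of the proxy.
rpm_install_via_proxy() {
    url=$1
    ca_file=$2
    if proxy_in_use; then
        echo "proxy configured; trusting its CA before download" >&2
        install_proxy_ca "$ca_file" || return 1
    fi
    rpm -Uvh "$url"
}

# In %post (the CA path is a hypothetical location):
# rpm_install_via_proxy \
#   https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm \
#   /root/proxy-ca.pem
```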
