Linux Red Hat Enterprise Server RHEL 5.4 certificate issue when trying to Update or install packages

Last Modified: 2019-07-29
Hello Experts,

We have inherited a RHEL 5.4 server and need to set up cloud backup; however, I am not able to install anything because of a certificate issue. If I try to install anything or do an update I get the error below. Is there a way to bypass this certificate message? The time and date on the server are correct and the system is registered. I was wondering if someone could point me in the right direction.


Regards,
Paul

[root@brick ~]# yum update
Loaded plugins: rhnplugin, security
Traceback (most recent call last):
  File "/usr/bin/yum", line 29, in ?
    yummain.user_main(sys.argv[1:], exit_code=True)
  File "/usr/share/yum-cli/yummain.py", line 309, in user_main
    errcode = main(args)
  File "/usr/share/yum-cli/yummain.py", line 157, in main
    base.getOptionsConfig(args)
  File "/usr/share/yum-cli/cli.py", line 187, in getOptionsConfig
    self.conf
  File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 664, in <lambda>
    conf = property(fget=lambda self: self._getConfig(),
  File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 253, in _getConfig
    self.plugins.run('init')
  File "/usr/lib/python2.4/site-packages/yum/plugins.py", line 179, in run
    func(conduitcls(self, self.base, conf, **kwargs))
  File "/usr/lib/yum-plugins/rhnplugin.py", line 111, in init_hook
    login_info = up2dateAuth.getLoginInfo()
  File "/usr/share/rhn/up2date_client/up2dateAuth.py", line 217, in getLoginInfo
    login()
  File "/usr/share/rhn/up2date_client/up2dateAuth.py", line 184, in login
    li = server.up2date.login(systemId)
  File "/usr/share/rhn/up2date_client/rhnserver.py", line 64, in __call__
    raise up2dateErrors.SSLCertificateVerifyFailedError()
up2date_client.up2dateErrors.SSLCertificateVerifyFailedError: The certificate is expired. Please ensure you have the correct certificate and your system time is correct.
[root@brick ~]#

noci, Software Engineer
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
You can ignore certificate validation by adding the next line to a repo config:
sslverify=0

If you want to disable it for ALL repos you can add the following to "/etc/yum.conf":
sslverify=false

Now this also makes MITM attacks simple, as there are no precautions against defective software repos in place anymore.
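
A check for the setting discussed in the answer above, as an added example that is not part of the original thread: it lists every yum section where sslverify is switched off, so a temporary override can be found and removed again. The function names and the sample files are constructed for illustration, and yum's false values are assumed to be 0, false and no.

```shell
# Added example: list yum config sections where TLS verification is off.
# Assumption: files use the usual INI layout ([section], then key=value).

audit_sslverify() {
    # $@: yum config files, e.g. /etc/yum.conf /etc/yum.repos.d/*.repo
    awk '
        FNR == 1        { section = "(none)" }     # new file, reset section
        /^[ \t]*[#;]/   { next }                   # skip comment lines
        /^[ \t]*\[.*\]/ { section = $0
                          gsub(/^[ \t]*\[|\].*$/, "", section); next }
        /^[ \t]*sslverify[ \t]*=/ {
            value = $0
            sub(/^[^=]*=[ \t]*/, "", value)        # drop "sslverify ="
            sub(/[ \t\r]+$/, "", value)            # drop trailing blanks
            v = tolower(value)
            if (v == "0" || v == "false" || v == "no")
                printf "%s [%s] sslverify=%s\n", FILENAME, section, value
        }
    ' "$@"
}

# Constructed sample configs (not taken from the server in the thread).
demo_audit() (
    d=$(mktemp -d)
    printf '[main]\ngpgcheck=1\nsslverify=false\n' > "$d/yum.conf"
    printf '[legacy]\n#sslverify=0\nsslverify=0\n[extras]\nsslverify=1\n' \
        > "$d/site.repo"
    audit_sslverify "$d/yum.conf" "$d/site.repo" | sed "s|$d/||"
    rm -rf "$d"
)
```

A hit in [main] applies to every repo that does not set its own value, so it is the one to clear first.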
Scott Silva, Network Administrator
CERTIFIED EXPERT

Commented:
Is 5.4 even still on support? Seems ancient in RedHat years... Especially since it should be on a higher dot level if it had been updated in the last several years...

Author

Commented:
Hi Scott, Talking about ancient, that's the first thing I thought when I saw it, I guess cloud backup is out of the question for this setup unless I patch it up to date.
Hi Noci, many thanks for the info, I will give it a go and let you know if it worked


Regards,
Dan
noci, Software Engineer
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
That said, it might also be the client certificate that has expired; in that case you probably need to upgrade or sign on for a new support contract.
RHEL released RHEL 8.0 a month ago.

You may be able to replace it with CentOS.
see: https://wiki.centos.org/Download
[ afaict CentOS 5.11 being the last one, with 2 releases / year that would mean it is effectively EOL 5+ years old ].
CentOS only allows downloads for CentOS 6 or 7.
David Favor, Fractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Just build zstd from scratch (super easy), then make a tarball of your system, then copy the tarball offsite somewhere.

I suggest zstd, because your OS is so old you may have a hard time finding or building xz + pixz.

Since you're using RedHat-5.4, best keep in mind this version of RedHat contains all manner of hackable software, so best upgrade immediately... by restoring a tarball to a sensible system, like Ubuntu Bionic which has a recent Kernel, as latest RedHat 7.x has a multi-year old Kernel missing all manner of important updates.

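# Backup database(s) into /path-to-site (however you do this)
# Note: -p"$pass" can expose the password to other local users via the process list
cd /path-to-site
mysqldump -uroot -p"$pass" --force --opt --single-transaction --routines --triggers dbname > dbname.sql

# Backup all files + database dumps (-I runs zstd as the compression program)
tar -Izstd -cf your-tarball-name.tar.zst /path-to-site

# Copy backup offsite over SSH; rsync's own -i only itemizes changes,
# so the key file is handed to ssh through -e
rsync -e "ssh -i $key" your-tarball-name.tar.zst "$user@$host:."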

Scott Silva, Network Administrator
CERTIFIED EXPERT

Commented:
Although RedHat does have older kernels, they do backport all possible security fixes...
noci, Software Engineer
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Scott, I agree all things are backported until a product is EOL (in general 5 years after release).
5.0 was released in 2008. (release notes) 5.11 in 2014.
5.4 is definitely EOL, 5.11 very soon will be (Sept 2019).
https://access.redhat.com/articles/3078#RHEL5

RHEL 8.0 is out now.
Scott Silva, Network Administrator
CERTIFIED EXPERT

Commented:
I was referencing the newer versions and their security levels.

Author

Commented:
Hi Noci,

I have tried what you suggested with adding the sssverify in the repo and yum.conf + reboot but no luck, I will check the client certificate if I can find out where it's located and see if I can renew / update it.

Hi David,

Thanks for your suggestion, I will give that a try and see if I can backup the whole system, is it possible to restore the tarball to a virtual machine that has a similar configuration to the existing hardware?

Regards,
Paul

By the way our client is running bespoke software on the RHEL server that is managing their sales / accounts and till systems and currently backing up to an external HDD

We are thinking of upgrading it to a higher version of RHEL and preferably virtualize it but we want to make sure that we have a full backup of everything before migrating and obviously the client to go ahead with the upgrade
noci, Software Engineer
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Restoring a tarball is not sufficient. The tarball will most likely not contain all filesystems etc. or at least it is missing the boot partition.

Here is a template to create a KVM VM... it shows all steps involved (might be hidden behind a window when using graphic based tools);
it just shows what is needed to virtualize: https://manuel.kiessling.net/2013/03/19/converting-a-running-physical-machine-to-a-kvm-virtual-machine/

Better use a virtualisation tool or dd (dd-rescue) to copy the disk (including partitioning, boot code etc.)
to an image / disk. The trick is to do this while booted from a CDROM or at least from single-user mode when no services are active
(no network is started).
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Download the ISO for 5.11 and update using the CD/DVD rom as the source of the packages.

Author

Commented:
Hello Guys,

Many thanks for all the suggestions so far, I think I have enough to work with and try out for now, hopefully I can get the certificate issue resolved so I can do the necessary updates

Regards,
Paul
Hello Guys, many thanks for your help on this. I have managed to get the certificate renewed by using the commands below, and I was able to do the required installations and updates on the server

rm /usr/share/rhn/RHNS-CA-CERT
wget -P /usr/share/rhn http://f.cl.ly/items/1B19031O2E0m1k3E2n3u/RHNS-CA-CERT



I think someone out there is still kind enough to allow certificates to be updated on ancient RHEL Systems

See this article if interested: http://kb.eclipseinc.com/kb/fix-rhn-certificate-errors/

Kind Regards,
Dan
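
An added example, not part of the original post: checks to run on a CA certificate file obtained from a third party before it replaces /usr/share/rhn/RHNS-CA-CERT. The function names are hypothetical, the expected fingerprint is assumed to come from a source you already trust, and the openssl binary is assumed to support -checkend and -sha256.

```shell
# Added example: vet a downloaded CA certificate before installing it.
# Assumption: the expected SHA-256 fingerprint was obtained out of band,
# not from the same place the file was downloaded from.

make_test_cert() {
    # Constructed self-signed certificate, valid for one day, so the
    # checks below can be tried offline. $1 = output PEM path.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

cert_fingerprint() {
    # Print the SHA-256 fingerprint of a PEM certificate (AA:BB:... form).
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

check_ca_cert() {
    # $1 = PEM file, $2 = expected fingerprint, $3 = seconds it must stay valid
    cert=$1; expected=$2; min_valid=${3:-0}
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 ||
        { echo "not a PEM certificate"; return 2; }
    if ! openssl x509 -in "$cert" -noout -checkend "$min_valid" >/dev/null
    then
        echo "expired or expiring within ${min_valid}s"; return 3
    fi
    actual=$(cert_fingerprint "$cert")
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: $actual"; return 4
    fi
    echo "ok: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
}

install_ca_cert() {
    # $1 = vetted source file, $2 = expected fingerprint, $3 = destination.
    # Copies only after the checks pass and keeps the old file for rollback.
    src=$1; expected=$2; dest=$3
    check_ca_cert "$src" "$expected" 0 || return $?
    [ -f "$dest" ] && cp -p "$dest" "$dest.bak"
    cp "$src" "$dest"
}
```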


Author

Commented:
Hello Experts, I would like to thank you all for participating and for your suggestions and alternative solutions. I will definitely keep them in mind if I get any similar situations in the future :)

Kind Regards,
Paul and Dan