Christian Palacios

Cannot install packages on Oracle Linux 8

Hi there,

I have already configured the proxy for one of our Oracle Linux 8 servers, but every time I try to install a package, I keep getting this error.  Any suggestions?

[root@ora08 yum.repos.d]# yum install gcc
Oracle Linux 8 BaseOS Latest (x86_64)
Failed to download metadata for repo 'ol8_baseos_latest'
Error: Failed to download metadata for repo 'ol8_baseos_latest'

Thanks!

noci

Verify if the URL for the repo is reachable.  The repo is described in /etc/yum.conf or one of the files in /etc/yum.conf.d/

Christian Palacios

ASKER

Thanks.  In /etc/yum.conf all I see is this:

[main]
gpgcheck=1
installonly_limit=3
clean_requirements_on_remove=True
best=True
proxy=http://proxyIP:80


I don't have a /etc/yum.conf.d/ location.

I did find this entry enabled in /etc/yum.repos.d/oracle-linux-o18.repo, is this what I should check?

[ol8_baseos_latest]
name=Oracle Linux 8 BaseOS Latest ($basearch)
baseurl=https://yum$ociregion.oracle.com/repo/OracleLinux/OL8/baseos/latest/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1


This is the URL to be retrieved:
https://yum$ociregion.oracle.com/repo/OracleLinux/OL8/baseos/latest/$basearch/
where $ociregion depends on configuration (can be empty?)
$basearch is x386, x86_64 etc. etc. whatever architecture is in use.

So try: curl -v https://yum.oracle.com/repo/OracleLinux/OL8/baseos/latest/x86_64/  -x  http://proxyIP:80    from that system
possibly specifying the proxy info  (check the various --proxy-.... settings for authentication info)

Thank you, does it look like it worked?  I've replaced our proxy IP with "<IP>".  

[root@cne-ora08 yum.repos.d]# curl -v https://yum.oracle.com/repo/OracleLinux/OL8/baseos/latest/x86_64/  -x  http://<IP>:80
*   Trying <IP>...
* TCP_NODELAY set
* Connected to <IP> (<IP>) port 80 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to yum.oracle.com:443
> CONNECT yum.oracle.com:443 HTTP/1.1
> Host: yum.oracle.com:443
> User-Agent: curl/7.61.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection Established
< Proxy-Agent: Zscaler/6.0
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate in certificate chain
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html


curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.



* SSL certificate problem: self signed certificate in certificate chain
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

You have a proxy that replaces the certificate. This certificate is not trusted by yum / curl / etc. ==> no trust in the download.
(A proxy that wrecks the original certificate is in effect a Man-in-the-Middle attack on the secured connection (eavesdropping).)

Maybe you can copy the proxy certificate file (.pem) to the /etc/ssl/certs directory, and also create the symlink based on the authorisation hash.
It will work for curl, maybe not for yum.

The reported problem relates to your proxy running HTTP rather than HTTPS.

Solutions...

1) Simple solution, don't use a proxy.

2) Alternative solution, cover the proxy with a cert, so it runs HTTPS.

This can be a bit tricky, if your proxy only has a LAN address (no public IP).

https://www.experts-exchange.com/questions/29178281/Wildcard-SSL-certs.html provides how I cover LAN (local/private/unroutable) IPs.

Summary: Generate a wildcard cert somewhere, then name your LAN IP to any hostname.foo.com where *.foo.com is covered by your wildcard cert, then just copy the wildcard certs off the public machine (where cert created) onto any LAN machines.

Takes a few minutes to get this working first time, then will work forever with no human intervention.

@david: there is a certificate presented; it is self-signed. No "respectable" organisation depends on self-signed certificates.
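
The two readings of the transcript in this thread (a proxy transport problem versus a certificate trust problem) can be told apart from the `curl -v` output itself. The following is an added example, not code posted by any participant: a POSIX shell function that classifies a saved transcript. The function names and output labels are made up for illustration, and the sample input is constructed from the lines posted above.

```shell
#!/bin/sh
# Added example (not from the thread): triage a saved `curl -v` transcript.

# Constructed sample: the key lines of the transcript posted above.
sample_log() {
cat <<'EOF'
> CONNECT yum.oracle.com:443 HTTP/1.1
< HTTP/1.1 200 Connection Established
< Proxy-Agent: Zscaler/6.0
* Proxy replied 200 to CONNECT request
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate in certificate chain
curl: (60) SSL certificate problem: self signed certificate in certificate chain
EOF
}

# First match of a sed expression in $log (helper; hypothetical name).
first() { printf '%s\n' "$log" | sed -n "$1" | head -n 1; }

# Reads a transcript on stdin, prints a one-line diagnosis.
# The ( ) body is a subshell, so variables do not leak to the caller.
classify_curl_log() (
  log=$(tr -d '\r')                       # header lines may end in CR
  status=$(first 's/^< HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
  agent=$(first 's/^< Proxy-Agent: *//p')
  cafile=$(first 's/^\* *CAfile: *//p')
  reason=$(first 's/^curl: (60) SSL certificate problem: *//p')
  if ! printf '%s\n' "$log" | grep -q '^> CONNECT '; then
    echo "no_connect_seen"                # request did not tunnel via a proxy
  elif [ "$status" = 407 ]; then
    echo "proxy_auth_required"            # fix credentials, not certificates
  elif [ "$status" != 200 ]; then
    echo "proxy_refused_connect status=${status:-none}"
  elif [ -z "$reason" ]; then
    echo "tunnel_ok_no_cert_error"
  else
    # Tunnel is up, so the rejected chain was served inside it.
    case $reason in
      # OpenSSL 3 spells it "self-signed"; ? accepts space or hyphen.
      *"self"?"signed certificate in certificate chain"*)
        echo "untrusted_root_via_proxy agent=${agent:-unknown} cafile=${cafile:-unknown}" ;;
      *) echo "cert_verify_failed reason=$reason" ;;
    esac
  fi
)

sample_log | classify_curl_log
```

For the posted transcript the result is `untrusted_root_via_proxy`, naming the proxy agent and the CA bundle curl consulted. Not from the thread: on Oracle Linux 8 a proxy root CA whose fingerprint has been confirmed out of band is normally added by copying it to /etc/pki/ca-trust/source/anchors/ and running update-ca-trust, which regenerates the bundle named in the transcript.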