Christian Palacios
asked on
Cannot install packages on Oracle Linux 8
Hi there,
I have already configured the proxy for one of our Oracle Linux 8 servers, but every time I try to install a package, I keep getting this error. Any suggestions?
[root@ora08 yum.repos.d]# yum install gcc
Oracle Linux 8 BaseOS Latest (x86_64)
Failed to download metadata for repo 'ol8_baseos_latest'
Error: Failed to download metadata for repo 'ol8_baseos_latest'
Thanks!
Verify that the URL for the repo is reachable. The repo is described in /etc/yum.conf or one of the files in /etc/yum.conf.d/
ASKER
Thanks. In /etc/yum.conf all I see is this:
[main]
gpgcheck=1
installonly_limit=3
clean_requirements_on_remove=True
best=True
proxy=http://proxyIP:80
I don't have a /etc/yum.conf.d/ location.
I did find this entry enabled in /etc/yum.repos.d/oracle-linux-o18.repo, is this what I should check?
[ol8_baseos_latest]
name=Oracle Linux 8 BaseOS Latest ($basearch)
baseurl=https://yum$ociregion.oracle.com/repo/OracleLinux/OL8/baseos/latest/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1
This is the URL to be retrieved....
https://yum$ociregion.oracle.com/repo/OracleLinux/OL8/baseos/latest/$basearch/
where $ociregion depends on configuration (can be empty?)
$basearch is x386, x86_64 etc. etc. whatever architecture is in use.
so try: curl -v https://yum.oracle.com/repo/OracleLinux/OL8/baseos/latest/x86_64/ -x http://proxyIP:80 from that system
possibly specifying the proxy info (check the various --proxy-.... setting for authentication info)
ASKER
Thank you, does it look like it worked? I've replaced our proxy IP with "<IP>".
[root@cne-ora08 yum.repos.d]# curl -v https://yum.oracle.com/repo/OracleLinux/OL8/baseos/latest/x86_64/ -x http://<IP>:80
* Trying <IP>...
* TCP_NODELAY set
* Connected to <IP> (<IP>) port 80 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to yum.oracle.com:443
> CONNECT yum.oracle.com:443 HTTP/1.1
> Host: yum.oracle.com:443
> User-Agent: curl/7.61.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection Established
< Proxy-Agent: Zscaler/6.0
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate in certificate chain
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
* SSL certificate problem: self signed certificate in certificate chain
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
You have a proxy that replaces the certificate. This certificate is not trusted by yum / curl / etc. ==> no trust in the download.
(A proxy that wrecks the original certificate is in effect a Man In The Middle attack on the secured connection (eavesdropping).)
Maybe you can copy the proxy certificate file (.pem) to the /etc/ssl/certs directory, and also create the symlink based on the authorisation hash.
It will work for curl, maybe not for yum.
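Added example (not part of the thread and not any poster's or Oracle's code): a shell triage of a curl -v transcript like the one above, plus the Oracle Linux 8 system trust-store step that both curl and yum/dnf read. SAMPLE_LOG is constructed from the posted output; the function names, the anchor file name and the out-of-band fingerprint argument are assumptions.

```sh
#!/bin/sh
# Constructed sample: key lines from the curl -v transcript posted above.
SAMPLE_LOG='< HTTP/1.1 200 Connection Established
< Proxy-Agent: Zscaler/6.0
* Proxy replied 200 to CONNECT request
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
curl: (60) SSL certificate problem: self signed certificate in certificate chain'

# Classify a "curl -v URL -x PROXY" transcript read from stdin.
classify_curl_log() {
  log=$(cat)
  has() { printf '%s\n' "$log" | grep -Eq "$1"; }
  if has 'curl: \((5|7)\)'; then
    echo proxy_unreachable          # proxy name did not resolve or TCP connect failed
  elif has '^< HTTP/1\.[01] (403|407)'; then
    echo proxy_denied               # proxy refused CONNECT or wants credentials
  elif has 'Proxy replied 200 to CONNECT' && has 'curl: \(60\)'; then
    echo untrusted_chain_via_proxy  # tunnel is up; chain ends in a CA not in the bundle
  elif has 'curl: \([0-9]+\)'; then
    echo other_error
  else
    echo ok
  fi
}

# Chain as seen through the proxy (run on the affected host):
#   openssl s_client -proxy PROXY:80 -connect yum.oracle.com:443 -showcerts </dev/null

# Trust the proxy's inspection CA system-wide, but only if its SHA-256
# fingerprint equals the value obtained out of band from the proxy admins.
# usage (as root): install_proxy_ca <ca.pem> <expected AA:BB:... fingerprint>
install_proxy_ca() {
  actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
  if [ -z "$actual" ] || [ "$actual" != "$2" ]; then
    echo "refusing to trust $1: fingerprint '$actual' does not match" >&2
    return 1
  fi
  # Assumed file name; any .pem under this directory is picked up.
  cp "$1" /etc/pki/ca-trust/source/anchors/proxy-inspection-ca.pem &&
    update-ca-trust extract   # regenerates /etc/pki/tls/certs/ca-bundle.crt
}

printf '%s\n' "$SAMPLE_LOG" | classify_curl_log
```

With gpgcheck=1 left enabled as in the posted repo file, downloaded packages are still checked against the Oracle GPG key whatever certificate the proxy presents.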
The reported problem relates to your proxy running HTTP rather than HTTPS.
Solutions...
1) Simple solution, don't use a proxy.
2) Alternative solution, cover the proxy with a cert, so it runs HTTPS.
This can be a bit tricky, if your proxy only has a LAN address (no public IP).
https://www.experts-exchange.com/questions/29178281/Wildcard-SSL-certs.html provides how I cover LAN (local/private/unroutable) IPs.
Summary: Generate a wildcard cert somewhere, then name your LAN IP to any hostname.foo.com where *.foo.com is covered by your wildcard cert, then just copy the wildcard certs off the public machine (where cert created) onto any LAN machines.
Takes a few minutes to get this working first time, then will work forever with no human intervention.
@david: there is a certificate presented; it is self signed. No "respectable" organisation depends on self-signed certificates.