在 CentOS 上使用 https 安装 repos 会破坏 yum

在 CentOS 上使用 https 安装 repos 会破坏 yum

我们有一个非常类似的问题https://stackoverflow.com/questions/48320850/installing-epel-repository-on-centos-7-breaks-yum- functionality/58177576#58177576。我在网上搜索答案时,看到过很多求助请求,最常见的回答是“不要使用‘https’,但这会让你遭受 MITM 攻击”。如果这真的是问题所在,那么一定有一个更好的答案,或者至少有一个关于如何使用“https”的答案;所以,我重新问这个问题:

我们刚刚在服务器上全新安装了 CentOS Linux 版本 7.7.1908 (Core),和其他人一样,每当我们尝试时sudo yum install epel-release,yum 都会被破坏。如果我们删除 epel-release,yum 就会再次工作。通过查看 /etc/yum.repos.d 中的文件,我发现 epel.repo 是唯一一个启用了使用 https 的存储库的文件:

metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch

当我们尝试安装也使用“https”的 MonogDB 时,我们实际上遇到了(我相信是)一个相关的问题:

baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.0/x86_64/

这是 EPEL 安装:

-bash-4.2$ sudo yum install epel-release
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.sonic.net
 * extras: mirror.fileplanet.com
 * updates: mirror.fileplanet.com
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-11 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================================================================================================================
 Package                                                     Arch                                                  Version                                             Repository                                             Size
===================================================================================================================================================================================================================================
Installing:
 epel-release                                                noarch                                                7-11                                                extras                                                 15 k

Transaction Summary
===================================================================================================================================================================================================================================
Install  1 Package

Total download size: 15 k
Installed size: 24 k
Is this ok [y/d/N]: y
Downloading packages:
epel-release-7-11.noarch.rpm                                                                                                                                                                                |  15 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : epel-release-7-11.noarch                                                                                                                                                                                        1/1 
  Verifying  : epel-release-7-11.noarch                                                                                                                                                                                        1/1 

Installed:
  epel-release.noarch 0:7-11                                                                                                                                                                                                       

Complete!

现在如果我们尝试运行yum list它就会失败:

-bash-4.2$ yum list
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile


 One of the configured repositories failed (Unknown),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Run the command with the repository temporarily disabled
            yum --disablerepo=<repoid> ...

     4. Disable the repository permanently, so yum won't use it by default. Yum
        will then just ignore the repository until you permanently enable it
        again or use --enablerepo for temporary usage:

            yum-config-manager --disable <repoid>
        or
            subscription-manager repos --disable=<repoid>

     5. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=<repoid>.skip_if_unavailable=true

Cannot retrieve metalink for repository: epel/x86_64. Please verify its path and try again

这是 /etc/yum.repos.d/epel.repo:

-bash-4.2$ cat epel.repo
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch/debug
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-7&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1

[epel-source]
name=Extra Packages for Enterprise Linux 7 - $basearch - Source
#baseurl=http://download.fedoraproject.org/pub/epel/7/SRPMS
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-source-7&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1

那么,问题出在我们尝试访问的存储库上,还是我们尝试使用“https”协议进行访问?如果是前者,我该如何找到正确的存储库?如果是后者,我们该如何诊断潜在问题?这是一个非常新的安装 - 我们实际上所做的只是安装autofs和挂载主目录,安装rvm和创建一些用户和组。

仅供参考,yum check-update没有报告任何内容并且yum update curl(有或没有“--disablerepo=epel”)也没有做任何事情。

我已经为此绞尽脑汁一天了,需要专业人士的帮助。;-/

如上所述,我们在尝试使用以下说明安装 MongoDB 时遇到了类似的问题:https://docs.mongodb.com/v4.0/tutorial/install-mongodb-on-red-hat/#using-rpm-packages-recommended

我们创作的/etc/yum.repos.d/mongodb-org-4.0.repo内容如下:

[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc

然后尝试安装 MongoDB 并收到略有不同的错误:

-bash-4.2$ sudo vi /etc/yum.repos.d/mongodb-org-4.0.repo
-bash-4.2$ sudo yum install -y mongodb-org
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.keystealth.org
 * extras: mirror.fileplanet.com
 * updates: mirrors.sonic.net
https://repo.mongodb.org/yum/redhat/7/mongodb-org/4.0/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's Certificate issuer is not recognized."
Trying other mirror.
It was impossible to connect to the CentOS servers.
This could mean a connectivity issue in your environment, such as the requirement to configure a proxy,
or a transparent proxy that tampers with TLS security, or an incorrect system clock.
You can try to solve this issue by using the instructions on https://wiki.centos.org/yum-errors
If above article doesn't help to resolve this issue please use https://bugs.centos.org/.



 One of the configured repositories failed (MongoDB Repository),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Run the command with the repository temporarily disabled
            yum --disablerepo=mongodb-org-4.0 ...

     4. Disable the repository permanently, so yum won't use it by default. Yum
        will then just ignore the repository until you permanently enable it
        again or use --enablerepo for temporary usage:

            yum-config-manager --disable mongodb-org-4.0
        or
            subscription-manager repos --disable=mongodb-org-4.0

     5. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=mongodb-org-4.0.skip_if_unavailable=true

failure: repodata/repomd.xml from mongodb-org-4.0: [Errno 256] No more mirrors to try.
https://repo.mongodb.org/yum/redhat/7/mongodb-org/4.0/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's Certificate issuer is not recognized.”

但是,现在经过多次尝试修复后,如果我尝试这样做,我会收到“(未知)”错误。

如能提供关于如何诊断和解决该问题的任何指导,我们将不胜感激。

相关内容