error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:cert



sume
28-Jul-2014, 13:50
Hi,

I'm new to SUSE and getting the following error when running a zypper search.

The version I'm running is SLES 11 SP3

===error==========
Refreshing service 'susecloud'.
Problem retrieving the repository index file for service 'susecloud':
Download (curl) error for 'http://eu-west-1-ec2-update.susecloud.net/repo/repoindex.xml?cookies=0':
Error code: Unrecognized error
Error message: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Check if the URI is valid and accessible.
Download (curl) error for 'http://eu-west-1-ec2-update.susecloud.net/repo/update/SLE11-SDK-SP3-Pool/sle-11-x86_64/repodata/repomd.xml':
Error code: Unrecognized error
Error message: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

=====================



====info===========

zypper repos
# | Alias | Name | Enabled | Refresh
---+-----------------------------------------+-------------------------------+---------+--------
1 | nVidia-Driver-SLE11-SP3 | nVidia-Driver-SLE11-SP3 | Yes | Yes
2 | susecloud:SLE11-SDK-SP1 | SLE11-SDK-SP1 | No | Yes
3 | susecloud:SLE11-SDK-SP1-Pool | SLE11-SDK-SP1-Pool | No | Yes
4 | susecloud:SLE11-SDK-SP1-Updates | SLE11-SDK-SP1-Updates | No | Yes
5 | susecloud:SLE11-SDK-SP2-Core | SLE11-SDK-SP2-Core | No | Yes
6 | susecloud:SLE11-SDK-SP2-Updates | SLE11-SDK-SP2-Updates | No | Yes
7 | susecloud:SLE11-SDK-SP3-Pool | SLE11-SDK-SP3-Pool | Yes | Yes
8 | susecloud:SLE11-SDK-SP3-Updates | SLE11-SDK-SP3-Updates | Yes | Yes
9 | susecloud:SLE11-SP1-Debuginfo-Pool | SLE11-SP1-Debuginfo-Pool | No | Yes
10 | susecloud:SLE11-SP1-Debuginfo-Updates | SLE11-SP1-Debuginfo-Updates | No | Yes
11 | susecloud:SLE11-SP2-Debuginfo-Core | SLE11-SP2-Debuginfo-Core | No | Yes
12 | susecloud:SLE11-SP2-Debuginfo-Updates | SLE11-SP2-Debuginfo-Updates | No | Yes
13 | susecloud:SLE11-SP2-WebYaST-1.3-Pool | SLE11-SP2-WebYaST-1.3-Pool | No | Yes
14 | susecloud:SLE11-SP2-WebYaST-1.3-Updates | SLE11-SP2-WebYaST-1.3-Updates | No | Yes
15 | susecloud:SLE11-SP3-Debuginfo-Pool | SLE11-SP3-Debuginfo-Pool | No | Yes
16 | susecloud:SLE11-SP3-Debuginfo-Updates | SLE11-SP3-Debuginfo-Updates | No | Yes
17 | susecloud:SLE11-WebYaST-SP1 | SLE11-WebYaST-SP1 | No | Yes
18 | susecloud:SLE11-WebYaST-SP1-Updates | SLE11-WebYaST-SP1-Updates | No | Yes
19 | susecloud:SLE11-WebYaST-SP2-Pool | SLE11-WebYaST-SP2-Pool | No | Yes
20 | susecloud:SLE11-WebYaST-SP2-Updates | SLE11-WebYaST-SP2-Updates | No | Yes
21 | susecloud:SLES11-Extras | SLES11-Extras | Yes | Yes
22 | susecloud:SLES11-SP1 | SLES11-SP1 | No | Yes
23 | susecloud:SLES11-SP1-Pool | SLES11-SP1-Pool | No | Yes
24 | susecloud:SLES11-SP1-Updates | SLES11-SP1-Updates | No | Yes
25 | susecloud:SLES11-SP2-Core | SLES11-SP2-Core | No | Yes
26 | susecloud:SLES11-SP2-Extension-Store | SLES11-SP2-Extension-Store | No | Yes
27 | susecloud:SLES11-SP2-Updates | SLES11-SP2-Updates | No | Yes
28 | susecloud:SLES11-SP3-Extension-Store | SLES11-SP3-Extension-Store | Yes | Yes
29 | susecloud:SLES11-SP3-Pool | SLES11-SP3-Pool | Yes | Yes
30 | susecloud:SLES11-SP3-Updates | SLES11-SP3-Updates | Yes | Yes
================

Your help would be greatly appreciated!!


Many thanks
Sume

ab
28-Jul-2014, 15:17
The heart of the problem is probably that the certificate presented by the
SUSE Cloud server isn't trusted by your system. Interestingly, the root
CA's certificate is expired, though the intermediate certificate is not.
I did not think that was supposed to happen, but perhaps I'm running on
old information.

Steps to explicitly trust a certificate are available in forums, but I do
not know that this will work since the root CA is expired. I'll see what
I can find from the SUSE folks on this. In the meantime, this may be
interesting reading for SSL geeks:

https://forums.opensuse.org/showthread.php/445106-How-to-import-root-CA-into-system-wide-trusted-store

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
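
The condition ab describes above (an expired root CA over a still-valid intermediate) can be confirmed by reading the validity window of every certificate in the chain. The following is an added example, not code from this thread or from SUSE: it walks the DER encoding with the Python standard library and lists the entries that are past notAfter. The chain is constructed sample data (unsigned skeletons with constructed dates; only the root's 2014-07-26 expiry day is taken from a later reply in this thread), and all function names are hypothetical.

```python
from datetime import datetime, timezone

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def parse_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) as an aware datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:  # two-digit year: 50-99 means 19xx, 00-49 means 20xx
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)        # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)      # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)    # [0] version, or serialNumber if absent
    if tag == 0xA0:
        _, _, end = read_tlv(der, end)  # serialNumber follows the version
    for _ in range(2):                  # skip signature algorithm and issuer
        _, _, end = read_tlv(der, end)
    _, pos, _ = read_tlv(der, end)      # validity SEQUENCE
    t1, s1, e1 = read_tlv(der, pos)     # notBefore
    t2, s2, e2 = read_tlv(der, e1)      # notAfter
    return parse_time(t1, der[s1:e1]), parse_time(t2, der[s2:e2])

def expired(chain, at):
    """Names of the certificates in chain whose notAfter lies before `at`."""
    return [name for name, der in chain if validity(der)[1] < at]

# Constructed sample input: unsigned DER skeletons, not real certificates.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length, body < 128 bytes
def skeleton(not_before, not_after):
    times = tlv(0x17, not_before) + tlv(0x17, not_after)
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
           + tlv(0x30, b"") + tlv(0x30, b"") + tlv(0x30, times))
    return tlv(0x30, tlv(0x30, tbs))

SAMPLE_CHAIN = [  # constructed dates; only the root's expiry day is from the thread
    ("server", skeleton(b"140101000000Z", b"150101000000Z")),
    ("intermediate CA", skeleton(b"100101000000Z", b"200101000000Z")),
    ("root CA", skeleton(b"040726000000Z", b"140726000000Z")),
]
```

For a real chain, convert each PEM block with `ssl.PEM_cert_to_DER_cert` and pass the resulting bytes to `validity`; `expired(SAMPLE_CHAIN, datetime(2014, 7, 28, tzinfo=timezone.utc))` returns `['root CA']`.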

ConcreteVitamin
28-Jul-2014, 19:18
I got the exact same error today, be it "zypper refresh" or "zypper install":

Retrieving repository 'SLES11-Extras' metadata [error]
Repository 'SLES11-Extras' is invalid.
[|] Valid metadata not found at specified URL(s)
Please check if the URIs defined for this repository are pointing to a valid repository.
Warning: Disabling repository 'SLES11-Extras' because of the above error.
Retrieving repository 'SLES11-SP3-Extension-Store' metadata [|]
Download (curl) error for 'http://default-ec2-update.susecloud.net/repo/update/SLES11-SP3-Extension-Store/sle-11-x86_64/repodata/repomd.xml':
Error code: Unrecognized error
Error message: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

This error msg seems to be the same for all SLES11-SP3-* repos. This happened on a newly launched EC2 machine. Note that this *did not* happen last week. So I am wondering if there's anything wrong on the server side.

ab
28-Jul-2014, 20:20
Yes, I've reported this to SUSE already. The problem likely started
2014-07-26 when the old root certificate expired before since the service
is explicitly sending out the old one instead of a new one.

Out of curiosity, are these the default repositories being configured by a
SLES box after initial registration, or have you added any other
repositories from the Open Build Service (OBS) for other software? I have
not seen the susecloud.net address used in the past, but of course I do
not look closely when things just work, so thus my question about the
systems' histories.

--
Good luck.


ConcreteVitamin
28-Jul-2014, 21:30
Thanks for looking into this. I only added Apache Ambari repos to /etc/zypper/repo.d, and the repos in the error messages I believe are from initial configuration.

Here's the output of 'zypper lr' on my box:

# | Alias | Name | Enabled | Refresh
---+-----------------------------------------+-------------------------------+---------+--------
1 | Updates-ambari-1.6.1 | ambari-1.6.1 - Updates | Yes | No
2 | ambari-1.x | Ambari 1.x | Yes | No
3 | nVidia-Driver-SLE11-SP3 | nVidia-Driver-SLE11-SP3 | Yes | Yes
4 | susecloud:SLE11-SDK-SP3-Pool | SLE11-SDK-SP3-Pool | Yes | Yes
5 | susecloud:SLE11-SDK-SP3-Updates | SLE11-SDK-SP3-Updates | Yes | Yes
6 | susecloud:SLE11-SP2-WebYaST-1.3-Pool | SLE11-SP2-WebYaST-1.3-Pool | No | Yes
7 | susecloud:SLE11-SP2-WebYaST-1.3-Updates | SLE11-SP2-WebYaST-1.3-Updates | No | Yes
8 | susecloud:SLE11-WebYaST-SP3 | SLE11-WebYaST-SP3 | No | Yes
9 | susecloud:SLE11-WebYaST-SP3-Updates | SLE11-WebYaST-SP3-Updates | No | Yes
10 | susecloud:SLES11-Extras | SLES11-Extras | Yes | Yes
11 | susecloud:SLES11-SP3-Extension-Store | SLES11-SP3-Extension-Store | Yes | Yes
12 | susecloud:SLES11-SP3-Pool | SLES11-SP3-Pool | Yes | Yes
13 | susecloud:SLES11-SP3-Updates | SLES11-SP3-Updates | Yes | Yes

ConcreteVitamin
29-Jul-2014, 00:28
Hi ab,

Again, thanks for looking into this. Is there a short-term workaround? I guess I don't care much about security at the moment, and just want to be able to run "zypper refresh" and "zypper install".

ab
29-Jul-2014, 04:44
Turn back your clock three days?

--
Good luck.


aosthof
29-Jul-2014, 11:56
Hi,

the issue you've experienced should be fixed now - sorry for the inconvenience.


Greetings,
Alex