Leapp Upgrade Fails On Trusted Certificates

Dmitry Donskikh, Feb 12 2023

Hello. When trying to upgrade 7.9 to 8 with Leapp I've faced the following problem halfway:

2023-02-12 19:16:17.460 DEBUG    PID: 110122 leapp.workflow.Download.dnf_package_download: [MIRROR] libcgroup-0.41-19.el8.x86_64.rpm: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://yum.oracle.com/repo/OracleLinux/OL8/baseos/latest/x86_64/getPackage/libcgroup-0.41-19.el8.x86_64.rpm [SSL certificate problem: self signed certificate in certificate chain]
2023-02-12 19:16:17.465 DEBUG    PID: 110122 leapp.workflow.Download.dnf_package_download: [MIRROR] libcgroup-0.41-19.el8.x86_64.rpm: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://yum.oracle.com/repo/OracleLinux/OL8/baseos/latest/x86_64/getPackage/libcgroup-0.41-19.el8.x86_64.rpm [SSL certificate problem: self signed certificate in certificate chain]
2023-02-12 19:16:17.466 DEBUG    PID: 110122 leapp.workflow.Download.dnf_package_download: [MIRROR] efibootmgr-16-1.0.1.el8.x86_64.rpm: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://yum.oracle.com/repo/OracleLinux/OL8/baseos/latest/x86_64/getPackage/efibootmgr-16-1.0.1.el8.x86_64.rpm [SSL certificate problem: self signed certificate in certificate chain]
2023-02-12 19:16:17.468 DEBUG    PID: 110122 leapp.workflow.Download.dnf_package_download: [FAILED] efibootmgr-16-1.0.1.el8.x86_64.rpm: No more mirrors to try - All mirrors were already tried without success

My company uses a firewall; its trusted root-intermediary certificates are installed in the system with update-ca-trust. Yum updates work fine.

So, what causes the problem:

  1. Leapp creates userspace in /var/lib/leapp/el8userspace;
  2. It downloads and installs el8 packages including dnf into userspace;
  3. Then it runs dnf to install dependencies;
  4. dnf knows nothing about local system trusted certificates, and throws an error.

As an ugly workaround I've started the following command in another session:

# while [[ ! -s /var/lib/leapp/el8userspace/etc/dnf/dnf.conf ]] ; do echo -n "." ; sleep 1; done ; sleep 2; echo "sslverify=0" >>/var/lib/leapp/el8userspace/etc/dnf/dnf.conf ; echo "done."

Then I started the leapp upgrade again, and it finished successfully.

But am I missing a proper way to install self-signed certificates / disable validation for dnf?

If not, may I ask for an appropriate enhancement in Leapp?

Cheers, Dmitry Donskikh.
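
An alternative to appending sslverify=0, as an added example that is not part of the original post or of Leapp: copy the host CA bundle into the userspace and point dnf at it with `sslcacert`, so verification stays enabled. The host bundle path, the in-userspace file name and the assumption that dnf resolves `sslcacert` inside the userspace root are assumptions, and this has not been run against Leapp.

```bash
#!/usr/bin/env bash
# Added example (not Leapp's or the poster's code): keep TLS verification on
# inside the Leapp userspace by giving dnf a copy of the host CA bundle.
# Assumptions: the host bundle path, the in-userspace file name, and that dnf
# resolves sslcacert relative to the userspace root it runs in.
HOST_BUNDLE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
USERSPACE=/var/lib/leapp/el8userspace
BUNDLE_IN_USERSPACE=/etc/pki/tls/certs/host-ca-bundle.pem  # hypothetical name

trust_host_cas() {
    local root="${1:-$USERSPACE}" bundle="${2:-$HOST_BUNDLE}"
    local conf="$root/etc/dnf/dnf.conf" dest="$root$BUNDLE_IN_USERSPACE"

    # Refuse to act until the userspace and a usable PEM bundle both exist.
    [ -s "$conf" ] || { echo "no dnf.conf under $root yet" >&2; return 1; }
    grep -q '^\[main\]' "$conf" || { echo "no [main] in $conf" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$bundle" 2>/dev/null \
        || { echo "$bundle is not a PEM bundle" >&2; return 1; }

    # The bundle must live at a path that is visible inside the userspace.
    mkdir -p "$(dirname "$dest")" && cp "$bundle" "$dest" || return 1

    # Drop earlier sslverify/sslcacert lines (including a stray sslverify=0),
    # then set both options directly under [main]; re-running is idempotent.
    awk -v ca="$BUNDLE_IN_USERSPACE" '
        /^[ \t]*(sslverify|sslcacert)[ \t]*=/ { next }
        { print }
        /^\[main\]/ { print "sslverify=1"; print "sslcacert=" ca }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}
```

Called in place of the `echo "sslverify=0"` step in the wait loop above, it leaves certificate checking on against the CA chain already installed on the host.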
