We have a very similar problem to https://stackoverflow.com/questions/48320850/installing-epel-repository-on-centos-7-breaks-yum-functionality/58177576#58177576. I've seen several pleas for help as I've searched the web for an answer with the most common response being "don't use 'https' but that exposes you to MITM attacks". There has to be a better answer or at least an answer on how to use "https" if that is truly the problem; so, I'm re-asking the question:
We just did a fresh install of CentOS Linux release 7.7.1908 (Core) on a server and like others whenever we attempt sudo yum install epel-release, we break yum. If we remove the epel-release, yum works again. From looking at the files in /etc/yum.repos.d, I see that epel.repo is the only file with an enabled repository that uses https:
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
We actually ran into (what I believe is) a related problem, when we tried to install MongoDB, which also uses "https":
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.0/x86_64/
Here is the epel install:
-bash-4.2$ sudo yum install epel-release
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.sonic.net
* extras: mirror.fileplanet.com
* updates: mirror.fileplanet.com
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-11 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
===================================================================================================================================================================================================================================
Package Arch Version Repository Size
===================================================================================================================================================================================================================================
Installing:
epel-release noarch 7-11 extras 15 k
Transaction Summary
===================================================================================================================================================================================================================================
Install 1 Package
Total download size: 15 k
Installed size: 24 k
Is this ok [y/d/N]: y
Downloading packages:
epel-release-7-11.noarch.rpm | 15 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : epel-release-7-11.noarch 1/1
Verifying : epel-release-7-11.noarch 1/1
Installed:
epel-release.noarch 0:7-11
Complete!
Now if we even just try to run yum list it fails:
-bash-4.2$ yum list
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
One of the configured repositories failed (Unknown),
and yum doesn't have enough cached data to continue. At this point the only
safe thing yum can do is fail. There are a few ways to work "fix" this:
1. Contact the upstream for the repository and get them to fix the problem.
2. Reconfigure the baseurl/etc. for the repository, to point to a working
upstream. This is most often useful if you are using a newer
distribution release than is supported by the repository (and the
packages for the previous distribution release still work).
3. Run the command with the repository temporarily disabled
yum --disablerepo=<repoid> ...
4. Disable the repository permanently, so yum won't use it by default. Yum
will then just ignore the repository until you permanently enable it
again or use --enablerepo for temporary usage:
yum-config-manager --disable <repoid>
or
subscription-manager repos --disable=<repoid>
5. Configure the failing repository to be skipped, if it is unavailable.
Note that yum will try to contact the repo. when it runs most commands,
so will have to try and fail each time (and thus. yum will be be much
slower). If it is a very temporary problem though, this is often a nice
compromise:
yum-config-manager --save --setopt=<repoid>.skip_if_unavailable=true
Cannot retrieve metalink for repository: epel/x86_64. Please verify its path and try again
And here is /etc/yum.repos.d/epel.repo:
-bash-4.2$ cat epel.repo
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch/debug
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-7&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1
[epel-source]
name=Extra Packages for Enterprise Linux 7 - $basearch - Source
#baseurl=http://download.fedoraproject.org/pub/epel/7/SRPMS
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-source-7&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1
So is the problem with the repository we're trying to access or the fact that we are trying to access using the "https" protocol? If the former, how do I find the right repository? If the latter, how do we go about diagnosing the underlying problem? This is a pretty fresh install -- all we've really done is installed autofs and mounted the home directory, installed rvm and created some users and groups.
FWIW, yum check-update doesn't report anything and yum update curl (with or without "--disablerepo=epel") didn't do anything either.
I've been banging my head against this for a day now and need professional help. ;-/
As noted above, we ran into a similar problem while trying to install MongoDB using these instructions: https://docs.mongodb.com/v4.0/tutorial/install-mongodb-on-red-hat/#using-rpm-packages-recommended
We created /etc/yum.repos.d/mongodb-org-4.0.repo with the contents:
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
and then tried to install MongoDB and got a somewhat different error:
-bash-4.2$ sudo vi /etc/yum.repos.d/mongodb-org-4.0.repo
-bash-4.2$ sudo yum install -y mongodb-org
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.keystealth.org
* extras: mirror.fileplanet.com
* updates: mirrors.sonic.net
https://repo.mongodb.org/yum/redhat/7/mongodb-org/4.0/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's Certificate issuer is not recognized."
Trying other mirror.
It was impossible to connect to the CentOS servers.
This could mean a connectivity issue in your environment, such as the requirement to configure a proxy,
or a transparent proxy that tampers with TLS security, or an incorrect system clock.
You can try to solve this issue by using the instructions on https://wiki.centos.org/yum-errors
If above article doesn't help to resolve this issue please use https://bugs.centos.org/.
One of the configured repositories failed (MongoDB Repository),
and yum doesn't have enough cached data to continue. At this point the only
safe thing yum can do is fail. There are a few ways to work "fix" this:
1. Contact the upstream for the repository and get them to fix the problem.
2. Reconfigure the baseurl/etc. for the repository, to point to a working
upstream. This is most often useful if you are using a newer
distribution release than is supported by the repository (and the
packages for the previous distribution release still work).
3. Run the command with the repository temporarily disabled
yum --disablerepo=mongodb-org-4.0 ...
4. Disable the repository permanently, so yum won't use it by default. Yum
will then just ignore the repository until you permanently enable it
again or use --enablerepo for temporary usage:
yum-config-manager --disable mongodb-org-4.0
or
subscription-manager repos --disable=mongodb-org-4.0
5. Configure the failing repository to be skipped, if it is unavailable.
Note that yum will try to contact the repo. when it runs most commands,
so will have to try and fail each time (and thus. yum will be be much
slower). If it is a very temporary problem though, this is often a nice
compromise:
yum-config-manager --save --setopt=mongodb-org-4.0.skip_if_unavailable=true
failure: repodata/repomd.xml from mongodb-org-4.0: [Errno 256] No more mirrors to try.
https://repo.mongodb.org/yum/redhat/7/mongodb-org/4.0/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's Certificate issuer is not recognized.”
However, now after various attempts at fixes, if I try this I get the "(Unknown)" error.
Any guidance on how to diagnose and fix this problem would be greatly appreciated.
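The manual check described in the question (which enabled repositories use https), extended to flag settings that trade away verification, as an added example that is not part of the original post. The [example-weak] repository and its URL are constructed for illustration; sslverify and gpgcheck are standard yum repo options.

```shell
# Added example (not from the original post): list enabled yum repos, whether
# any of their URLs use https, and settings that weaken verification.
audit_repos() {
    local dir="${1:-/etc/yum.repos.d}" f
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            function onoff(v) { v = tolower(v); gsub(/[ \t\r]/, "", v)
                                return (v ~ /^(0|false|no)$/) ? "off" : "on" }
            function report(   warn) {       # emit the section just finished
                if (id != "" && enabled == "on") {
                    if (plain)        warn = warn " PLAINTEXT_URL"
                    if (ssl == "off") warn = warn " SSLVERIFY_OFF"
                    if (gpg == "off") warn = warn " GPGCHECK_OFF"
                    printf "%s %s https=%s%s\n", id, file, (tls ? "yes" : "no"), warn
                }
                id = ""; enabled = "on"; ssl = gpg = "unset"; tls = plain = 0
            }
            BEGIN { report() }
            /^[ \t]*[#;]/ { next }           # comments, e.g. the disabled baseurl lines
            /^[ \t]*\[/   { report(); id = $0; gsub(/^[ \t]*\[|\][ \t\r]*$/, "", id); next }
            {
                eq = index($0, "="); if (!eq) next
                key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
                gsub(/[ \t]/, "", key); gsub(/^[ \t]+/, "", val)
                if (key ~ /^(baseurl|mirrorlist|metalink|gpgkey)$/) {
                    if (val ~ /^https:/) tls = 1
                    if (val ~ /^(http|ftp):/) plain = 1
                }
                if (key == "enabled")   enabled = onoff(val)
                if (key == "sslverify") ssl = onoff(val)
                if (key == "gpgcheck")  gpg = onoff(val)
            }
            END { report() }
        ' "$f"
    done
}

# Constructed sample: [epel] from the post plus a hypothetical weakened repo.
demo_audit() {
    local d; d=$(mktemp -d) || return 1
    printf '%s\n' '[epel]' 'enabled=1' 'gpgcheck=1' \
        'metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch' \
        '[epel-debuginfo]' 'enabled=0' > "$d/epel.repo"
    printf '%s\n' '[example-weak]' 'baseurl=http://repo.example.invalid/el7/' \
        'sslverify=0' 'gpgcheck=0' > "$d/weak.repo"
    audit_repos "$d"; rm -rf "$d"
}
```

Run audit_repos with no argument to read /etc/yum.repos.d. Options a section does not set are inherited from [main] in /etc/yum.conf and are not reported here.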