Nethserver 7 - Yum update function no longer works

I wanted to import the following updates that I have already reported several times:

nethserver-pulledpork noarch 2.1.8-1.ns7 nethserver-updates 25 k

I usually carry out updates via the command line, this time again. This worked on two servers, not on two more. The servers are similarly configured with regard to repos.

yum update
Loaded plugins: auto-update-debuginfo, changelog, fastestmirror, nethserver_events, versionlock
Loading mirror speeds from cached hostfile

http://mirror.nethserver.org/nethserver/7.9.2009/nethforge/x86_64/repodata/repomd.xml: [Errno 14] HTTPS Error 302 - Found
Trying other mirror.
http://mirror.nethserver.org/nethserver/7.9.2009/base/x86_64/repodata/repomd.xml: [Errno 14] HTTPS Error 302 - Found
Trying other mirror.
http://mirror.nethserver.org/nethserver/7.9.2009/updates/x86_64/repodata/repomd.xml: [Errno 14] HTTPS Error 302 - Found
Trying other mirror.
https://stephdl.familybrown.org/7/repodata/repomd.xml: [Errno 14] curl#60 - “Issuer certificate is invalid.”
Trying other mirror.
http://mirror.de-labrusse.fr/NethServer/7/repodata/repomd.xml: [Errno 14] HTTPS Error 302 - Found
Trying other mirror.
http://mirror.framassa.org/stephdl/NethServer/7/repodata/repomd.xml: [Errno 14] HTTPS Error 302 - Found
Trying other mirror.
https://mirrors.sys42.eu/nethserver-stephdl/7/repodata/repomd.xml: [Errno 14] curl#60 - “Issuer certificate is invalid.”
Trying other mirror.
https://stephdl.fly2net.it/7/repodata/repomd.xml: [Errno 14] curl#6 - “Could not resolve host: stephdl.fly2net.it; Unknown error”
Trying other mirror.
https://nethesis-mirror.nokken.co.uk/stephdl/7/repodata/repomd.xml: [Errno 14] curl#6 - “Could not resolve host: nethesis-mirror.nokken.co.uk; Unknown error”
Trying other mirror.
http://stephdl.mrmarkuz.dynu.net/7/repodata/repomd.xml: [Errno 14] HTTPS Error 302 - Found
Trying other mirror.
http://stephdl.dargels.de/7/repodata/repomd.xml: [Errno 14] HTTPS Error 302 - Found
Trying other mirror.
https://stephdl.klinknetz.de/7/repodata/repomd.xml: [Errno 14] curl#60 - “Issuer certificate is invalid.”
Trying other mirror.
https://repos.sparkrack.com/mirror-stephdl/7/repodata/repomd.xml: [Errno 14] curl#60 - “Issuer certificate is invalid.”
Trying other mirror.
Excluding 1 update due to versionlock (use “yum versionlock status” to show it)
Resolving Dependencies
--> Running transaction check
---> Package nethserver-pulledpork.noarch 0:2.1.7-1.ns7 will be updated
---> Package nethserver-pulledpork.noarch 0:2.1.8-1.ns7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=========================================================================================================
Package Arch Version Repository Size

Updating:
nethserver-pulledpork noarch 2.1.8-1.ns7 nethserver-updates 25 k

Transaction Summary

Upgrade 1 Package

Total download size: 25 k
Is this ok [y/d/N]: y

Downloading packages:
No Presto metadata available for nethserver-updates
nethserver-pulledpork-2.1.8-1. FAILED
http://mirror.nethserver.org/nethserver/7.9.2009/updates/x86_64/Packages/nethserver-pulledpork-2.1.8-1.ns7.noarch.rpm: [Errno 14] HTTPS Error 302 - Found
Trying other mirror.

Error downloading packages:
nethserver-pulledpork-2.1.8-1.ns7.noarch: [Errno 256] No more mirrors to try.

Compared to the other servers, I found nothing noticeable in the configuration or the DNS resolution, except that some host names were resolved differently.

There is also no proxy that would interfere (in this direction). The time setting was also correct. So far there have never been any problems with updates - except if an updated package caused problems itself. And I am surprised that this happens on two servers at the same time (different places).

sudo yum clean all

made everything worse.

Now I get:

yum update
Loaded plugins: auto-update-debuginfo, changelog, fastestmirror, nethserver_events, versionlock
Loading mirror speeds from cached hostfile
Could not retrieve mirrorlist http://mirrorlist.nethserver.org/?release=7&repo=ce-base&arch=x86_64&nsrelease=7.9.2009 error was
14: HTTPS Error 302 - Found

One of the configured repositories failed (Unknown),
and yum doesn’t have enough cached data to continue. At this point the only
safe thing yum can do is fail. There are a few ways to work “fix” this:

 1. Contact the upstream for the repository and get them to fix the problem.

 2. Reconfigure the baseurl/etc. for the repository, to point to a working
    upstream. This is most often useful if you are using a newer
    distribution release than is supported by the repository (and the
    packages for the previous distribution release still work).

 3. Run the command with the repository temporarily disabled
        yum --disablerepo=<repoid> ...

 4. Disable the repository permanently, so yum won't use it by default. Yum
    will then just ignore the repository until you permanently enable it
    again or use --enablerepo for temporary usage:

        yum-config-manager --disable <repoid>
    or
        subscription-manager repos --disable=<repoid>

 5. Configure the failing repository to be skipped, if it is unavailable.
    Note that yum will try to contact the repo. when it runs most commands,
    so will have to try and fail each time (and thus. yum will be be much
    slower). If it is a very temporary problem though, this is often a nice
    compromise:

        yum-config-manager --save --setopt=<repoid>.skip_if_unavailable=true

Cannot find a valid baseurl for repo: ce-base/7/x86_64
[root@udisrv colombe]# host mirrorlist.nethserver.org
mirrorlist.nethserver.org is an alias for packages.nethserver.org.
packages.nethserver.org has address 159.89.233.254

What can be the reason for the problem and how can I fix it? I haven’t adjusted anything about the repository configuration.

I would take this as an occasion for an early Neth8 upgrade, but of course the upgrading tool is also missing.

Everything else works perfectly.

Regards Yummiweb

Any Firewall / IPS / Fail2Ban related blockage?



Other unrelated mirrors


rpm -q ca-certificates

Edit /etc/yum.repos.d/NethServer.repo, and uncomment (remove # starting line character) from all baseurl=

Do yum clean all --enablerepo=\* && yum makecache and try update again.


^ Just noticed it but probably unrelated to the original topic.


Thank you for your feedback.

I can exclude a firewall configuration as the cause. I do not use it on the NethServer and I disconnected the external one(s) - that made no difference.

The output of

rpm -q ca-certificates

is:

ca-certificates-2023.2.60_v7.0.306-72.el7_9.noarch

The file:

/etc/yum.repos.d/nethserver.repo

Looks exactly the same as on another server that does not cause these problems.

But I still try and escape all lines with “From all baseurl =”

yum clean all --enablerepo=\* && yum makecache

Result:

Loaded plugins: auto-update-debuginfo, changelog, fastestmirror, nethserver_events, versionlock
Cleaning repos: C7.0.1406-base C7.0.1406-centosplus C7.0.1406-extras C7.0.1406-fasttrack C7.0.1406-updates
: C7.1.1503-base C7.1.1503-centosplus C7.1.1503-extras C7.1.1503-fasttrack C7.1.1503-updates
: C7.2.1511-base C7.2.1511-centosplus C7.2.1511-extras C7.2.1511-fasttrack C7.2.1511-updates
: C7.3.1611-base C7.3.1611-centosplus C7.3.1611-extras C7.3.1611-fasttrack C7.3.1611-updates
: C7.4.1708-base C7.4.1708-centosplus C7.4.1708-extras C7.4.1708-fasttrack C7.4.1708-updates
: C7.5.1804-base C7.5.1804-centosplus C7.5.1804-extras C7.5.1804-fasttrack C7.5.1804-updates
: C7.6.1810-base C7.6.1810-centosplus C7.6.1810-extras C7.6.1810-fasttrack C7.6.1810-updates
: C7.7.1908-base C7.7.1908-centosplus C7.7.1908-extras C7.7.1908-fasttrack C7.7.1908-updates
: C7.8.2003-base C7.8.2003-centosplus C7.8.2003-extras C7.8.2003-fasttrack C7.8.2003-updates
: C7.9.2009-base C7.9.2009-centosplus C7.9.2009-extras C7.9.2009-fasttrack C7.9.2009-updates base
: base-debuginfo base-source c7-media ce-base ce-extras ce-sclo-rh ce-sclo-sclo ce-updates
: centos-kernel centos-kernel-experimental centos-sclo-rh centos-sclo-rh-debuginfo
: centos-sclo-rh-source centos-sclo-rh-testing centos-sclo-sclo centos-sclo-sclo-debuginfo
: centos-sclo-sclo-source centos-sclo-sclo-testing centosplus centosplus-source cr epel
: epel-debuginfo epel-source epel-testing epel-testing-debuginfo epel-testing-source extras
: extras-source fasttrack mrmarkuz nethforge nethforge-testing nethserver-base nethserver-testing
: nethserver-updates sb-base sb-centos-sclo-rh sb-centos-sclo-sclo sb-epel sb-extras
: sb-nethserver-base sb-nethserver-updates sb-updates stephdl stephdl-dolibarr
: stephdl-roundcubemail updates updates-source
Cleaning up list of fastest mirrors
Loaded plugins: auto-update-debuginfo, changelog, fastestmirror, nethserver_events, versionlock
Determining fastest mirrors
Could not retrieve mirrorlist http://mirrorlist.nethserver.org/?release=7&repo=ce-base&arch=x86_64&nsrelease=7.9.2009 error was
14: HTTPS Error 302 - Found
Could not retrieve mirrorlist http://mirrorlist.nethserver.org/?release=7&repo=ce-extras&arch=x86_64&nsrelease=7.9.2009 error was
14: HTTPS Error 302 - Found
Could not retrieve mirrorlist http://mirrorlist.nethserver.org/?release=7&repo=ce-sclo-rh&arch=x86_64&nsrelease=7.9.2009 error was
14: HTTPS Error 302 - Found
Could not retrieve mirrorlist http://mirrorlist.nethserver.org/?release=7&repo=ce-sclo-sclo&arch=x86_64&nsrelease=7.9.2009 error was
14: HTTPS Error 302 - Found
Could not retrieve mirrorlist http://mirrorlist.nethserver.org/?release=7&repo=ce-updates&arch=x86_64&nsrelease=7.9.2009 error was
14: HTTPS Error 302 - Found
Could not retrieve mirrorlist http://mirrorlist.nethserver.org/?release=7&repo=nethforge&arch=x86_64&nsrelease=7.9.2009 error was
14: HTTPS Error 302 - Found

One of the configured repositories failed (Unknown),
and yum doesn’t have enough cached data to continue. At this point the only
safe thing yum can do is fail. There are a few ways to work “fix” this:

 1. Contact the upstream for the repository and get them to fix the problem.

 2. Reconfigure the baseurl/etc. for the repository, to point to a working
    upstream. This is most often useful if you are using a newer
    distribution release than is supported by the repository (and the
    packages for the previous distribution release still work).

 3. Run the command with the repository temporarily disabled
        yum --disablerepo=<repoid> ...

 4. Disable the repository permanently, so yum won't use it by default. Yum
    will then just ignore the repository until you permanently enable it
    again or use --enablerepo for temporary usage:

        yum-config-manager --disable <repoid>
    or
        subscription-manager repos --disable=<repoid>

 5. Configure the failing repository to be skipped, if it is unavailable.
    Note that yum will try to contact the repo. when it runs most commands,
    so will have to try and fail each time (and thus. yum will be be much
    slower). If it is a very temporary problem though, this is often a nice
    compromise:

        yum-config-manager --save --setopt=<repoid>.skip_if_unavailable=true

Cannot find a valid baseurl for repo: nethforge/7/x86_64

And of course “yum update” is not better.

I’m really a bit perplexed. The servers do not actually differ in basic configuration. And yet the updates only work on two of four.

The update itself is still offered on all four by e-mail notification, but the update itself only went through on two (or three?). In any case, the search fails on two. And on one it looks as just described.

There are also no more DNS or threat filters on the NethServer, which I deactivated many weeks ago.

At the moment I can no longer present this in concrete terms, but when I first examined the problem, I noticed that the hosts were resolved to different IPs.

The apparent locations (external IPV4) are shown to me as follows:

curl ipinfo.io

Update works:

“city”: “Osnabrück”,
“region”: “Lower Saxony”,
“country”: “DE”,
“loc”: “52.2726,8.0498”,
“org”: “AS6805 Telefonica Germany GmbH & Co.OHG”,

Update works:

“city”: “Forst”,
“region”: “Baden-Wurttemberg”,
“country”: “DE”,
“loc”: “49.1586,8.5808”,
“org”: “AS15987 Portunity GmbH”,

Updates do not work:

Here I wanted to determine the output of curl ipinfo.io from the two problematic servers.
It turns out that an Nginx reverse proxy has its fingers in the pie here:

<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.21.3</center>
</body>
</html>

It is not entirely clear to me why the upstream Nginx (which takes care of the certificates for web applications and SOGo) interferes in this direction, but I can do more with that than with repository problems.

I am curious how it ends. Regards, Yummiweb

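The diagnosis reached in the last post can be checked directly against the repository URLs. The sketch below is an added example, not code from any poster or from NethServer: it classifies the response head that `curl -sI` prints, so a 302 issued by an intermediary can be told apart from the mirror's own answer. The function names and the `portal.example.invalid` host are assumptions, and the sample response is constructed.

```sh
#!/bin/sh
# Added example. classify_head and check_repo_url are hypothetical helper names.

# classify_head HOST
# Reads an HTTP response head (what `curl -sI URL` prints) on stdin and prints
# "VERDICT STATUS SERVER LOCATION_HOST"; "-" marks a header that was absent.
classify_head() {
    awk -v want="$1" '
    BEGIN { status = "-"; server = "-"; lochost = "-" }
    { sub(/\r$/, "") }                          # header lines end in CRLF
    NR == 1 && /^HTTP\// { status = $2; next }
    tolower($1) == "server:"   { server = $2 }
    tolower($1) == "location:" {
        lochost = $2
        sub(/^[A-Za-z]+:\/\//, "", lochost)     # drop the scheme
        sub(/[\/:?].*$/, "", lochost)           # drop port, path and query
        if (lochost == "") lochost = want       # relative redirect: same host
    }
    END {
        if (status ~ /^2/)        verdict = "ok"
        else if (status !~ /^3/)  verdict = "error"
        else if (lochost == "-")  verdict = "redirect-no-location"
        else if (tolower(lochost) == tolower(want)) verdict = "redirect-same-host"
        else                      verdict = "redirect-other-host"
        print verdict, status, server, lochost
    }'
}

# check_repo_url URL: live variant, needs network access and curl.
check_repo_url() {
    host=$(printf '%s\n' "$1" | sed -e 's|^[A-Za-z]*://||' -e 's|[/:?].*$||')
    curl -sI --max-time 10 "$1" | classify_head "$host"
}

# Constructed sample: a 302 from an intermediary instead of the mirror's answer.
sample_intercepted() {
    printf 'HTTP/1.1 302 Found\r\nServer: nginx/1.21.3\r\n'
    printf 'Location: https://portal.example.invalid/login\r\n\r\n'
}

sample_intercepted | classify_head mirror.nethserver.org
```

Running `check_repo_url` with the same mirrorlist URL on a working and a failing server and comparing the two output lines shows whether the status, `Server` header or redirect target differs between them.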