30

I have added virtio-win.repo according to this guide. The content of /etc/yum.repo.d/virtio-win.repo is now

[virtio-win-stable]
name=virtio-win builds roughly matching what was shipped in latest RHEL
baseurl=http://fedorapeople.org/groups/virt/virtio-win/repo/stable
enabled=1
skip_if_unavailable=1
gpgcheck=0

[virtio-win-latest] [virtio-win-source]

The last two [] have similar options as the first (which are not my problem). Now, when I run yum makecache, I get this error

http://fedorapeople.org/groups/virt/virtio-win/repo/stable/repodata/repomd.xml: [Errno 14] problem making ssl connection

I tried running wget http://fedorapeople.org/groups/virt/virtio-win/repo/stable/repodata/repomd.xml manually, but it recommends that I add --no-check-certificate to wget, which will solve the problem.

I want to know how I can add that option in /etc/yum.repo.d/virtio-win.repo.

mahmood
  • 1,365

5 Answers

51

For one repo you can add the following in the repo configuration:

sslverify=0

For all repos, you can add the following to "/etc/yum.conf":

sslverify=false
10

On CentOS 7.5, running this worked:

yum-config-manager --save --setopt=<REPONAME>.sslverify=false
Mike
  • 201
4

The SSL check is there for a reason. It is really dangerous to disable the SSL certificate check. I prefer this approach: one of my customers' environments is not set up properly, where the SSL certificate of the proxy server signs every SSL cert of every site. To verify that this is the problem, I run

curl https://www.google.com

It fails, so get the certificate with one command using openssl-client

openssl s_client -showcerts -servername www.google.com -connect www.google.com:443 > cacert.pem

The big file has the server cert in the middle; copy it and save it to a new file, which we will call mycert.pem. The cert starts with Begin Certificate and ends with End of Certificate.

Let's test it to verify

curl https://www.google.com --cacert mycert.pem

If it works, then the problem is resolved. All we need to do is add it to the repository that curl uses as its trusted repository. To get the location of the certificates, do the following

strace curl https://www.google.com |& grep open

Lots of output, but right near the end I see: open("/etc/ssl/certs/578d5c04.0", O_RDONLY) = 4

Which is where my certificates are stored. Then simply append the file obtained earlier.

echo "# Added by me, the client's certificate" >> /etc/pki/tls/certs/ca-bundle.crt
cat mycert.pem >> /etc/pki/tls/certs/ca-bundle.crt

Then test again with curl, now without the certificate as an option

curl https://www.google.com

It should get the certificate.
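
A scripted version of the extract-and-inspect steps in the answer above, as an added example that is not part of the original answer: it splits `openssl s_client -showcerts` output into one file per certificate and prints each certificate's subject, issuer and SHA-256 fingerprint so the one being trusted can be checked first. The function names and the sample output are constructed for illustration.

```bash
# Added example (not from the original answers). Function names are hypothetical.
# Constructed sample of `openssl s_client -showcerts` output; the base64 bodies
# are placeholders, not real certificates.
sample_s_client_output() {
cat <<'EOF'
CONNECTED(00000003)
Certificate chain
 0 s:CN = www.example.test
   i:CN = Example Proxy CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
 1 s:CN = Example Proxy CA
   i:CN = Example Proxy CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0E=
-----END CERTIFICATE-----
---
EOF
}

# Read s_client-style text on stdin, write cert-1.pem, cert-2.pem, ... into
# directory $1, and print the number of certificates found.
split_certs() {
    mkdir -p "$1"
    awk -v dir="$1" '
        /^-----BEGIN CERTIFICATE-----/ { n++; file = dir "/cert-" n ".pem"; inside = 1 }
        inside                         { print > file }
        /^-----END CERTIFICATE-----/   { inside = 0; close(file) }
        END                            { print n + 0 }'
}

# Print subject, issuer, SHA-256 fingerprint and expiry of each split file.
describe_certs() {
    for f in "$1"/cert-*.pem; do
        [ -e "$f" ] || continue
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer -fingerprint -sha256 -enddate
    done
}

# Fetch the chain presented for host $1 on port 443 into directory $2.
# </dev/null makes s_client exit after the handshake instead of waiting on stdin.
fetch_chain() {
    openssl s_client -showcerts -servername "$1" -connect "$1:443" </dev/null 2>/dev/null |
        split_certs "$2"
}
# By hand: fetch_chain www.google.com ./chain && describe_certs ./chain
```

Once a fingerprint has been confirmed with whoever operates the proxy, yum can be pointed at that one file for the affected repo with sslverify=1 and sslcacert=<path to the file>, which keeps verification on.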

2

This works for me:

yum --setopt=sslverify=false install ca-certificates
1

On CentOS 6, you need to update nss

yum update nss

The error "... [Errno 14] problem making ssl connection" no longer occurs

Michael
  • 11