I have been trying to build something with Leap 15.3. During this process I have been getting the following error for the past couple days. Is there something wrong in the repository? It is always this specific RPM out of the hundreds used that fails. (I'm not sure this is a factory or some other list's interest. Sorry if I have posted to the wrong place. If so, where is a better pace to post this kind of question?) DEBUG: 16:21:46 | system: Retrieving package libexiv2-27-0.27.3-lp153.151.1.x86_64 (28/1737), 745.7 KiB ( 2.8 MiB unpacked) DEBUG: 16:21:46 | system: Retrieving: libexiv2-27-0.27.3-lp153.151.1.x86_64.rpm [.error (397 B/s)] DEBUG: 16:21:46 | system: Abort, retry, ignore? [a/r/i/...? shows all options] (a): a ERROR: 16:21:46 | KiwiInstallPhaseFailed: System package installation failed: Download (curl) error for 'http://download.opensuse.org/repositories/graphics/openSUSE_Leap_15.3/x86_64... 4.rpm': Error code: Curl error 60 Error message: SSL certificate problem: self signed certificate in certificate chain Problem occurred during or after installation or removal of packages: Installation has been aborted as directed. Please see the above error message for a hint. -- Roger Oberholtzer
On Wed, May 26, 2021 at 4:26 PM Roger Oberholtzer <roger.oberholtzer@gmail.com> wrote:
DEBUG: 16:21:46 | system: Retrieving package libexiv2-27-0.27.3-lp153.151.1.x86_64 (28/1737), 745.7 KiB ( 2.8 MiB unpacked) failed: Download (curl) error for 'http://download.opensuse.org/repositories/graphics/openSUSE_Leap_15.3/x86_64... Error code: Curl error 60 Error message: SSL certificate problem: self signed certificate in certificate chain
download.opensuse.org is just a bouncer to the mirror locations of the actual download bits as the servers sometimes on the era of ssl/tls tend to forget to renew or to apply proper ssl certificates you get these results i guess. turn on verbosity or turn up a few levels and see what server mirror location actually the curl complains about zypper used to have verbosity levels as well that shows these technical levels of stuff happening.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wednesday, 2021-05-26 at 17:41 +0200, cagsm wrote:
On Wed, May 26, 2021 at 4:26 PM Roger Oberholtzer <> wrote:
DEBUG: 16:21:46 | system: Retrieving package libexiv2-27-0.27.3-lp153.151.1.x86_64 (28/1737), 745.7 KiB ( 2.8 MiB unpacked) failed: Download (curl) error for 'http://download.opensuse.org/repositories/graphics/openSUSE_Leap_15.3/x86_64... Error code: Curl error 60 Error message: SSL certificate problem: self signed certificate in certificate chain
download.opensuse.org is just a bouncer to the mirror locations of the actual download bits as the servers sometimes on the era of ssl/tls tend to forget to renew or to apply proper ssl certificates you get these results i guess. turn on verbosity or turn up a few levels and see what server mirror location actually the curl complains about
zypper used to have verbosity levels as well that shows these technical levels of stuff happening.
The thing is, the download+zypper system is http only, https is not supported. So, it using SSL/TLS is an error in itself. I think you (Roger) have to open a ticket. - -- Cheers, Carlos E. R. (from openSUSE 15.2 x86_64 at Telcontar) -----BEGIN PGP SIGNATURE----- iHoEARECADoWIQQZEb51mJKK1KpcU/W1MxgcbY1H1QUCYK6LShwccm9iaW4ubGlz dGFzQHRlbGVmb25pY2EubmV0AAoJELUzGBxtjUfVSOQAnipJua7bvvMNAUAG4aP3 jKK/GYV1AJ4nOenUDXCFI2NuBwNQrh94JoS69A== =nRAF -----END PGP SIGNATURE-----
On Wed, May 26, 2021 at 7:54 PM Carlos E. R. <robin.listas@telefonica.net> wrote:
The thing is, the download+zypper system is http only, https is not supported. So, it using SSL/TLS is an error in itself.
huh? why? clearly the download. server is being offered as http as we as https as the main entry point/mirrorbrain bouncer and even the mirror targets holding actual bits are being advertised as https on the .mirrorlist meta pages of the objects see e.g.
http://download.opensuse.org/repositories/graphics/openSUSE_Leap_15.3/x86_64... https://download.opensuse.org/repositories/graphics/openSUSE_Leap_15.3/x86_6...
and the results these two links produce.
On 26/05/2021 21.04, cagsm wrote:
On Wed, May 26, 2021 at 7:54 PM Carlos E. R. <> wrote:
The thing is, the download+zypper system is http only, https is not supported. So, it using SSL/TLS is an error in itself.
huh? why? clearly the download. server is being offered as http as we as https as the main entry point/mirrorbrain bouncer
and even the mirror targets holding actual bits are being advertised as https on the .mirrorlist meta pages of the objects see e.g.
http://download.opensuse.org/repositories/graphics/openSUSE_Leap_15.3/x86_64... https://download.opensuse.org/repositories/graphics/openSUSE_Leap_15.3/x86_6...
and the results these two links produce.
Nevertheless, it is an error and can not work: Archived-At: <https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/message/HV3PJPFGERRNZLQYHOAKBK567RTQQ7BY/> If you want the explanation, you should ask the admins, I only know that it is so. -- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)
On 26.05.2021 22:04, cagsm wrote:
On Wed, May 26, 2021 at 7:54 PM Carlos E. R. <robin.listas@telefonica.net> wrote:
The thing is, the download+zypper system is http only, https is not supported. So, it using SSL/TLS is an error in itself.
huh? why? clearly the download. server is being offered as http as we as https as the main entry point/mirrorbrain bouncer
mirrorbrain may redirect https to http (actually it happens almost every time, there are just a couple of mirrors listed with https) which is rejected by libcurl as "security downgrade".
and even the mirror targets holding actual bits are being advertised as https on the .mirrorlist meta pages of the objects see e.g.
http://download.opensuse.org/repositories/graphics/openSUSE_Leap_15.3/x86_64... https://download.opensuse.org/repositories/graphics/openSUSE_Leap_15.3/x86_6...
and the results these two links produce.
I'm using kiwi, who is actually calling zypper. The repositories are defines as: obs://graphics/openSUSE_Leap_15.3 It has always been this way. So either kiwi has changed something, or the repo/mirror has an issue. It is only this repo. So I suspect the later. On Wed, May 26, 2021 at 7:54 PM Carlos E. R. <robin.listas@telefonica.net> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Wednesday, 2021-05-26 at 17:41 +0200, cagsm wrote:
On Wed, May 26, 2021 at 4:26 PM Roger Oberholtzer <> wrote:
DEBUG: 16:21:46 | system: Retrieving package libexiv2-27-0.27.3-lp153.151.1.x86_64 (28/1737), 745.7 KiB ( 2.8 MiB unpacked) failed: Download (curl) error for 'http://download.opensuse.org/repositories/graphics/openSUSE_Leap_15.3/x86_64... Error code: Curl error 60 Error message: SSL certificate problem: self signed certificate in certificate chain
download.opensuse.org is just a bouncer to the mirror locations of the actual download bits as the servers sometimes on the era of ssl/tls tend to forget to renew or to apply proper ssl certificates you get these results i guess. turn on verbosity or turn up a few levels and see what server mirror location actually the curl complains about
zypper used to have verbosity levels as well that shows these technical levels of stuff happening.
The thing is, the download+zypper system is http only, https is not supported.
So, it using SSL/TLS is an error in itself.
I think you (Roger) have to open a ticket.
- -- Cheers, Carlos E. R. (from openSUSE 15.2 x86_64 at Telcontar)
-----BEGIN PGP SIGNATURE-----
iHoEARECADoWIQQZEb51mJKK1KpcU/W1MxgcbY1H1QUCYK6LShwccm9iaW4ubGlz dGFzQHRlbGVmb25pY2EubmV0AAoJELUzGBxtjUfVSOQAnipJua7bvvMNAUAG4aP3 jKK/GYV1AJ4nOenUDXCFI2NuBwNQrh94JoS69A== =nRAF -----END PGP SIGNATURE-----
-- Roger Oberholtzer
Roger Oberholtzer wrote:
I have been trying to build something with Leap 15.3. During this process I have been getting the following error for the past couple days. Is there something wrong in the repository? It is always this specific RPM out of the hundreds used that fails.
(I'm not sure this is a factory or some other list's interest. Sorry if I have posted to the wrong place. If so, where is a better pace to post this kind of question?)
DEBUG: 16:21:46 | system: Retrieving package libexiv2-27-0.27.3-lp153.151.1.x86_64 (28/1737), 745.7 KiB ( 2.8 MiB unpacked) DEBUG: 16:21:46 | system: Retrieving: libexiv2-27-0.27.3-lp153.151.1.x86_64.rpm [.error (397 B/s)] DEBUG: 16:21:46 | system: Abort, retry, ignore? [a/r/i/...? shows all options] (a): a ERROR: 16:21:46 | KiwiInstallPhaseFailed: System package installation failed: Download (curl) error for 'http://download.opensuse.org/repositories/graphics/openSUSE_Leap_15.3/x86_64... 4.rpm': Error code: Curl error 60 Error message: SSL certificate problem: self signed certificate in certificate chain
Perhaps not really a topic for factory, but never mind - it looks like your request to http://d.o.o is being diverted to an https mirror [1] - why curl thinks there is a self-signed certificate in the chain, I don't know. Maybe check that your CA bundle is recent ? [1] There aren't that many repositories/ mirrors, should be easy to find. -- Per Jessen, Zürich (9.6°C) Member, openSUSE Heroes
Per Jessen wrote:
Roger Oberholtzer wrote:
I have been trying to build something with Leap 15.3. During this process I have been getting the following error for the past couple days. Is there something wrong in the repository? It is always this specific RPM out of the hundreds used that fails.
(I'm not sure this is a factory or some other list's interest. Sorry if I have posted to the wrong place. If so, where is a better pace to post this kind of question?)
DEBUG: 16:21:46 | system: Retrieving package libexiv2-27-0.27.3-lp153.151.1.x86_64 (28/1737), 745.7 KiB ( 2.8 MiB unpacked) DEBUG: 16:21:46 | system: Retrieving: libexiv2-27-0.27.3-lp153.151.1.x86_64.rpm [.error (397 B/s)] DEBUG: 16:21:46 | system: Abort, retry, ignore? [a/r/i/...? shows all options] (a): a ERROR: 16:21:46 | KiwiInstallPhaseFailed: System package installation failed: Download (curl) error for 'http://download.opensuse.org/repositories/graphics/openSUSE_Leap_15.3/x86_64... 4.rpm': Error code: Curl error 60 Error message: SSL certificate problem: self signed certificate in certificate chain
Perhaps not really a topic for factory, but never mind - it looks like your request to http://d.o.o is being diverted to an https mirror [1] - why curl thinks there is a self-signed certificate in the chain, I don't know. Maybe check that your CA bundle is recent ?
[1] There aren't that many repositories/ mirrors, should be easy to find.
At a quick glance, with https:// we have only ftp.gwdg.de and provo-mirror.opensuse.org - both of them worked fine for me. -- Per Jessen, Zürich (9.9°C) Member, openSUSE Heroes
On Thu, May 27, 2021 at 10:53 AM Per Jessen <per@opensuse.org> wrote:
Roger Oberholtzer wrote:
I have been trying to build something with Leap 15.3. During this process I have been getting the following error for the past couple days. Is there something wrong in the repository? It is always this specific RPM out of the hundreds used that fails.
(I'm not sure this is a factory or some other list's interest. Sorry if I have posted to the wrong place. If so, where is a better pace to post this kind of question?)
DEBUG: 16:21:46 | system: Retrieving package libexiv2-27-0.27.3-lp153.151.1.x86_64 (28/1737), 745.7 KiB ( 2.8 MiB unpacked) DEBUG: 16:21:46 | system: Retrieving: libexiv2-27-0.27.3-lp153.151.1.x86_64.rpm [.error (397 B/s)] DEBUG: 16:21:46 | system: Abort, retry, ignore? [a/r/i/...? shows all options] (a): a ERROR: 16:21:46 | KiwiInstallPhaseFailed: System package installation failed: Download (curl) error for 'http://download.opensuse.org/repositories/graphics/openSUSE_Leap_15.3/x86_64... 4.rpm': Error code: Curl error 60 Error message: SSL certificate problem: self signed certificate in certificate chain
Perhaps not really a topic for factory, but never mind - it looks like your request to http://d.o.o is being diverted to an https mirror [1] - why curl thinks there is a self-signed certificate in the chain, I don't know. Maybe check that your CA bundle is recent ?
The tricky bit is that I am using a kiwi buildbox for this. That is, kiwi maintains and uses a virtual environment for building images so that the host computer does not get in the way. I built a Leap 15.3 image this way a couple weeks ago. So it is something that has happened since then. -- Roger Oberholtzer
On Thu, May 27, 2021 at 11:52 AM Roger Oberholtzer <roger.oberholtzer@gmail.com> wrote: I see the following in the release notes for 15.3. Hard to tell if this is related. Unlike 15.2, the default installation of openSUSE Leap 15.3 contains the majority of rpms from SUSE Linux Enterprise Server. These rpms are signed by SUSE LLC instead of using the openSUSE key. The libzypp package version 12.25.8 introduced whitelist for the SUSE LLC and openSUSE vendor exchange to allow seamless migration. This whitelist removes the need to specify --allow-vendor-change for openSUSE and SUSE LLC vendor exchange only. You might still need to specify --allow-vendor-change during migration if you are using OBS repositories signed with other keys. -- Roger Oberholtzer
Moin, Am Donnerstag, 27. Mai 2021, 11:52:00 CEST schrieb Roger Oberholtzer:
On Thu, May 27, 2021 at 10:53 AM Per Jessen <per@opensuse.org> wrote:
Roger Oberholtzer wrote:
I have been trying to build something with Leap 15.3. During this process I have been getting the following error for the past couple days. Is there something wrong in the repository? It is always this specific RPM out of the hundreds used that fails.
(I'm not sure this is a factory or some other list's interest. Sorry if I have posted to the wrong place. If so, where is a better pace to post this kind of question?)
DEBUG: 16:21:46 | system: Retrieving package libexiv2-27-0.27.3-lp153.151.1.x86_64 (28/1737), 745.7 KiB ( 2.8 MiB unpacked) DEBUG: 16:21:46 | system: Retrieving: libexiv2-27-0.27.3-lp153.151.1.x86_64.rpm [.error (397 B/s)] DEBUG: 16:21:46 | system: Abort, retry, ignore? [a/r/i/...? shows all options] (a): a ERROR: 16:21:46 | KiwiInstallPhaseFailed: System package installation failed: Download (curl) error for 'http://download.opensuse.org/repositories/graphics/openSUSE_Leap_15.3/x86_64... 4.rpm': Error code: Curl error 60 Error message: SSL certificate problem: self signed certificate in certificate chain
Perhaps not really a topic for factory, but never mind - it looks like your request to http://d.o.o is being diverted to an https mirror [1] - why curl thinks there is a self-signed certificate in the chain, I don't know. Maybe check that your CA bundle is recent ?
The tricky bit is that I am using a kiwi buildbox for this. That is, kiwi maintains and uses a virtual environment for building images so that the host computer does not get in the way.
Make sure you have "ca-certificates-mozilla" as part of <packages type="bootstrap"/>, otherwise zypper inside the chroot fails. Cheers, Fabian
I built a Leap 15.3 image this way a couple weeks ago. So it is something that has happened since then.
participants (6)
-
Andrei Borzenkov -
cagsm -
Carlos E. R. -
Fabian Vogt -
Per Jessen -
Roger Oberholtzer