In one of the automation tasks running for the Kmods SIG we need to download files from koji.mbox.centos.org. Doing that I run into the following issue:
curl -f -I -o /dev/null https://koji.mbox.centos.org/pkgs/packages/kernel/4.18.0/348.7.1.el8_5/aarch64/kernel-devel-4.18.0-348.7.1.el8_5.aarch64.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
I can work around that issue on my side, but I assume this should be fixed in general.
Note: kojihub.stream.centos.org is not affected.
Yes, that's because you're reaching it "internally" and not through haproxy that has the proper TLS cert. The koji.mbox setup is (actually but should move soon) itself an OpenShift 3 setup with self-signed certs.
That's the reason why cbs itself is pointing to a different VM that doesn't suffer from this (so not accessing kojihub/koji.mbox directly):
cbs list-external-repos|grep centos8s-buildroot
centos8s-buildroot http://kojifiles.rdu2.centos.org/kojifiles/repos/dist-c8-stream-build/latest/$arch/
So just replace your job to download from kojifiles.rdu2.centos.org and it will work (internally from CI):
curl -O http://kojifiles.rdu2.centos.org/pkgs/packages/kernel/4.18.0/348.7.1.el8_5/aarch64/kernel-devel-4.18.0-348.7.1.el8_5.aarch64.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18.9M  100 18.9M    0     0   309M      0 --:--:-- --:--:-- --:--:--  315M
Metadata Update from @arrfab: - Issue assigned to arrfab
Metadata Update from @arrfab: - Issue tagged with: centos-ci-infra, low-gain, low-trouble
Metadata Update from @arrfab: - Issue close_status updated to: Fixed with Explanation - Issue status updated to: Closed (was: Open)
Changing the download URL to point to kojifiles.rdu2.c.o works as expected. Thanks for the explanation about the internal network. Actually made me realize that there is an obvious solution how to handle this case once CentOS Linux 8 is EOL and no new builds will be available for it on koji.mbox.c.o by changing the url to http://mirror1.rdu2.centos.org/RHEL/8/... which is only accessible internally.
Once again thanks for your quick and excellent support!