54

I've got a VM running CentOS 6 (64bit) and I'm attempting to add the EPEL repo like usual to install various packages as I do quite regularly.

Today, I'm experiencing some strange errors yet I'm doing absolutely nothing differently.

I'm adding EPEL like so:

# wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm # rpm -ivh epel-release-6-8.noarch.rpm

Yet when I try running yum for anything, I'm getting this error:

[root@core /]# yum list

Loaded plugins: fastestmirror

Determining fastest mirrors

Error: Cannot retrieve metalink for repository: epel. Please verify its path and try again

Any ideas? I'm stumped!

Improve this question
3
  • 4
    What happened when you attempted to do what it told you to do? Commented Oct 16, 2014 at 15:17
  • I'm pretty sure it has nothing to do with the path. This is the same way I've added EPEL countless times before and never encountered an error like this. Something must be going on behind the scenes, right? Commented Oct 16, 2014 at 15:22
  • 1
    The extras repository has a package to enable the EPEL repository and I usually install it from there. Since extras is enabled by default this is done by just doing yum install epel-release Commented Oct 16, 2014 at 15:52

4 Answers 4

Reset to default
118

The correct fix is to update your SSL certificates.

sudo yum upgrade ca-certificates --disablerepo=epel

You need to disable the epel repo so that this command will succeed. After you update your certificates you can use yum normally as EPEL will work again.

Improve this answer
6
  • 2
    this is the correct way to fix the problem. Commented Dec 29, 2014 at 12:30
  • I've tested this on the CentOS 6.5 bento box which is affected by this issue and it does make things slightly more reliable when running yum clean all && yum makecache. However, it still fails sometimes. Adding a retry to my script made it even more reliable. I suspect that some mirrors are unreliable and a retry can give another mirror that works. So if at first it doesn't succeed, try try again! Commented Jan 26, 2015 at 5:38
  • Don't forget to run "sudo yum upgrade" after you run this command to actually do the full upgrade. Commented May 5, 2016 at 16:18
  • yum upgrade would work on box with http. However my box doesn't have access to internet. Any alternatives? Commented Jun 30, 2016 at 17:04
  • 1
    Ok, answering my own comment. Use yum remove epel-release --disablerepo=epel on box that has no internet access (yes I accidentally rpm -Uvh epel-release on a prod box) Commented Jun 30, 2016 at 17:41
15

I had this problem, and it boiled down to the SSL certificate not being verifiable when getting the updated metalink file for EPEL via HTTPS. I suppose that I could have drilled down through the certificate chain to find out why, but in order to get my server working again, I sidestepped the problem by adding the following line into /etc/yum.repos.d/epel.repo:

[epel] ... sslverify=false

I didn't think this was insanely unsafe, because the packages themselves are still verified by GPG-signature check.

Improve this answer
1
  • 3
    All I did was change https to http in the repo list and it just worked, but I shouldn't have had to. Commented Oct 17, 2014 at 20:53
9

You can modify the epel repo to use http instead of https by running the following as root/sudo

sed -i "s/mirrorlist=https/mirrorlist=http/" /etc/yum.repos.d/epel.repo
Improve this answer
0
6

Ridiculously using secure HTTP is causing a problem yet normal HTTP is working fine. This shouldn't be happening with a fresh install so there must be an issue with Fedora's repositories. It's working now.

Improve this answer
2
  • 3
    If you update your systems 'ca-certificates' it will work again. Probably has to do with the CA's, perhaps expired and/or revoked? (yum update ca-certificates) Commented Dec 17, 2014 at 9:40
  • Not only did this not work for me, I started getting the error trying to install ca-certificates, and then when I had the latest, I am still seeing it occur here and there during builds. Changing the protocol to http is NOT an answer. Commented Feb 18, 2015 at 23:30

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.