116

I'm trying to update Orion ContextBroker using the command yum install contextBroker. Unfortunatelly I get the following error:

Loaded plugins: fastestmirror, refresh-packagekit, security Loading

mirror speeds from cached hostfile

Error: Cannot retrieve metalink for repository: epel. Please verify its path and try again

What could be going wrong ?

JosepB
  • 1,913
  • 2
  • 14
  • 30
  • 3
    Suggested troubleshooting step: can your system `curl -v https://mirrors.fedoraproject.org`? – mwfearnley Aug 20 '19 at 15:59
  • 1
    The selected answer is a workaround that doesn't fix the root issue, and in fact package installation may continue to fail. I suggest deselecting the best answer, and let the vote count sort the answers to the one that worked for most people. – Paul May 07 '20 at 16:24

22 Answers22

182

You just needed to update ca-certificates package. Before that just disable all repos with https that are failing. That's why solution with commenting mirrorlist or using http instead https would work also.

For example if you need to disable only epel repo:

yum --disablerepo=epel -y update  ca-certificates

This will also help wget, curl, and anything else that uses SSL certificates.

Darryl Hein
  • 134,677
  • 87
  • 206
  • 257
XoR
  • 2,386
  • 4
  • 16
  • 15
  • 12
    This should be accepted as the correct answer, as it diagnoses the real source of the problem, rather than just providing a work-around. – Horatio Alderaan Jan 23 '15 at 00:22
  • 1
    I've tested this on the CentOS 6.5 [bento box](https://github.com/chef/bento) and it does make things slightly more reliable when running `yum clean all && yum makecache`. However, it still fails sometimes. Adding a retry to my script made it even more reliable. I suspect that some mirrors are unreliable and a retry can give another mirror that works. So if at first it doesn't succeed, try try again! – TrinitronX Jan 26 '15 at 05:31
  • Wonder how you found that solution ... the error message was quite criptic for me – Stéphane Mar 10 '15 at 13:44
  • 1
    Well this comes from experience, and yes, message is cryptic :) – XoR Mar 10 '15 at 15:45
  • 1
    I needed this and also http://stackoverflow.com/a/31066100/41223 to sort my issue out. – tzrlk May 14 '17 at 22:19
  • 2
    make sure if you're behind a corporate proxy to also set it for https e.g. `export https_proxy=` – Markus Aug 11 '17 at 07:01
  • 4
    epel-repo RPM should have ca-certificates has dependency !! – Stéphane Oct 19 '17 at 15:39
  • thank you @Markus !!! - I had followed all the answers (except the ones saying to disable https) and it still wasn't working, actually the problem was I only set `http_proxy` and not `https_proxy`, how stupid of me :) – Adam Burley Jul 18 '19 at 17:37
  • I also needed to update `curl` (or one of its dependencies) - I was getting `SSL_ERROR_NO_CYPHER_OVERLAP` when trying to `curl https://mirrors.fedoraproject.org`. – mwfearnley Aug 20 '19 at 15:48
  • I had a system I'd done a few updates on then fail as above on `centosplus` and `epel` - I found the solution was to disable both and just run `yum update`, then run it again with both repos enabled. As someone above hints... it's probably safest to do an update before you add epel's repo to a system ;-) – Ralph Bolton Oct 14 '20 at 15:45
140

I solved this issue editing both /etc/yum.repos.d/epel.repo and /etc/yum.repos.d/epel-testing.repo files, commenting all entries starting with mirrorlist=... and uncommenting all the entries starting with baseurl=....

Darryl Hein
  • 134,677
  • 87
  • 206
  • 257
fgalan
  • 10,250
  • 6
  • 36
  • 70
  • In my case, this fix allowed yum to successfully download metadata for the epel repo, but trying to install packages then failed with `[Errno 14] Peer cert cannot be verified or peer cert invalid`. The correct fix was to update ca-certificates, as in the answer below. – bain May 18 '18 at 10:21
  • 3
    commenting all entries starting with metalink=... and uncommenting all the entries starting with baseurl=.... worked for me on RHEL7.1 – Anurag Singh Jul 12 '19 at 06:59
  • 2
    Tried your method, then `yum clean all && yum update` worked. But not completely, it said `epel-release-7-11.noarch: [Errno 256] No more mirrors to try` etc. So I tried `yum update curl --disablerepo=epel` as sbetharia suggested, and tried `yum clean all && yum update` again, it finally worked now. – Hosi Golden Jul 18 '19 at 09:27
  • Worked for me. Thanks a lot. – tarekahf Oct 25 '19 at 16:27
  • 3
    I had no `mirrorlist=` lines, but I had `metalink=` lines, and those needed to be commented. – JellicleCat Apr 22 '20 at 16:13
  • This is the accepted answer, but as some of the answer may imply: there appear to be multiple possible causes of this. Maybe a community wiki would be good for listing them all? – Chris2048 Oct 16 '20 at 11:20
65

use this command:

sudo sed -i "s/mirrorlist=https/mirrorlist=http/" /etc/yum.repos.d/epel.repo

or alternatively use command

vi /etc/yum.repos.d/epel.repo

go to line number 4 and change the url from

mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch

to

mirrorlist=http://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch
AliLotfi
  • 1,102
  • 3
  • 16
  • 37
sumit pandit
  • 821
  • 6
  • 9
  • Thanks; this just worked for me after trying many of the other documented solutions (my error was, `Cannot retrieve metalink for repository: epel/x86_64. Please verify its path and try again`). My question is, **why did this work?** is this due to a configuration problem at the repository site? – CODE-REaD Jul 19 '19 at 21:07
  • 1
    Probably not the HTTPS server, but HTTPS client-side support on systems can go out of date, as root certificate authorities aren't updated, or the SSL libraries don't support new ciphers. – mwfearnley Aug 20 '19 at 15:58
  • After many tries, solved with your sed command. Just Copy+Paste, that's what I needed because usually I'm not in charge of this kind of things, just installing a test computer to be used only by me to test some database updates. – EAmez Oct 31 '19 at 11:40
  • 1
    In Cent OS 7.6, this is `sudo sed -i "s/metalink=https/metalink=http/" /etc/yum.repos.d/epel.repo` – JamesThomasMoon Feb 04 '20 at 23:16
21

I guess this should work. I solved my problem with this.

$ sudo yum clean all

$ sudo yum --disablerepo="epel" update nss

Varun
  • 5,501
  • 18
  • 69
  • 107
20

For my case commenting out mirrorlist and uncomenting entries with baseurl din't work. I noticed the problem was with the https iniside the .repofedora files. I solved it by going in /etc/yum.repository.d and replacing all https with http in different .repo files. That worked!!

Joseph N.
  • 2,229
  • 1
  • 19
  • 31
18

Updating curl worked for us. Somehow yum uses curl for its transactions.

yum update curl --disablerepo=epel
sbetharia
  • 313
  • 3
  • 7
  • 1
    Your answer is better than the accepted answer, needn't change epel.repo or epel-testing.repo. – Hosi Golden Jul 19 '19 at 06:53
  • I tracked this down and updated curl before reading this or some of the other answers. I see that updating curl also updated nss... so I wonder if that was the issue. In my case, I curl'ed the metalink URL, saw that it failed, and saw that it worked with --tlsv1 (https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=1170339). Assumed curl was out of date and updated it. So now I wonder if NSS could have been updated w/o updating curl and it would have worked or not. – Paul May 07 '20 at 16:21
10

Check if you access internet through a proxy, and then your add internet proxy address to yum configuration.

add 

proxy=http://ip:port

to /etc/yum.conf

Community
  • 1
  • 1
Rashad Saif
  • 1,267
  • 10
  • 15
8

Walkthrough Steps

Running the following command will update the repo to use HTTP rather than HTTPS:

sudo sed -i "s/mirrorlist=https/mirrorlist=http/" /etc/yum.repos.d/epel.repo

You should then be able to update with this command:

yum -y update
Dalton Cézane
  • 3,016
  • 2
  • 24
  • 48
Varadhan Work
  • 373
  • 3
  • 6
6

You may come across this message/error, after installing epel-release. The quick fix is to update your SSL certificates:

yum -y upgrade ca-certificates

Chances are the above error may also occur while certificate update, if so, just disable the epel repo i.e. use the following command:

yum -y upgrade ca-certificates --disablerepo=epel

Once the certificates will be updated, you'll be able to use yum normally, even the epel repo will work fine. In case you're getting this same error for a different repo, just put it's name against the --disablerepo=<repo-name> flag.

Note: use sudo if you're not the root user.

Nabeel Ahmed
  • 14,549
  • 4
  • 50
  • 54
5

I solved this problem by this solution.

you just change in this file /etc/yum.repos.d/epel.repo

mirrorlist= change this url https to http

baseurl= change this url https to http

bummi
  • 26,435
  • 13
  • 58
  • 97
how to i start
  • 87
  • 1
  • 1
4

All of the above did not work for me, but a rebuild of the rpm database, with the following command, did:

sudo rpm --rebuilddb

Thanks all for the help.

Dalton Cézane
  • 3,016
  • 2
  • 24
  • 48
Beavus Slagerty
  • 41
  • 2
3

For boxes that does not have internet access, you can remove epel repository:

yum remove epel-release --disablerepo=epel

This happened to me as I accidentally installed epel-release using rpm on a prod box.

Howard Lee
  • 877
  • 1
  • 10
  • 20
3

I encountered the same issue even though the ca-certificates package is up-to-date. The mirror https://mirrors.fedoraproject.org/ is currently signed by DigiCert High Assurance EV Root CA which is included in my ca-bundle

$ grep -A 3 "DigiCert High" /etc/ssl/certs/ca-bundle.crt 
# DigiCert High Assurance EV Root CA
-----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3

The reason why https connections failed in my case, was that system date was set to the year 2002 in which the DigiCert High Assurance EV Root CA is not (yet) valid.

$ date
Di 1. Jan 11:10:35 CET 2002

Changing the system time fixed the issue.

sauerburger
  • 2,843
  • 3
  • 21
  • 33
2

I solved it by going in /etc/yum.repository.d/. For my case i comment out mirrorlist and uncomenting entries with baseurl. as well as added sslverify=false.

https://serverfault.com/questions/637549/epel-repo-for-centos-6-causing-error

Community
  • 1
  • 1
Laxman S
  • 21
  • 1
  • Not only that, but also changing the URLs to http://archives.fedoraproject.org/pub/archive/fedora/linux/releases/$releasever/Everything/source/SRPMS/ (for fedora.repo and fedora-updates.repo). Note the "archives" in front and the "pub/archive" in the path) – dagelf Mar 24 '15 at 07:07
  • yum install -y yum-utils --disablerepo=epel && yum-config-manager --save --setopt=epel.sslverify=false – Andrei Sedoi Oct 20 '19 at 05:44
2

I've workaround this issue by changing the https entries in epel.repo file to http.

Fabricio
  • 21
  • 1
1

In my case when I comment out mirrorlist the error got away but the repo was also not working so I manually point the right baseurl in /etc/yum.repos.d/epel.repo as below

[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
baseurl=http://iad.mirror.rackspace.com/epel/7Server/x86_64/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch&infra=$infra&content=$contentdir
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - $basearch - Debug
baseurl=http://iad.mirror.rackspace.com/epel/7Server/x86_64/debug/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-7&arch=$basearch&infra=$infra&content=$contentdir
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1

[epel-source]
name=Extra Packages for Enterprise Linux 7 - $basearch - Source
baseurl=http://iad.mirror.rackspace.com/epel/7Server/SRPMS/
#metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-source-7&arch=$basearch&infra=$infra&content=$contentdir
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1
Rohit Sharma
  • 474
  • 3
  • 15
0

Changing the mirrorlist URL from https to http fixed the issue for me.

Anil Reddy
  • 21
  • 1
0

Fixed mine like this:

yum install elfutils-default-yama-scope-0.168-8.el7.noarch --disablerepo=epel
yum install nss-pem -disablerepo=epel
yum reinstall ca-certificates --disablerepo=epel
yum clean all
rm -rf /var/cache/yum
yum update`
Dalton Cézane
  • 3,016
  • 2
  • 24
  • 48
Future
  • 339
  • 5
  • 19
0

None of these worked for me (I didn't even try the hacks like manually editing the repo file).

However it worked after a simple yum update -y

jaustin
  • 908
  • 1
  • 7
  • 9
0

Another possible cause is that your architecture is not supported. I ran into this because I was provided with a CentOS VM, wanted to install EPEL and couldn't for the life of me get it done.

Turns out the VM was CentOS 7 i386, which is an architecture that is apparently no longer supported by EPEL. I guess the only remedy in this case is to reinstall.

aross
  • 2,557
  • 3
  • 29
  • 33
0

Try

yum clean all --enablerepo=*

Then

yum update --disablerepo=epel
Omid Estaji
  • 136
  • 1
  • 5
0

I tried most of these solutions and none of them worked for me.

The only thing that worked for me was to disable and remove the offending repo.

sudo yum --disablerepo=epel\* remove epel-release.noarch
Fred
  • 836
  • 1
  • 8
  • 26