Curl error 60 (after MLM 5.1 upgrade)

[Alex Gooch]

Good morning!

Just for some quick background, we recently upgraded/migrated our SUMA environment to MLM5.1. As a part of that process, we generated new certs for the hub. I suspect that this is causing my issue, but I am not sure exactly how to resolve it.

This is an example of the errors that I am seeing during the build process:

After the package/collection stage:

[ INFO    ]: Processing: [                                        ] 0%

[ DEBUG   ]: 10:29:22 | system: Building repository 'Leap_15_6' cache [....done]
[ DEBUG   ]: 10:29:23 | system: Building repository 'Leap_15_6_backports' cache [....done]
[ DEBUG   ]: 10:29:37 | system: Building repository 'Leap_15_6_sle' cache [....done]
[ DEBUG   ]: 10:29:38 | system: Building repository 'Leap_15_6_update' cache [....done]
[ DEBUG   ]: 10:29:38 | system: Retrieving repository 'backports_15_6_updates' metadata [...error]
[ DEBUG   ]: 10:29:38 | system: Warning: Skipping repository 'backports_15_6_updates' because of the above error.
[ DEBUG   ]: 10:29:38 | system: Retrieving repository 'leap_15_6_pool' metadata [...error]
[ DEBUG   ]: 10:29:38 | system: Warning: Skipping repository 'leap_15_6_pool' because of the above error.
[ DEBUG   ]: 10:29:38 | system: Retrieving repository 'leap_15_6_updates' metadata [...error]
[ DEBUG   ]: 10:29:38 | system: Warning: Skipping repository 'leap_15_6_updates' because of the above error.
[ DEBUG   ]: 10:29:38 | system: Retrieving repository 'libnvidia' metadata [...error]
[ DEBUG   ]: 10:29:38 | system: Warning: Skipping repository 'libnvidia' because of the above error.
[ DEBUG   ]: 10:29:38 | system: Retrieving repository 'mysql_80' metadata [...error]
[ DEBUG   ]: 10:29:38 | system: Warning: Skipping repository 'mysql_80' because of the above error.

...

When it ultimately fails, I see errors like this:

[ ERROR   ]: 10:29:44 | KiwiInstallPhaseFailed: System package installation failed: Repository 'backports_15_6_updates' is invalid.
[backports_15_6_updates|http://some_server.company.com/rhn/manager/download/spe_leap_15_6_x86_64-production-opensuse-backports-15.6-updates-x86_64] Valid metadata not found at specified URL
History:
 - [|] Error trying to read from 'http://some_server.company.com/rhn/manager/download/spe_leap_15_6_x86_64-production-opensuse-backports-15.6-updates-x86_64'
 - Download (curl) error for 'http://some_server.company.com  /rhn/manager/download/spe_leap_15_6_x86_64-production-opensuse-backports-15.6-updates-x86_64/content':
   Error code: Curl error 60
   Error message: SSL certificate problem: unable to get local issuer certificate

Please check if the URIs defined for this repository are pointing to a valid repository.
Repository 'leap_15_6_pool' is invalid.
[leap_15_6_pool|http://some_server.company.com  /rhn/manager/download/spe_leap_15_6_x86_64-production-opensuse-leap-15.6-pool-x86_64] Valid metadata not found at specified URL
History:
 - [|] Error trying to read from 'http://some_server.company.com  /rhn/manager/download/spe_leap_15_6_x86_64-production-opensuse-leap-15.6-pool-x86_64'
 - Download (curl) error for 'http://some_server.company.com  /rhn/manager/download/spe_leap_15_6_x86_64-production-opensuse-leap-15.6-pool-x86_64/content':
   Error code: Curl error 60
   Error message: SSL certificate problem: unable to get local issuer certificate

...

At this point, my appliance.kiwi file is the same as it was before the MLM upgrade. I read through other posts and have confirmed that I already had the following in my build file:

    <packages type="bootstrap">

        <package name="ca-certificates"/>

        <package name="ca-certificates-cacert"/>

        <package name="ca-certificates-mozilla"/>

On my newly migrated hub (where I am sourcing the packages), I have these certificate files generated:

/systems/certs
└── /systems/certs/server
    ├── /systems/certs/server/certs
    │   ├── /systems/certs/server/certs/combined-server.pem
    │   ├── /systems/certs/server/certs/server.company.com.key
    │   └── /systems/certs/server/certs/server.company.com.pem
    ├── /systems/certs/server/trust
    │   └── /systems/certs/server/trust/anchors
    │       ├── /systems/certs/server/trust/anchors/company-ca-combined.pem
    │       ├── /systems/certs/server/trust/anchors/company-ca-t1.pem
    │       └── /systems/certs/server/trust/anchors/company-root-ca.pem
    ├── /systems/certs/server/server.company.com.cert.download.decoded
    ├── /systems/certs/server/server.company.com.cert.download.result
    ├── /systems/certs/server/server.company.com.cnf
    ├── /systems/certs/server/server.company.com.csr
    ├── /systems/certs/server/server.company.com.csr.check.result
    ├── /systems/certs/server/server.company.com.csr.enrollment.result
    └── /systems/certs/server/server.company.com.key

Do I need to install any of these files onto my kiwi server in order for the build to be able to reach the standalone hub? If so, could you point me to which ones I should install, and where on the kiwi build host? If this is not the issue, have you seen anything like this before? 

Any help is greatly appreciated!

Thank you,

  Alex