54

I've got a VM running CentOS 6 (64bit) and I'm attempting to add the EPEL repo like usual to install various packages as I do quite regularly.

Today, I'm experiencing some strange errors yet I'm doing absolutely nothing differently.

I'm adding EPEL like so:

```
# wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# rpm -ivh epel-release-6-8.noarch.rpm
```

Yet when I try running yum for anything, I'm getting this error:

```
[root@core /]# yum list
Loaded plugins: fastestmirror
Determining fastest mirrors
Error: Cannot retrieve metalink for repository: epel. Please verify its path and try again
```

Any ideas? I'm stumped!

Tom Wilson
  • 4
    What happened when you attempted to do what it told you to do? – Michael Hampton Oct 16 '14 at 15:17
  • I'm pretty sure it has nothing to do with the path. This is the same way I've added EPEL countless times before and never encountered an error like this. Something must be going on behind the scenes, right? – Tom Wilson Oct 16 '14 at 15:22
  • 1
    The extras repository has a package to enable the EPEL repository and I usually install it from there. Since extras is enabled by default this is done by just doing `yum install epel-release` – Brian Oct 16 '14 at 15:52

4 Answers

118

The correct fix is to update your SSL certificates.

```
sudo yum upgrade ca-certificates --disablerepo=epel
```

You need to disable the epel repo so that this command will succeed. After you update your certificates you can use yum normally as EPEL will work again.

Jo Rhett
  • 2
    This is the correct way to fix the problem. – TlmaK0 Dec 29 '14 at 12:30
  • I've tested this on the CentOS 6.5 [bento box](https://github.com/chef/bento) which is affected by this issue and it does make things slightly more reliable when running `yum clean all && yum makecache`. However, it still fails sometimes. Adding a retry to my script made it even more reliable. I suspect that some mirrors are unreliable and a retry can give another mirror that works. So if at first it doesn't succeed, try try again! – TrinitronX Jan 26 '15 at 05:38
  • Don't forget to run "sudo yum upgrade" after you run this command to actually do the full upgrade. – skidadon May 05 '16 at 16:18
  • `yum upgrade` would work on a box with http. However, my box doesn't have access to the internet. Any alternatives? – Howard Lee Jun 30 '16 at 17:04
  • 1
    OK, answering my own comment. Use `yum remove epel-release --disablerepo=epel` on a box that has no internet access (yes, I accidentally ran `rpm -Uvh epel-release` on a prod box) – Howard Lee Jun 30 '16 at 17:41
  • To fix EPEL in CentOS 6 in 2019 you need to install nss-tools with dependencies: `yum --disablerepo=\* --enablerepo=base,updates install nss-tools` – Alec Istomin Jul 15 '19 at 03:27

15

I had this problem, and it boiled down to the SSL certificate not being verifiable when getting the updated metalink file for EPEL via HTTPS. I suppose that I could have drilled down through the certificate chain to find out why, but in order to get my server working again, I sidestepped the problem by adding the following line into /etc/yum.repos.d/epel.repo:

```
[epel]
...
sslverify=false
```

I didn't think this was insanely unsafe, because the packages themselves are still verified by GPG-signature check.

MadHatter
9

You can modify the epel repo to use http instead of https by running the following as root/sudo:

```
sed -i "s/mirrorlist=https/mirrorlist=http/" /etc/yum.repos.d/epel.repo
```

siebo
6

Ridiculously, using secure HTTP is causing a problem, yet normal HTTP is working fine. This shouldn't be happening with a fresh install, so there must be an issue with Fedora's repositories. It's working now.

Tom Wilson
  • 3
    If you update your system's 'ca-certificates' it will work again. Probably has to do with the CAs, perhaps expired and/or revoked? (yum update ca-certificates) – Soprano Dec 17 '14 at 09:40
  • Not only did this not work for me, I started getting the error trying to install ca-certificates, and then when I had the latest, I am still seeing it occur here and there during builds. Changing the protocol to http is NOT an answer. – DrStrangepork Feb 18 '15 at 23:30
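
Added example, not part of any answer or comment above: a shell check that finds the two workarounds from the answers (`sslverify=false` and `mirrorlist` switched to plain http) still present in yum repo files, for instance after `ca-certificates` has been upgraded. The function names, the sample file and the `mirrors.example.org` host are constructed for illustration; `gpgcheck` is checked as well because the `sslverify=false` answer relies on GPG verification staying on.

```shell
#!/bin/sh
# Added example (not from the page): flag yum repo settings that weaken
# transport checks. Findings print as "file:[section]: issue".

audit_repo_file() {
    # $1 = path to an INI-style .repo file
    awk -v file="$1" '
        function report(msg) { printf "%s:[%s]: %s\n", file, section, msg }
        /^[ \t]*[#;]/ { next }                    # comment lines
        /^[ \t]*\[.*\][ \t]*$/ {                  # [section] header
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/\][ \t]*$/, "", section)
            next
        }
        {
            eq = index($0, "=")                   # split on the first "="
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = tolower(substr($0, eq + 1))
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "sslverify" && val ~ /^(0|no|false)$/)
                report("sslverify disabled")
            if (key == "gpgcheck" && val ~ /^(0|no|false)$/)
                report("gpgcheck disabled")
            if (key ~ /^(mirrorlist|metalink|baseurl)$/ && val ~ /^http:/)
                report(key " uses plain http")
        }
    ' "$1"
}

audit_repo_dir() {
    # $1 = directory holding .repo files (defaults to the path on this page)
    for f in "${1:-/etc/yum.repos.d}"/*.repo; do
        if [ -f "$f" ]; then audit_repo_file "$f"; fi
    done
}

demo() {
    # Constructed sample: an epel.repo carrying both workarounds.
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/epel.repo" <<'EOF'
[epel]
mirrorlist=http://mirrors.example.org/metalink?repo=epel-6&arch=$basearch
gpgcheck=1
sslverify=false
EOF
    audit_repo_dir "$tmp"
    rm -rf "$tmp"
}
demo
```

Calling `audit_repo_dir` with no argument checks `/etc/yum.repos.d`; no output means none of the three settings were found.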