Bug 1713627

Summary: dnf exits with "Error: Failed to synchronize cache for repo 'xxx'" without further details
Product: Red Hat Enterprise Linux 8 Reporter: Renaud Métrich <rmetrich>
Component: dnfAssignee: Pavla Kratochvilova <pkratoch>
Status: CLOSED ERRATA QA Contact: Eva Mrakova <emrakova>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.0CC: amatej, james.antill, jblazek, kwalker, mdomonko, pkratoch
Target Milestone: rcKeywords: Triaged
Target Release: 8.0   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: dnf-4.2.17-1.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-28 16:47:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1755139    

Description Renaud Métrich 2019-05-24 09:59:44 UTC 
Description of problem:

When using an internal HTTPS repo instead of subscription-manager and HTTP server certificate is self-signed, trying to use dnf fails with a cryptic error:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Error: Failed to synchronize cache for repo 'os'
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

/var/log/dnf.log shows even cryptic backtrace:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/dnf/repo.py", line 566, in load
    ret = self._repo.load()
  File "/usr/lib64/python3.6/site-packages/libdnf/repo.py", line 503, in load
    return _repo.Repo_load(self)
RuntimeError: Failed to synchronize cache for repo 'os'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/dnf/cli/main.py", line 64, in main
    return _main(base, args, cli_class, option_parser_class)
  File "/usr/lib/python3.6/site-packages/dnf/cli/main.py", line 99, in _main
    return cli_run(cli, base)
  File "/usr/lib/python3.6/site-packages/dnf/cli/main.py", line 115, in cli_run
    cli.run()
  File "/usr/lib/python3.6/site-packages/dnf/cli/cli.py", line 1124, in run
    self._process_demands()
  File "/usr/lib/python3.6/site-packages/dnf/cli/cli.py", line 828, in _process_demands
    load_available_repos=self.demands.available_repos)
  File "/usr/lib/python3.6/site-packages/dnf/base.py", line 400, in fill_sack
    self._add_repo_to_sack(r)
  File "/usr/lib/python3.6/site-packages/dnf/base.py", line 135, in _add_repo_to_sack
    repo.load()
  File "/usr/lib/python3.6/site-packages/dnf/repo.py", line 568, in load
    raise dnf.exceptions.RepoError(str(e))
dnf.exceptions.RepoError: Failed to synchronize cache for repo 'os'
2019-05-24T09:45:02Z CRITICAL Error: Failed to synchronize cache for repo 'os'
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------


Administration can only understand what the real issue is by looking at /var/log/dns.librepo.log log and checking DEBUG logs:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
2019-05-24T09:45:02Z DEBUG check_transfer_statuses: Transfer finished: repodata/repomd.xml (Effective url: https://<HTTPS_URL>/repodata/repomd.xml)
2019-05-24T09:45:02Z DEBUG check_transfer_statuses: Error during transfer: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://<HTTPS_URL>/repodata/repomd.xml [SSL certificate problem: unable to get local issuer certificate]
2019-05-24T09:45:02Z DEBUG check_transfer_statuses: Ignore error - Try another mirror
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This needs improvment (at least this shouldn't be DEBUG level).


Version-Release number of selected component (if applicable):

dnf-4.0.9.2-5.el8.noarch


How reproducible:

Always


Steps to Reproduce:
1. Use some internal HTTPS repository, self-signed or without known certificate
Comment 7 Pavla Kratochvilova 2019-11-19 10:11:04 UTC 
I created patch that prints all the errors of the individual mirrors (in this case it would be the curl error): https://github.com/rpm-software-management/dnf/pull/1492

The errors are printed only when the whole download fails, so if it's a mirrorlist with only a few unavailable mirrors, nothing is printed (but the messages are stil visible in --verbose mode and in dnf.librepo.log).

Tests in ci-dnf-stack: https://github.com/rpm-software-management/ci-dnf-stack/pull/643
Comment 11 errata-xmlrpc 2020-04-28 16:47:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1823