Upgrade from 5.4.13 to 5.5.4 failing

[GhostRider2110]

VMware system from the Nagios appliance Centos 6.10
When I try to upgrade to latest I get the following error. Taking from /usr/local/nagiosxi/tmp/upgrade.log

Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using iganagios.iga.local for ServerName
[ OK ]
No entry for terminal type "unknown";
using dumb terminal settings.
Checking required prereqs...
Please wait...

OLD VERSION: 5413
Loaded plugins: fastestmirror, security
Setting up Update Process
Loading mirror speeds from cached hostfile
* base: ftp.ussg.iu.edu
* epel: mirror.steadfastnet.com
* extras: ftp.ussg.iu.edu
* updates: ftp.ussg.iu.edu
http://repo.nagios.com/nagios/6/repodata/repomd.xml: [Errno 14] Peer cert cannot be verified or peer cert invalid
Trying other mirror.
It was impossible to connect to the Red Hat servers.
This could mean a connectivity issue in your environment, such as the requirement to configure a proxy,
or a transparent proxy that tampers with TLS security, or an incorrect system clock.
Please collect information about the specific failure that occurs in your environment,
using the instructions in: https://access.redhat.com/solutions/1527033 and open a ticket with Red Hat Support.

Error: Cannot retrieve repository metadata (repomd.xml) for repository: nagios-base. Please verify its path and try

I've check the error, but that does not seem to apply since the system is Centos and not Redhat....
Also I disabled the entries in /etc/yum.repos.d/nagios-6.repo and all works fine enable them and I get the error.

I have also updated the nagios-repo-6-3.el6.noarch.rpm file:
wget --no-check-certificate https://repo.nagios.com/nagios/6/nagios ... noarch.rpm
rpm -Uvh ./nagios-repo-6-3.el6.noarch.rpm

Kinda stuck right now.

[tgriep]

First thing to try when having repository issues is to clear the yum cache so the system can update it settings with up to date information and mirror servers.
Run this as root to clear it out

Code: Select all

yum clean all

Then try the XI upgrade again to see if it works.

If it still fails, run the following command to show which repositories are setup on the server and post it here.

Code: Select all

yum repolist

[GhostRider2110]

Sorry I forgot to put that in the original post. I had done a yum clean all, and removed the yum cache directory etc.. without any luck.
Did it again and here is repolist. The nagios repository seems to be a problem for it.

[root@iganagios pki]# yum clean all
Loaded plugins: fastestmirror, security
Cleaning repos: base cr epel extras nagios-base nagiosxi-deps updates
Cleaning up Everything
Cleaning up list of fastest mirrors
[root@iganagios pki]# yum repolist
Loaded plugins: fastestmirror, security
Determining fastest mirrors
epel/metalink | 18 kB 00:00
* base: mirror.team-cymru.com
* epel: mirror.steadfastnet.com
* extras: centos.mirrors.tds.net
* updates: mirrors.gigenet.com
base | 3.7 kB 00:00
base/primary_db | 4.7 MB 00:00
cr | 3.3 kB 00:00
cr/primary_db | 1.2 kB 00:00
epel | 3.2 kB 00:00
epel/primary | 3.2 MB 00:00
epel 12520/12520
extras | 3.4 kB 00:00
extras/primary_db | 26 kB 00:00
http://repo.nagios.com/nagios/6/repodata/repomd.xml: [Errno 14] Peer cert cannot be verified or peer cert invalid
Trying other mirror.
It was impossible to connect to the Red Hat servers.
This could mean a connectivity issue in your environment, such as the requirement to configure a proxy,
or a transparent proxy that tampers with TLS security, or an incorrect system clock.
Please collect information about the specific failure that occurs in your environment,
using the instructions in: https://access.redhat.com/solutions/1527033 and open a ticket with Red Hat Support.

http://repo.nagios.com/nagios/6/repodata/repomd.xml: [Errno 14] Peer cert cannot be verified or peer cert invalid
Trying other mirror.
http://repo.nagios.com/nagiosxi-deps/6/ ... repomd.xml: [Errno 14] Peer cert cannot be verified or peer cert invalid
Trying other mirror.
updates | 3.4 kB 00:00
updates/primary_db | 1.2 MB 00:00
repo id repo name status
base CentOS-6 - Base 6,713
cr CentOS-6 - CR 0
epel Extra Packages for Enterprise Linux 6 - x86_64 12,520
extras CentOS-6 - Extras 33
nagios-base Nagios 0
nagiosxi-deps Nagios XI Dependencies 0
updates CentOS-6 - Updates 125
repolist: 19,391
[root@iganagios pki]#

[tgriep]

One thing, make sure the system date and time is correct.

The other option is to add sslverify=false in the /etc/yum.conf file.

[GhostRider2110]

DTG good... and that setting was already in place in /etc/yum.conf.
Here is the yum.conf file.

[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php? ... tegory=yum
distroverpkg=centos-release
sslverify=false
# This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
# download the new metadata and "pay" for it by yum not having correct
# information.
# It is esp. important, to have correct metadata, for distributions like
# Fedora which don't keep old packages around. If you don't like this checking
# interupting your command line usage, it's much better to have something
# manually check the metadata once an hour (yum-updatesd will do this).
# metadata_expire=90m

# PUT YOUR REPOS HERE OR IN separate files named file.repo
# in /etc/yum.repos.d

[GhostRider2110]

curl and wget have errors trying to reach https site, repo.nagios.com:

[root@iganagios ~]# curl https://repo.nagios.com/nagios/6/repodata/repomd.xml:
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
[root@iganagios ~]# wget https://repo.nagios.com/nagios/6/repodata/repomd.xml:
--2018-09-26 16:07:32-- https://repo.nagios.com/nagios/6/repodata/repomd.xml:
Resolving repo.nagios.com... 72.14.181.71, 2600:f03c:91ff:fedf:b821
Connecting to repo.nagios.com|72.14.181.71|:443... connected.
ERROR: cannot verify repo.nagios.com’s certificate, issued by “/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA”:
Self-signed certificate encountered.
To connect to repo.nagios.com insecurely, use ‘--no-check-certificate’.

[GhostRider2110]

I think I figured out the issue.

The baseurl for both entries had http://... I change that to https:// and things are working again.

This can be closed.. Thanks

[GhostRider2110]

Well spoke to soon: Now there error:

Stopping nagios: .done.
Stopping nagios: No lock file found in /var/run/nagios.lock
Starting nagios: done.
UPGRADE: Nagios Core upgraded OK.
Fixing wkhtmltox version...
INSTALL: wkhtmltox is being installed...
--2018-09-26 16:34:23-- https://assets.nagios.com/downloads/nag ... x86_64.rpm
Resolving assets.nagios.com... 72.14.181.71, 2600:f03c:91ff:fedf:b821
Connecting to assets.nagios.com|72.14.181.71|:443... connected.
ERROR: cannot verify assets.nagios.com’s certificate, issued by “/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA”:
Self-signed certificate encountered.
To connect to assets.nagios.com insecurely, use ‘--no-check-certificate’.

[tgriep]

Does the Nagios server have direct access to the internet it is it going through a Proxy server or getting redirected through some sort of Network Device?

Add the following to /etc/wgetrc:

Code: Select all

check_certificate = off

Then try again. Do note this is not something you should leave in-place any longer than you need to for running the upgrade, as it will prevent the wget command from checking certificates.

[GhostRider2110]

Yes, well it's NAT'ed, but no proxy and this has worked from day one.. (for several years)
It was not until I tried the latest update that I ran into the problem

I'll try that workaround.

Thanks
Mitch