[URL Verdict: Neutral][Non-DoD Source] Re: Attempting to configure an ISC BIND repository on Red Hat Linux 7.9
Michał Kępień
michal at isc.org
Mon May 9 11:52:42 UTC 2022
> Hello--sorry it took so long to respond. And I apologize for the length of this email.
>
> Yes, the curl command returns an xml file. I included an excerpt from the output:
>
> "About to connect() to download.copr.fedorainfracloud.org port 443 (#0)
> * Trying 13.32.153.64...
> * Connected to download.copr.fedorainfracloud.org (13.32.153.64) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * skipping SSL peer certificate verification
> * SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> * Server certificate:
> * subject: CN=download.copr.fedorainfracloud.org
> * start date: Nov 30 00:00:00 2021 GMT
> * expire date: May 11 19:03:32 2022 GMT
> * common name: download.copr.fedorainfracloud.org
> * issuer: CN=DoD WCF Signing CA 2,OU=WCF PKI,OU=DoD,O=U.S. Government,C=US

This really looks like on-path TLS interception to me - note the
certificate issuer in your output. This is certainly not the TLS
certificate I see for 13.32.153.64 from my vantage point (also note the
different cipher suite chosen, despite the same, stock RHEL 7 curl
version being used):

* About to connect() to download.copr.fedorainfracloud.org port 443 (#0)
* Trying 13.32.153.64...
* Connected to download.copr.fedorainfracloud.org (13.32.153.64) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=download.copr.fedorainfracloud.org
* start date: Nov 30 00:00:00 2021 GMT
* expire date: Dec 28 23:59:59 2022 GMT
* common name: download.copr.fedorainfracloud.org
* issuer: CN=Amazon,OU=Server CA 1B,O=Amazon,C=US

Given this, I am pretty certain that whatever transparent proxy
intercepts the HTTPS requests which yum sends from your host does not
like *something* about them and returns HTTP 503 Service Unavailable
errors. I am afraid you will have to figure out what that "something"
is yourself, though, because it looks like an environment-specific issue
to me at this point and not a problem with Copr itself.

Good luck!

--
Best regards,
Michał Kępień
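
The comparison made in the message above can be done mechanically. The following is an added example, not part of the original message or of any ISC or Copr tooling: it parses two `curl -v` captures and flags a certificate with the same subject but a different issuer. The function names `parse_curl_tls` and `compare_captures` are illustrative, and the sample text is the relevant lines of the two captures quoted above.

```python
import re

# Handshake facts printed by `curl -v` (NSS build, as in the output above).
FIELDS = {
    "cipher": re.compile(r"SSL connection using (\S+)"),
    "subject": re.compile(r"subject: (.+)"),
    "issuer": re.compile(r"issuer: (.+)"),
    "expires": re.compile(r"expire date: (.+)"),
}

def parse_curl_tls(text):
    """Return the first value of each field; '> ' quoting and '* ' prefixes are ignored."""
    facts = {}
    for line in text.splitlines():
        for name, rx in FIELDS.items():
            m = rx.search(line)
            if m and name not in facts:
                facts[name] = m.group(1).strip()
    return facts

def compare_captures(observed, reference):
    """Diff two captures; flag a same-subject leaf certificate issued by a different CA."""
    o, r = parse_curl_tls(observed), parse_curl_tls(reference)
    diffs = {k: (o.get(k), r.get(k)) for k in FIELDS if o.get(k) != r.get(k)}
    reissued = (o.get("subject") is not None and o.get("subject") == r.get("subject")
                and None not in (o.get("issuer"), r.get("issuer")) and "issuer" in diffs)
    return reissued, diffs

# The two captures from the message above, trimmed to the relevant lines.
OBSERVED = """\
> * SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> * subject: CN=download.copr.fedorainfracloud.org
> * expire date: May 11 19:03:32 2022 GMT
> * issuer: CN=DoD WCF Signing CA 2,OU=WCF PKI,OU=DoD,O=U.S. Government,C=US
"""
REFERENCE = """\
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* subject: CN=download.copr.fedorainfracloud.org
* expire date: Dec 28 23:59:59 2022 GMT
* issuer: CN=Amazon,OU=Server CA 1B,O=Amazon,C=US
"""

if __name__ == "__main__":
    reissued, diffs = compare_captures(OBSERVED, REFERENCE)
    print("leaf re-issued by a different CA:", reissued)
    for field, (seen, expected) in diffs.items():
        print(f"{field}: observed={seen!r} reference={expected!r}")
```

A reference capture has to come from a network path that is known not to be intercepted, as the second capture in the message does.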