Re: Attempting to configure an ISC BIND repository on Red Hat Linux 7.9

Michał Kępień michal at isc.org
Mon May 9 11:52:42 UTC 2022


> Hello--sorry it took so long to respond. And I apologize for the length of this email.
> 
> Yes, the curl command returns an xml file.  I included an excerpt from the output:
> 
> "About to connect() to download.copr.fedorainfracloud.org port 443 (#0)
> *   Trying 13.32.153.64...
> * Connected to download.copr.fedorainfracloud.org (13.32.153.64) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * skipping SSL peer certificate verification
> * SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> * Server certificate:
> *       subject: CN=download.copr.fedorainfracloud.org
> *       start date: Nov 30 00:00:00 2021 GMT
> *       expire date: May 11 19:03:32 2022 GMT
> *       common name: download.copr.fedorainfracloud.org
> *       issuer: CN=DoD WCF Signing CA 2,OU=WCF PKI,OU=DoD,O=U.S. Government,C=US

This really looks like on-path TLS interception to me - note the
certificate issuer in your output.  This is certainly not the TLS
certificate I see for 13.32.153.64 from my vantage point (also note the
different cipher suite chosen, despite the same, stock RHEL 7 curl
version being used):

    * About to connect() to download.copr.fedorainfracloud.org port 443 (#0)
    *   Trying 13.32.153.64...
    * Connected to download.copr.fedorainfracloud.org (13.32.153.64) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    * skipping SSL peer certificate verification
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    * 	subject: CN=download.copr.fedorainfracloud.org
    * 	start date: Nov 30 00:00:00 2021 GMT
    * 	expire date: Dec 28 23:59:59 2022 GMT
    * 	common name: download.copr.fedorainfracloud.org
    * 	issuer: CN=Amazon,OU=Server CA 1B,O=Amazon,C=US

Given this, I am pretty certain that whatever transparent proxy
intercepts the HTTPS requests which yum sends from your host does not
like *something* about them and returns HTTP 503 Service Unavailable
errors.  I am afraid you will have to figure out what that "something"
is yourself, though, because it looks like an environment-specific issue
to me at this point and not a problem with Copr itself.

Good luck!

-- 
Best regards,
Michał Kępień
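As an added example (not part of the thread or of any ISC code), the following Python check parses the "Server certificate:" block that an NSS-built curl -v prints, as in both transcripts above, and reports the mismatches Michał points to: same common name but a different issuer, corroborated by the differing cipher suite and expiry date. The sample inputs are the two transcripts quoted in the thread; the field names and regexes are this example's own assumptions about curl's output format.

```python
import re

# Both curl -v transcripts quoted in the thread (NSS-built curl on RHEL 7).
THROUGH_PROXY = """\
* SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=download.copr.fedorainfracloud.org
*       start date: Nov 30 00:00:00 2021 GMT
*       expire date: May 11 19:03:32 2022 GMT
*       common name: download.copr.fedorainfracloud.org
*       issuer: CN=DoD WCF Signing CA 2,OU=WCF PKI,OU=DoD,O=U.S. Government,C=US
"""
DIRECT = """\
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* \tsubject: CN=download.copr.fedorainfracloud.org
* \tstart date: Nov 30 00:00:00 2021 GMT
* \texpire date: Dec 28 23:59:59 2022 GMT
* \tcommon name: download.copr.fedorainfracloud.org
* \tissuer: CN=Amazon,OU=Server CA 1B,O=Amazon,C=US
"""

CIPHER_RE = re.compile(r"^\* SSL connection using (\S+)\s*$")
FIELD_RE = re.compile(r"^\*\s+(subject|start date|expire date|common name|issuer):\s*(.+?)\s*$")

def parse_curl_verbose(text: str) -> dict:
    """Extract the negotiated cipher suite and the certificate fields curl printed."""
    info = {}
    for line in text.splitlines():
        m = CIPHER_RE.match(line)
        if m:
            info["cipher"] = m.group(1)
            continue
        m = FIELD_RE.match(line)
        if m:
            info[m.group(1)] = m.group(2)
    return info

def interception_indicators(observed: dict, reference: dict) -> list:
    """Compare a local observation with one from an independent vantage point: same
    common name but a different issuer is the decisive signal; cipher/expiry corroborate."""
    findings = []
    if (observed.get("common name") == reference.get("common name")
            and observed.get("issuer") != reference.get("issuer")):
        findings.append("issuer differs: %s vs %s" % (observed.get("issuer"), reference.get("issuer")))
    for field in ("cipher", "expire date"):
        if observed.get(field) != reference.get(field):
            findings.append("%s differs: %s vs %s" % (field, observed.get(field), reference.get(field)))
    return findings
```

Run against the two transcripts, the comparison reports three mismatches for the proxied view and none when a capture is compared with itself; a reference capture taken from outside the affected network is what makes the issuer comparison meaningful.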


More information about the bind-users mailing list