View Issue Details

IDProjectCategoryView StatusLast Update
0017790CentOS-7yumpublic2020-10-10 22:05
Reporterrksimon 
PriorityhighSeveritymajorReproducibilityalways
Status newResolutionopen 
Product Version7.8-2003 
Target VersionFixed in Version 
Summary0017790: Yum update fails with HTTP 403 error on repodata/repomd.xml fails, accessing url with cURL is OK
DescriptionNo proxy is defined, and there are no http proxies in the system

Yum updates fail, all repository URL's return 403

Case 1: in /etc/yum.repos.d/CentOS-Base.repo - baseurl is commented out, using mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra

[cdvadmin@catdv ~]$ sudo yum update
Loaded plugins: langpacks
Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=stock error was
14: HTTP Error 403 - Forbidden


 One of the configured repositories failed (Unknown),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Run the command with the repository temporarily disabled
            yum --disablerepo=<repoid> ...

     4. Disable the repository permanently, so yum won't use it by default. Yum
        will then just ignore the repository until you permanently enable it
        again or use --enablerepo for temporary usage:

            yum-config-manager --disable <repoid>
        or
            subscription-manager repos --disable=<repoid>

     5. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=<repoid>.skip_if_unavailable=true

Cannot find a valid baseurl for repo: base/7/x86_64

Case 2 in /etc/yum.repos.d/CentOS-Base.repo - mirrorlist is commented out, using baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/

[cdvadmin@catdv ~]$ sudo yum update
Loaded plugins: langpacks
http://mirror.centos.org/centos/7/os/x86_64/repodata/repomd.xml: [Errno 14] HTTP Error 403 - Forbidden
Trying other mirror.
To address this issue please refer to the below wiki article

https://wiki.centos.org/yum-errors

If above article doesn't help to resolve this issue please use https://bugs.centos.org/.



 One of the configured repositories failed (CentOS-7 - Base),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Run the command with the repository temporarily disabled
            yum --disablerepo=base ...

     4. Disable the repository permanently, so yum won't use it by default. Yum
        will then just ignore the repository until you permanently enable it
        again or use --enablerepo for temporary usage:

            yum-config-manager --disable base
        or
            subscription-manager repos --disable=base

     5. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=base.skip_if_unavailable=true

failure: repodata/repomd.xml from base: [Errno 256] No more mirrors to try.
http://mirror.centos.org/centos/7/os/x86_64/repodata/repomd.xml: [Errno 14] HTTP Error 403 - Forbidden

[cdvadmin@catdv ~]$ sudo curl -v "http://mirror.centos.org/centos/7/os/x86_64/repodata/repomd.xml"
* About to connect() to mirror.centos.org port 80 (#0)
* Trying 78.129.150.37...
* Connected to mirror.centos.org (78.129.150.37) port 80 (#0)
> GET /centos/7/os/x86_64/repodata/repomd.xml HTTP/1.1
> User-Agent: curl/7.29.0
> Host: mirror.centos.org
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sat, 10 Oct 2020 17:39:49 GMT
< Server: Apache/2.4.6 (CentOS)
< X-Xss-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Referrer-Policy: same-origin
< X-Frame-Options: SAMEORIGIN
< Last-Modified: Tue, 21 Apr 2020 23:37:50 GMT
< ETag: "e98-5a3d580f3c11f"
< Accept-Ranges: bytes
< Content-Length: 3736
< Content-Type: text/xml
<
<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm">
 <revision>1587512243</revision>
<data type="group">
  <checksum type="sha256">cca56f3cffa18f1e52302dbfcf2f0250a94c8a37acd8347ed6317cb52c8369dc</checksum>
  <location href="repodata/cca56f3cffa18f1e52302dbfcf2f0250a94c8a37acd8347ed6317cb52c8369dc-c7-x86_64-comps.xml"/>
  <timestamp>1587512270</timestamp>
  <size>744670</size>
</data>
<data type="filelists">
  <checksum type="sha256">d32de2aea425b1c121b5aa9040f15c3d30c9b1c10b0dcbfaa3407c869e3e69e6</checksum>
  <open-checksum type="sha256">63f5b23f2a9ab401683fb90699ebaff5f2e1407a939fd8f01c65d1863ad8bed0</open-checksum>
  <location href="repodata/d32de2aea425b1c121b5aa9040f15c3d30c9b1c10b0dcbfaa3407c869e3e69e6-filelists.xml.gz"/>
  <timestamp>1587512256</timestamp>
  <size>7469883</size>
  <open-size>108041923</open-size>
</data>
<data type="group_gz">
  <checksum type="sha256">a4e2b46586aa556c3b6f814dad5b16db5a669984d66b68e873586cd7c7253301</checksum>
  <open-checksum type="sha256">cca56f3cffa18f1e52302dbfcf2f0250a94c8a37acd8347ed6317cb52c8369dc</open-checksum>
  <location href="repodata/a4e2b46586aa556c3b6f814dad5b16db5a669984d66b68e873586cd7c7253301-c7-x86_64-comps.xml.gz"/>
  <timestamp>1587512270</timestamp>
  <size>156763</size>
</data>
<data type="primary">
  <checksum type="sha256">513e52a5206d5c03f193f7e35a5634fa9689415961cde425624fc891a62f55a8</checksum>
  <open-checksum type="sha256">52657270fbaeb2d8721acbd7727303aa151668353b0fedaed9bcbac4e0d74f88</open-checksum>
  <location href="repodata/513e52a5206d5c03f193f7e35a5634fa9689415961cde425624fc891a62f55a8-primary.xml.gz"/>
  <timestamp>1587512256</timestamp>
  <size>2994117</size>
  <open-size>28028167</open-size>
</data>
<data type="primary_db">
  <checksum type="sha256">f09552edffa70f49f553e411c2282fbccfffbeafa21e81e32622b103038b8bae</checksum>
  <open-checksum type="sha256">56d1f4463613a2a79381a2d3e23970d3676da23a8174252b6aa6517c3c28d2de</open-checksum>
  <location href="repodata/f09552edffa70f49f553e411c2282fbccfffbeafa21e81e32622b103038b8bae-primary.sqlite.bz2"/>
  <timestamp>1587512270</timestamp>
  <database_version>10</database_version>
  <size>6350223</size>
  <open-size>31612928</open-size>
</data>
<data type="other_db">
  <checksum type="sha256">e1e7ec29a1611d9c2d4392139e11889645b2eeac53b7b0351d3fc3d881e77930</checksum>
  <open-checksum type="sha256">f80f2caf22da43bd7a06c39a80175401444ee49e5de02ba333ea1399b9c6f48a</open-checksum>
  <location href="repodata/e1e7ec29a1611d9c2d4392139e11889645b2eeac53b7b0351d3fc3d881e77930-other.sqlite.bz2"/>
  <timestamp>1587512259</timestamp>
  <database_version>10</database_version>
  <size>2681194</size>
  <open-size>18609152</open-size>
</data>
<data type="other">
  <checksum type="sha256">df075017dc5a54decc92ab0e5626aa0ab6b6b0ddb764cc2b59b09c767e103415</checksum>
  <open-checksum type="sha256">0b689aff797abaf469c8b6e069a041b4446caf81b00a0226dda17115d47ca094</open-checksum>
  <location href="repodata/df075017dc5a54decc92ab0e5626aa0ab6b6b0ddb764cc2b59b09c767e103415-other.xml.gz"/>
  <timestamp>1587512256</timestamp>
  <size>1627604</size>
  <open-size>20192270</open-size>
</data>
<data type="filelists_db">
  <checksum type="sha256">6882feea31727f25dc12063b4bab119501d25dbf6cb6fa0f5b78b8e3d5401ea4</checksum>
  <open-checksum type="sha256">60ba8b8bf24790e2b517e0e322cc54cdecd57a548db527b350c669955d382da7</open-checksum>
  <location href="repodata/6882feea31727f25dc12063b4bab119501d25dbf6cb6fa0f5b78b8e3d5401ea4-filelists.sqlite.bz2"/>
  <timestamp>1587512266</timestamp>
  <database_version>10</database_version>
  <size>7492887</size>
  <open-size>49159168</open-size>
</data>
</repomd>
* Connection #0 to host mirror.centos.org left intact
Additional InformationIssue first began Friday morning US East timezone. Issue continues as of Saturday afternoon US East time.

yum.conf:

[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release


# This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
# download the new metadata and "pay" for it by yum not having correct
# information.
# It is esp. important, to have correct metadata, for distributions like
# Fedora which don't keep old packages around. If you don't like this checking
# interupting your command line usage, it's much better to have something
# manually check the metadata once an hour (yum-updatesd will do this).
# metadata_expire=90m

# PUT YOUR REPOS HERE OR IN separate files named file.repo
# in /etc/yum.repos.d

/etc/yum.repos.d/CentOS-Base.repo

TagsNo tags attached.
abrt_hash
URL

Activities

rksimon

rksimon

2020-10-10 21:36

reporter   ~0037805

Hi Manuel-

Would you please clarify the syntax, would this be testing:

mirrorlist=http://mirror.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra

or

baseurl=http://mirrorlist.centos.org/centos/$releasever/os/$basearch/
baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/

Thanks,

Rachel
ManuelWolfshant

ManuelWolfshant

2020-10-10 22:05

manager   ~0037806

by default Centos-Base.repo contains:

name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1

with similar definitions for the other regular repos ( updates / extras / centosplus )
baseurl should NOT point to mirrorlist.centos.org and mirrorlist should not point to mirror.c.o, if this what you were asking.

My previous ( now deleted ) note was trying to identify if your local DNS hijacks the centos.org domain. For the simple reason that there are millions of centos instances which do not exhibit the issues you faced and your problems are most likely explained by a stupid proxy or by a stupid DNS. but the curl invocation showed a valid value i.e. an official centos mirror ( which I did not notice initially ) so I assumed previously yum also used an official mirror.

Issue History

Date Modified Username Field Change
2020-10-10 17:44 rksimon New Issue
2020-10-10 21:36 rksimon Note Added: 0037805
2020-10-10 22:05 ManuelWolfshant Note Added: 0037806