How to Disable SSL Certificate Verification in RPM Package Manager on CentOS 7 Behind Proxy



Behind a corporate proxy on CentOS 7, RPM's reliance on curl for HTTPS transfers can produce SSL verification failures. The error you're seeing indicates the system doesn't trust the certificate chain from Fedora's repository.

For immediate package installation while troubleshooting, use this workaround. Because curl -k skips certificate verification for the download, check the package signature with rpm --checksig before installing it:

curl -k -O https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel-release-latest-7.noarch.rpm

1. Configure curl to trust your corporate CA:

sudo cp your_company_ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

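2. Permanent RPM SSL handling configuration:
Create or edit /etc/yum.conf. This file is read by yum, and sslverify=0 turns off certificate verification for the repositories it covers: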

[main]
sslverify=0
proxy=https://USERNAME:PASSWORD@my.proxy.com:8080/

RPM uses libcurl internally for HTTP/HTTPS operations. The error surfaces through RPM but originates from curl's SSL verification. Key configuration files:

  • /etc/curlrc (global curl config)
  • ~/.curlrc (user-specific)

For complex proxy environments, consider these additional steps:

export http_proxy=http://proxy.example.com:8080/
export https_proxy=http://proxy.example.com:8080/
export no_proxy="localhost,127.0.0.1,.internal.example.com"

While sslverify=0 works, it's not recommended for production: with TLS verification off, the GPG signature is the only remaining check on what gets installed. Better alternatives:

# Import repo GPG key
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

# Verify package signature
rpm --checksig package.rpm

For deeper investigation:

strace -f -e trace=network rpm -Uvh package.rpm 2>&1 | grep connect
curl -v https://dl.fedoraproject.org/pub/epel/

When working behind corporate proxies on CentOS 7, you might encounter SSL certificate verification failures when using RPM with HTTPS repositories. The error looks like this:

curl: (60) Peer's certificate issuer has been marked as not trusted by the user
error: skipping https://dl.fedoraproject.org/... - transfer failed

RPM actually uses libcurl under the hood for HTTPS transfers, which explains why you're seeing cURL errors during RPM operations. There are three approaches to solve this:

While RPM doesn't directly expose cURL's -k/--insecure flag, you can temporarily configure it:

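# Create temporary curl config (back up any existing ~/.curlrc first,
# because the redirect below would overwrite it)
[ -f ~/.curlrc ] && mv ~/.curlrc ~/.curlrc.bak
echo "insecure" > ~/.curlrc

# Retry your RPM command
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

# Remove the config when done and restore the backup
rm ~/.curlrc
[ -f ~/.curlrc.bak ] && mv ~/.curlrc.bak ~/.curlrc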

A more secure approach is to properly configure certificates:

# Install CA certificates
yum install ca-certificates

# Update the certificate bundle
update-ca-trust force-enable
update-ca-trust extract

# Configure proxy properly in /etc/yum.conf
echo "proxy=https://USERNAME:PASSWORD@my.proxy.com:8080" >> /etc/yum.conf

For persistent insecure connections (not recommended for production):

# Edit the global curl configuration
echo "insecure" | tee -a /etc/curlrc

# Or modify the rpm macros file
echo "%_curl_flags -k" >> /etc/rpm/macros.curl

When working behind MITM proxies, you might need to:

# Add proxy's CA certificate to the trust store
cp proxy-ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust extract

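# Or configure both proxy and no-verify
# Note: CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST are libcurl API
# option names set by programs that link the library; the curl command does
# not read them from the environment, so only https_proxy takes effect here.
export https_proxy=https://proxy.example.com:8080
export CURLOPT_SSL_VERIFYPEER=0
export CURLOPT_SSL_VERIFYHOST=0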

Test your configuration with:

curl -v https://google.com
strace -e trace=network rpm -q --whatprovides curl
rpm --eval '%_curl_flags'
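
Once the proxy CA is in the trust store, the insecure overrides shown above should not stay on the host. The script below is an added example, not part of the original page: it reports leftover sslverify=0, curl "insecure" and rpm macro settings, plus proxy credentials stored in yum configuration. The function names, the finding labels, the inclusion of /etc/yum.repos.d and the treatment of "no"/"false" as off are assumptions of this example, and the sample tree is constructed.

```bash
#!/bin/bash
# Added example: report leftover TLS-verification overrides under ROOT.
# File locations are the ones named on this page, plus /etc/yum.repos.d.

audit_tls_overrides() {
    local root f
    root="${1:-/}"; root="${root%/}"
    # yum: verification switched off, or proxy credentials stored in the file
    for f in "$root"/etc/yum.conf "$root"/etc/yum.repos.d/*.repo; do
        [ -f "$f" ] || continue
        grep -HnEi '^[[:space:]]*sslverify[[:space:]]*=[[:space:]]*(0|no|false)[[:space:]]*$' "$f" |
            sed 's/^/SSLVERIFY_OFF /'
        # credentials are masked in the report so the audit output stays clean
        grep -HnE '^[[:space:]]*proxy[[:space:]]*=[^#]*://[^/@]+:[^/@]+@' "$f" |
            sed -E 's/^/PROXY_CREDS /; s#(://)[^@]*@#\1***@#'
    done
    # curl config files: "insecure", "--insecure" or "-k" on a line of its own
    for f in "$root"/etc/curlrc "$root"/root/.curlrc "$root"/home/*/.curlrc; do
        [ -f "$f" ] || continue
        grep -HnE '^[[:space:]]*(-k|(--)?insecure)[[:space:]]*$' "$f" |
            sed 's/^/CURL_INSECURE /'
    done
    # rpm macro files that carry -k / --insecure
    for f in "$root"/etc/rpm/macros*; do
        [ -f "$f" ] || continue
        grep -HnE '(^|[[:space:]])(-k|--insecure)([[:space:]]|$)' "$f" |
            sed 's/^/RPM_MACRO_INSECURE /'
    done
    return 0
}

# Constructed sample tree reproducing the settings shown on this page.
make_sample_root() {
    local d
    d="$(mktemp -d)"
    mkdir -p "$d/etc/rpm" "$d/root"
    printf '[main]\nsslverify=0\nproxy=https://USERNAME:PASSWORD@my.proxy.com:8080/\n' \
        > "$d/etc/yum.conf"
    printf 'insecure\n' > "$d/root/.curlrc"
    printf '%%_curl_flags -k\n' > "$d/etc/rpm/macros.curl"
    printf '%s\n' "$d"
}

sample="$(make_sample_root)"
audit_tls_overrides "$sample"   # prints four findings for the sample tree
rm -rf "$sample"
```

On a real host, call audit_tls_overrides with no argument (as root, so that other users' ~/.curlrc files are readable); empty output means none of these overrides were found.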