Re: BUG #17224: Postgres Yum repo mirror has expired SSL certificate

As mentioned, it's entirely intermittent. The playbook action immediately
prior to the failing step is to verify that the installed ca-certificates
us up-to-date, which it is:

$ rpm -qa | grep ca-certificates
ca-certificates-2021.2.50-72.el7_9.noarch

Rerunning the playbook more often than gets past the issue, but this is
obviously not ideal for an automated environment.

On Tue, Oct 12, 2021, 10:52 Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> PG Bug reporting form <noreply(at)postgresql(dot)org> writes:
> > In our automation we first install the PGDG Yum repo
> > pgdg-redhat-repo-latest.noarch.rpm and then install the individual
> > components needed by our applications and servers. Starting about a week
> > ago, with the expiration of the Let's Encrypt! CA cert, we've been
> > experiencing intermittent repo failures due to an expired SSL cert on
> one of
> > the repo mirrors.
>
> This indicates out-of-date software on your end.
> We are aware of two possible sources of trouble:
>
> * You might have a very out-of-date system trust store that
> doesn't list the "ISRG Root X1" root certificate as trusted.
>
> * Versions of OpenSSL up through 1.0.2 or so won't believe
> that ISRG Root X1 is the cert to check for, as a result of
> a hack that Let's Encrypt are using to preserve compatibility
> with equally ancient Android installations. Details and
> possible workarounds are mentioned at [1].
>
> regards, tom lane
>
> [1]
> https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
>