Installing Passenger fails: "repomd.xml signature could not be verified for passenger" but works interactively

Hi all;

I’m pretty new to Ansible, but have generally made good progress with a playbook to set up a (vagrant) CentOS 7 box. One point of grief is my translation of Phusion’s instructions for installing Passenger, from here.

Running the following playbook (as root) fails with “[Errno -1] repomd.xml signature could not be verified for passenger” yet works perfectly when done interactively.

Any ideas what the difference is?

Thanks,
Tim

```
- name: Passenger | Add Phusion’s EL7 YUM repository
  shell: sudo curl --fail -sSLo /etc/yum.repos.d/passenger.repo https://oss-binaries.phusionpassenger.com/yum/definitions/el-passenger.repo

- name: Passenger | Set root as owner of passenger.repo and allow only root to read and write passenger.repo
  file: path=/etc/yum.repos.d/passenger.repo owner=root mode=600

- name: Passenger | Install mod_passenger
  yum: name={{ item }} state=present enablerepo=passenger
  with_items:
    - mod_passenger
```

Results in:

```
failed: [localhost] (item=[u'mod_passenger']) => {"failed": true, "invocation": {"module_args": {"conf_file": null, "disable_gpg_check": false, "disablerepo": null, "enablerepo": "passenger", "exclude": null, "install_repoquery": true, "list": null, "name": ["mod_passenger"], "state": "present", "update_cache": false, "validate_certs": true}, "module_name": "yum"}, "item": ["mod_passenger"], "msg": "Failure talking to yum: failure: repodata/repomd.xml from passenger: [Errno 256] No more mirrors to try.\nhttps://oss-binaries.phusionpassenger.com/yum/passenger/el/7/x86_64/repodata/repomd.xml: [Errno -1] repomd.xml signature could not be verified for passenger"}
```

Transcript of interactive installation:

```
[vagrant@test-httpd ~]$ sudo yum install -y mod_passenger
Loaded plugins: fastestmirror
base | 3.6 kB 00:00:00
epel/x86_64/metalink | 11 kB 00:00:00
epel | 4.3 kB 00:00:00
extras | 3.4 kB 00:00:00
passenger/7/x86_64/signature | 836 B 00:00:00
Retrieving key from https://packagecloud.io/gpg.key
Importing GPG key 0xD59097AB:
Userid : "packagecloud ops (production key) <ops@packagecloud.io>"
Fingerprint: 418a 7f2f b0e1 e6e7 eabf 6fe8 c2e7 3424 d590 97ab
passenger/7/x86_64/signature | 1.0 kB 00:00:00 !!!
passenger-source/7/signature


Total 337 kB/s | 6.4 MB 00:00:19
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
Userid : "Fedora EPEL (7) <epel@fedoraproject.org>"
Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
Package : epel-release-7-5.noarch (@extras)
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : selinux-policy-3.13.1-60.el7_2.3.noarch 1/8
Installing : 1:rubygem-rack-1.6.4-2.el7.noarch 2/8
Installing : rubygem-rake-0.9.6-25.el7_1.noarch 3/8
Installing : passenger-5.0.26-8.el7.x86_64 4/8
Installing : mod_passenger-5.0.26-8.el7.x86_64 5/8

Installed:
mod_passenger.x86_64 0:5.0.26-8.el7
Dependency Installed:
passenger.x86_64 0:5.0.26-8.el7 rubygem-rack.noarch 1:1.6.4-2.el7 rubygem-rake.noarch 0:0.9.6-25.el7_1

Dependency Updated:
selinux-policy.noarch 0:3.13.1-60.el7_2.3 selinux-policy-targeted.noarch 0:3.13.1-60.el7_2.3

Complete!
[vagrant@test-httpd ~]$
```

Hi Tim,

I had a similar issue with the VirtualBox repo. In my case, removing the line repo_gpgcheck=1 from the repo file (i.e. el-passenger.repo) helped.

Best Regards,
Kacper

On Sunday, 3 April 2016 14:18:00 UTC+2, TJG wrote:

Thanks, Kacper.

I’ll give that a shot!
Tim

DON'T! You lose all security provided by gpg signatures of the
packages. (Sorry for the yelling... ;-))

I would rather add the rpm-key with the corresponding module, the link
is in your output:

https://packagecloud.io/gpg.key

Johannes
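
An added example, not part of any post in this thread: a Python check that reads yum .repo text and reports sections where package or repository-metadata signature checking is not enabled, which is what removing repo_gpgcheck=1 can leave behind. The sample repo text, its option values and the function names are constructed for illustration; only the repo id, host and key URL come from the thread.

```python
import configparser

ENABLED = {"1", "true", "yes"}

# Constructed sample in yum .repo format. The repo id, host and key URL appear
# in the thread; the option values are illustrative, not Phusion's real file.
SAMPLE = """\
[passenger]
name=passenger
baseurl=https://oss-binaries.phusionpassenger.com/yum/passenger/el/$releasever/$basearch
repo_gpgcheck=1
gpgcheck=0
enabled=1
gpgkey=https://packagecloud.io/gpg.key
"""

def audit_repo_text(text):
    """Map each repo id to findings; [main] values from yum.conf are ignored."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    report = {}
    for repo in parser.sections():
        section = parser[repo]
        # An option counts as on only when the repo section sets it itself.
        on = {opt: section.get(opt, "").strip().lower() in ENABLED
              for opt in ("gpgcheck", "repo_gpgcheck")}
        findings = [f"{opt} is not explicitly enabled"
                    for opt, enabled in on.items() if not enabled]
        if not any(on.values()):
            findings.append("no signature check is enabled in this repo section")
        keys = section.get("gpgkey", "").split()
        if not keys:
            findings.append("no gpgkey configured")
        elif not all(k.startswith(("https://", "file://")) for k in keys):
            findings.append("gpgkey URL is not https:// or file://")
        report[repo] = findings
    return report

def drop_option(text, option):
    """Simulate the workaround from the thread: delete one option line."""
    kept = [ln for ln in text.splitlines() if not ln.startswith(option + "=")]
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    print("sample:", audit_repo_text(SAMPLE))
    print("repo_gpgcheck removed:",
          audit_repo_text(drop_option(SAMPLE, "repo_gpgcheck")))
```
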

Ah, okay. Good point, Johannes.

And, on RHEL, turning off the GPG check wouldn’t be a good plan anyways!

Tim

On CentOS-machines I use this snippet to install the epel-release
package and import the rpm-key:

```
- name: CentOS - install epel-release
  yum: name=epel-release state=latest
  when: ansible_os_family == "RedHat"

- name: CentOS - install epel-release Key
  rpm_key: key="/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}" state=present
  when: ansible_os_family == "RedHat"
```

Johannes

Johannes… I appreciate you sharing your snippet of code. That should save me some time!

Tim

This is the snippet that worked for me, in case anyone experiences the same problem:

```
# Extra Packages for Enterprise Linux (EPEL)
- name: Extra Packages for Enterprise Linux (EPEL)
  yum: name=epel-release state=latest
- name: EPEL repository key
  rpm_key:
    key: "/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}"
    state: present
```