How to create and host a local yum repository using HTTP/HTTPS?
Environment
- Red Hat Enterprise Linux 9
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 7
Issue
- Need to create a local yum repository configured to use http/s.
- Need to modify our local yum repository to use http/s.
Resolution
Server Configuration
- Install the packages for the HTTP web server:
    # yum install @web-server
  or
    # yum install httpd mod_ssl
  NOTE: Make sure the repository content (the Packages and repodata directories) has already been downloaded to the server, either from the installation DVD or with reposync, following the respective procedure for RHEL 7, RHEL 8 and RHEL 9.
For HTTP:
- If the firewall is running, allow the http service:
    # firewall-cmd --state
    running
    # firewall-cmd --add-service=http --permanent
    success
    # firewall-cmd --reload
    success
- Check the httpd configuration, then enable and start the httpd service. By default, content under /var/www/html is served:
    # httpd -t
    # systemctl enable httpd
    # systemctl start httpd
For HTTPS (Secure HTTP): [Optional]
- If the firewall is running, allow the https service:
    # firewall-cmd --state
    running
    # firewall-cmd --add-service=https --permanent
    success
    # firewall-cmd --reload
    success
- Generate the certificate.
  For RHEL 7:
    # openssl genrsa -out /var/lib/yum/server.key 2048
    # openssl req -new -x509 -text -key /var/lib/yum/server.key -out /var/lib/yum/server.cert
    # chmod 600 /var/lib/yum/server.key
  For RHEL 8 and later:
    # openssl genrsa -out /var/lib/dnf/server.key 2048
    # openssl req -new -x509 -text -key /var/lib/dnf/server.key -out /var/lib/dnf/server.cert
    # chmod 600 /var/lib/dnf/server.key
  Note: The Common Name (CN) entered while creating the certificate must match the hostname or IP address used in the baseurl of the repository configuration. Modern TLS clients (yum and dnf go through libcurl) compare the baseurl host against the certificate's Subject Alternative Name (SAN) as well, so put the same hostname or IP address there too; a mismatch makes the client reject the repository as long as sslverify is enabled.
- Modify ssl.conf to use your new certificate and key, or add these entries to your <VirtualHost *:443> entry. /etc/httpd/conf.d/ssl.conf has a pre-defined structure and syntax provided by the mod_ssl package.
  For RHEL 7:
    # vi /etc/httpd/conf.d/ssl.conf
    SSLCertificateFile /var/lib/yum/server.cert
    SSLCertificateKeyFile /var/lib/yum/server.key
  For RHEL 8 and later:
    # vi /etc/httpd/conf.d/ssl.conf
    SSLCertificateFile /var/lib/dnf/server.cert
    SSLCertificateKeyFile /var/lib/dnf/server.key
- If SELinux is enabled, change the label of server.cert and server.key so that the httpd process is allowed to read them (semanage is provided by policycoreutils-python on RHEL 7 and policycoreutils-python-utils on RHEL 8 and later):
  For RHEL 7:
    # semanage fcontext -a -s system_u -t cert_t /var/lib/yum/server.cert
    # semanage fcontext -a -s system_u -t cert_t /var/lib/yum/server.key
    # restorecon -vF /var/lib/yum/server.key /var/lib/yum/server.cert
  For RHEL 8 and later:
    # semanage fcontext -a -s system_u -t cert_t /var/lib/dnf/server.cert
    # semanage fcontext -a -s system_u -t cert_t /var/lib/dnf/server.key
    # restorecon -vF /var/lib/dnf/server.key /var/lib/dnf/server.cert
- Restart the httpd service:
    # systemctl restart httpd
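The server-side steps above can be collected into one script. The following is an added example and not part of the Red Hat article: instead of editing ssl.conf it drops a dedicated vhost into /etc/httpd/conf.d, generates a self-signed certificate that carries the host in the SAN (the -addext option needs OpenSSL 1.1.1, i.e. RHEL 8 or later), and keeps the key and certificate under /etc/pki/tls, where the default SELinux policy already applies cert_t, so no semanage step is needed for them. The host name repo.example.com, the drop-in file name local-repo.conf and the DocumentRoot /var/www/html/repo are assumptions chosen for the demonstration; createrepo_c is the RHEL 8+ package name (RHEL 7 ships createrepo).

```shell
#!/bin/sh
# Added example, not from the Red Hat article: HTTPS side of a local repo
# server as a dedicated httpd drop-in. Host name, drop-in name and
# DocumentRoot below are assumptions for the demonstration.

# san_for_host HOST -> the subjectAltName entry to put in the certificate.
# yum/dnf (via libcurl) match the baseurl host against the SAN; an IPv4
# address must be encoded as IP:, not DNS:, or verification fails.
san_for_host() {
    case $1 in
        *[!0-9.]*) printf 'DNS:%s\n' "$1" ;;
        *)         printf 'IP:%s\n' "$1" ;;
    esac
}

# make_selfsigned_cert HOST KEYFILE CERTFILE -> 2048-bit RSA key plus a
# self-signed certificate with HOST in both CN and SAN (OpenSSL 1.1.1+).
make_selfsigned_cert() {
    san=$(san_for_host "$1")
    openssl req -x509 -newkey rsa:2048 -nodes -days 825 \
        -subj "/CN=$1" -addext "subjectAltName=$san" \
        -keyout "$2" -out "$3"
    chmod 600 "$2"
}

# repo_vhost_conf HOST DOCROOT CERTFILE KEYFILE -> httpd vhost text that
# serves DOCROOT only over TLS 1.2+, with directory listings for browsing
# and without FollowSymLinks, so a stray symlink cannot expose files
# outside the repo tree.
repo_vhost_conf() {
    cat <<EOF
<VirtualHost *:443>
    ServerName $1
    DocumentRoot "$2"
    SSLEngine on
    SSLCertificateFile    $3
    SSLCertificateKeyFile $4
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    <Directory "$2">
        Options Indexes
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# apply_server_config HOST [DOCROOT] -> run as root on the repo server.
apply_server_config() {
    host=$1
    docroot=${2:-/var/www/html/repo}
    yum -y install httpd mod_ssl createrepo_c
    mkdir -p "$docroot"
    make_selfsigned_cert "$host" /etc/pki/tls/private/repo.key /etc/pki/tls/certs/repo.crt
    repo_vhost_conf "$host" "$docroot" /etc/pki/tls/certs/repo.crt /etc/pki/tls/private/repo.key \
        > /etc/httpd/conf.d/local-repo.conf
    createrepo_c --update "$docroot"        # (re)build repodata/ from the RPMs in DOCROOT
    case $docroot in
        /var/www/*) ;;                       # default policy already labels this tree
        *) semanage fcontext -a -t httpd_sys_content_t "$docroot(/.*)?"
           restorecon -R "$docroot" ;;
    esac
    firewall-cmd --add-service=https --permanent && firewall-cmd --reload
    httpd -t && systemctl enable --now httpd
    # Check the result the way a client would: trust the server certificate
    # explicitly instead of turning verification off.
    curl --cacert /etc/pki/tls/certs/repo.crt -fsI "https://$host/" >/dev/null \
        && echo "repository reachable over TLS as $host"
}

if [ "${1:-}" = "apply" ]; then
    apply_server_config "$2" "${3:-}"
fi
```

Run it as root on the server with `sh local-repo-server.sh apply repo.example.com` (an optional third argument overrides the DocumentRoot). The default `_default_:443` vhost from ssl.conf stays in place for other names; the repo vhost is selected by SNI for repo.example.com. Clients then only need /etc/pki/tls/certs/repo.crt in their trust store and can leave sslverify at its default.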
Client Configuration
- If the HTTPS server is configured, copy the self-signed certificate into the client's trust store (on RHEL, place it in /etc/pki/ca-trust/source/anchors/ and run update-ca-trust).
  Note: If the certificate is signed by an internal CA, add the full trust chain to the host's trust store.
- Now create a .repo file.
  For an HTTP repo:
    # vi /etc/yum.repos.d/http.repo
    [http-repo]
    name=Local http repository
    baseurl=http://<ip-address>/<repo-id>/
    enabled=1
    gpgcheck=0
  For an HTTPS repo:
    # vi /etc/yum.repos.d/https.repo
    [https-repo]
    name=Local https repository
    baseurl=https://<ip-address>/<repo-id>/
    enabled=1
    sslverify=true
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
  Note:
  - Replace <ip-address> with the HTTP server's IP address. A hostname can also be used if DNS is configured; for HTTPS it must match the name in the server certificate.
  - gpgcheck=0 in the HTTP example skips package signature verification. Over plaintext HTTP that leaves nothing protecting the packages in transit, so prefer gpgcheck=1 with the gpgkey entry shown in the HTTPS example (the Red Hat release key file is installed on every RHEL system).
  - For RHEL 8 and later, the BaseOS and AppStream repositories should be created as separate entries, each with the baseurl of its own directory on the HTTP server.
- Replace
Additional Note
- To enable GPG checks, set gpgcheck=1 and the gpgkey entry in the repository definition, as in the HTTPS example above. Make sure the gpgkey you reference is the key that actually signed the packages: the key ID shown in the gpgkey file and the Key ID in the package signature must match (fd431d51 here).
    # grep ^pub /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
    pub 4096R/FD431D51 2009-10-22 Red Hat, Inc. (release key 2) <security@redhat.com>
    # rpm -qip bash-5.1.8-6.el9_1.x86_64.rpm | grep Signature
    Signature : RSA/SHA256, Thu 24 Nov 2022 12:09:39 PM EST, Key ID 199e2f91fd431d51
- sslverify=true is the default. If you do not add the server certificate (or its CA chain) to the client's ca-trust, the only way to reach the repository is sslverify=false, which disables certificate verification and removes the authentication HTTPS was meant to provide. Add the certificate to the trust store instead of turning verification off.
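The client-side settings above (the .repo file and the two notes on gpgcheck and sslverify) are easy to get wrong silently: a missing gpgkey, gpgcheck left at its default of 0, or sslverify=false all make the repository "work" while dropping the verification. The following is an added example, not from the Red Hat article, that lints a .repo file for exactly those conditions. The two sample files it writes (weak.repo and hardened.repo) are constructed for the demonstration; the host names and paths in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: lint .repo files for settings
# that remove the integrity and authentication guarantees of a local repo.
# The sample files written by make_samples are constructed for this demo.

# repo_get FILE SECTION KEY -> value of KEY inside [SECTION], empty if absent
repo_get() {
    awk -v sect="[$2]" -v key="$3" '
        /^[ \t]*\[/ { line = $0; gsub(/[ \t\r]/, "", line); insect = (line == sect); next }
        insect && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit
        }' "$1"
}

# repo_sections FILE -> one section name per line
repo_sections() {
    sed -n 's/^ *\[\([^]]*\)\].*/\1/p' "$1"
}

# lint_repo_file FILE -> prints one finding per line; returns 1 if any
lint_repo_file() {
    lint_n=0
    for sect in $(repo_sections "$1"); do
        baseurl=$(repo_get "$1" "$sect" baseurl)
        gpgcheck=$(repo_get "$1" "$sect" gpgcheck)
        gpgkey=$(repo_get "$1" "$sect" gpgkey)
        sslverify=$(repo_get "$1" "$sect" sslverify)
        case $baseurl in
            http://*)
                echo "[$sect] baseurl is plaintext http: metadata and packages can be altered in transit"
                lint_n=$((lint_n + 1)) ;;
        esac
        case $gpgcheck in
            1|true|yes|True|Yes)
                # gpgcheck on but no key configured: only works if the key was
                # already imported with rpm --import, otherwise installs fail.
                if [ -z "$gpgkey" ]; then
                    echo "[$sect] gpgcheck is on but no gpgkey= is set"
                    lint_n=$((lint_n + 1))
                fi ;;
            *)
                echo "[$sect] gpgcheck=${gpgcheck:-unset (default 0)}: package signatures are not verified"
                lint_n=$((lint_n + 1)) ;;
        esac
        case $sslverify in
            0|false|no|False|No)
                echo "[$sect] sslverify=$sslverify: server certificate is not verified, HTTPS gives no authentication"
                lint_n=$((lint_n + 1)) ;;
        esac
    done
    [ "$lint_n" -eq 0 ]
}

# make_samples DIR -> writes weak.repo and hardened.repo (constructed samples)
make_samples() {
    cat > "$1/weak.repo" <<'EOF'
[http-repo]
name=Local http repository
baseurl=http://10.0.0.5/rhel9/BaseOS/
enabled=1
gpgcheck=0

[https-repo]
name=Local https repository
baseurl=https://10.0.0.5/rhel9/BaseOS/
enabled=1
sslverify=false
gpgcheck=1
EOF
    cat > "$1/hardened.repo" <<'EOF'
[rhel9-baseos]
name=Local RHEL 9 BaseOS
baseurl=https://repo.example.com/rhel9/BaseOS/
enabled=1
sslverify=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

[rhel9-appstream]
name=Local RHEL 9 AppStream
baseurl=https://repo.example.com/rhel9/AppStream/
enabled=1
sslverify=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
EOF
}

SAMPLE_DIR=$(mktemp -d)
make_samples "$SAMPLE_DIR"
for f in weak hardened; do
    if lint_repo_file "$SAMPLE_DIR/$f.repo"; then
        echo "$f.repo: OK"
    else
        echo "$f.repo: needs attention"
    fi
done
```

Point lint_repo_file at the real files (`for f in /etc/yum.repos.d/*.repo; do lint_repo_file "$f"; done`) after writing them; the hardened sample also shows the RHEL 8+ layout with BaseOS and AppStream as separate entries that share one gpgkey.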
Diagnostic Steps
Customized DocumentRoot
- The default DocumentRoot for httpd is /var/www/html, as set in /etc/httpd/conf/httpd.conf. If the repository directory needs to be somewhere other than /var/www/html, change the entries below accordingly. Options Indexes is what lets clients (and people) browse the tree; FollowSymLinks is not needed for a repository and lets a symlink inside the tree expose files from outside it, so drop it unless you rely on it.
    # vi /etc/httpd/conf/httpd.conf
    DocumentRoot "/var/www/html"
    <Directory "/var/www">
        AllowOverride None
        # Allow open access:
        Require all granted
    </Directory>
    <Directory "/var/www/html">
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
SELinux
- If SELinux is Enforcing, the content under /var/www/html, or whichever directory holds the Packages and repodata, must carry the httpd_sys_content_t context; a directory outside /var/www does not get it by default, and httpd then answers 403 for the repository. If the context is wrong, fix it with:
    # semanage fcontext -a -t httpd_sys_content_t "/var/www/html/repo(/.*)?"
    # restorecon -vR /var/www/html/repo
    # ls -ldZ /var/www/html/repo
    dr-xr-xr-x. 2 root root system_u:object_r:httpd_sys_content_t:s0 61440 Dec 21 21:02 /var/www/html/repo
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.