When using yum to install or update software packages through “yum install” or “yum update” commands, the following stop error occurred:

Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
Error: Cannot retrieve metalink for repository: epel. Please verify its path and try again

The error is related to inability to connect to external services via HTTPS (443) connection (EPEL repo uses HTTPS connection by default). There are many reasons that can cause this error, thus to resolve the issue, troubleshooting and understanding the underlying issue is important. Here’s several possible solutions for the error above.

One possible possibility is that the CA certificates installed on the system has became outdated, and hence cannot connect directly due to unverifiable certificate errors when getting the updated metalink file for EPEL via HTTPS. In this scenario, update the CA certificates package with the following command:

yum --disablerepo=epel -y update  ca-certificates

Note that you may also need to disable all repos that uses HTTPS protocol and are failing.

If the CA certifications are already latest with no update available, or if you absolutely cannot get through the cannot retrieve the repo path error, it’s possible to force the repository to use HTTP instead of HTTPS. However, do note that this may also indicate that your system is having other problems which you need to find out.

To do so, edit the repository configuration file in /etc/yum.repos.d/, e.g. vi /etc/yum.repos.d/epel.repo, and then comment out the entries that are starting with mirrorlist=, and then uncomment the entries that are starting with baseurl=. For example,

[epel]
name=Extra Packages for Enterprise Linux 6 - $basearch
baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch
#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Tip
You only need to change for the repos that are enabled, i.e. have enabled=1.

An alternative is to change the URL for the mirrorlist to HTTP, from HTTPS. You can do so easily with the following command:

sudo sed -i "s/mirrorlist=https/mirrorlist=http/" /etc/yum.repos.d/epel.repo

Or, edit manually /etc/yum.repos.d/epel.repo, the change the line from:

mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch

To:

mirrorlist=http://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch

It’s also possible to disable the SSL certificate check by adding following line into appreciate EPEL section of /etc/yum.repos.d/epel.repo:

sslverify=false

For example,

[epel]
name=Extra Packages for Enterprise Linux 6 - $basearch
baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch
#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
sslverify=false

Last but not least, as mentioned above, normally the HTTPS secure connection to retrieve repositories’ databases should work. It it doesn’t, it may hint at a larger problem. The error can also be caused by broken or corrupted packages, or failing yum and rpm functions, such as in the case of mismatched nss-softokn versions. Thus, if issue persisted after updating CA certificates, do check around for possible other issues.