As mentioned, it's entirely intermittent. The playbook action immediately prior to the failing step is to verify that the installed ca-certificates us up-to-date, which it is:
PG Bug reporting form <noreply@postgresql.org> writes: > In our automation we first install the PGDG Yum repo > pgdg-redhat-repo-latest.noarch.rpm and then install the individual > components needed by our applications and servers. Starting about a week > ago, with the expiration of the Let's Encrypt! CA cert, we've been > experiencing intermittent repo failures due to an expired SSL cert on one of > the repo mirrors.
This indicates out-of-date software on your end. We are aware of two possible sources of trouble:
* You might have a very out-of-date system trust store that doesn't list the "ISRG Root X1" root certificate as trusted.
* Versions of OpenSSL up through 1.0.2 or so won't believe that ISRG Root X1 is the cert to check for, as a result of a hack that Let's Encrypt are using to preserve compatibility with equally ancient Android installations. Details and possible workarounds are mentioned at [1].