Issue
Starting with CloudLinux OS 10, the mirror system is moving to a new architecture based on standard HTTPS. The legacy mirror system (custom SSL / XMLRPC) will not work with newer CloudLinux versions.
This article explains what is changing, whether you need to take action, and how to set up a new mirror if needed.
Environment
CloudLinux OS 10
Frequently Asked Questions
What is changing?
CloudLinux is transitioning from the legacy mirror system to a new one:
| Legacy system | New system | |
|---|---|---|
| Transport | XMLRPC with custom SSL certificates | Standard HTTPS with public CA certificates (e.g., Let's Encrypt) |
| Mirrorlist endpoint | cln-mirrors |
cl-mirrors |
| Partial mirrors | Not supported | Supported — mirror only the OS versions you need |
| Mirror management | Required custom SSL setup coordinated with CloudLinux | Customers can fully set up and control their own mirrors |
Why is the old system being replaced?
- License validation is now performed inside CloudLinux OS itself — mirrors no longer need authentication.
- Custom SSL certificates and XMLRPC transport added unnecessary complexity for both customers and CloudLinux.
- The new system uses standard HTTPS and standard
dnf/yummechanics, making mirrors simpler to set up, manage, and troubleshoot.
Do I need to do anything?
-
If you do NOT run your own mirror: No action is required. The transition happens automatically when the
rhn-client-toolsandcloudlinux-releasepackages are updated on your systems. -
If you run your own mirror: Yes. When migrating to CloudLinux OS 10 you will need to:
- Set up a new HTTPS mirror (or replace your legacy mirror endpoint).
- Contact CloudLinux Support to have the new mirror added to the mirror rotation.
In most cases you can reuse your existing storage — you only need to adjust the mirror layout/paths and transport.
Can I keep using my old mirror?
-
Older systems (CloudLinux OS 8, 9) temporarily can continue using the legacy
cln-mirrorsendpoint, however will be also switched to new system. -
CloudLinux OS 10 and newer require the new
cl-mirrorsendpoint. If your mirror only supports the legacy flow, updated clients will stop using it.
Can I use the same domain for both the old and the new mirror?
No. The legacy setup requires a custom SSL certificate bound to your domain, while the new setup requires a standard public CA certificate. These TLS requirements are incompatible on a single endpoint. You must use a separate domain or replace the old mirror entirely.
Do I need to mirror everything?
No. Partial mirrors are supported. You can mirror only the CloudLinux versions you need and provide the scope to CloudLinux Support.
Which CloudLinux versions use the new system?
Currently, only CloudLinux OS 10 uses the new mirror system. Support for older versions will be enabled gradually.
Setting Up a New Mirror
Requirements
Your mirror must meet these requirements to be included in the mirror service:
- HTTPS with a valid certificate from a public CA (e.g., Let's Encrypt)
-
Correct base paths:
https://your-mirror.example.com/swng/for the SWNG repository - No authentication required to download packages
-
Repository metadata accessible (
repodata/repomd.xmlmust be reachable) - Regular sync schedule (via cron or systemd timer)
Quick setup
- Prepare storage — plan for ~500 GB for SWNG.
- Sync from upstream using rsync:
# Mirror all SWNGrsync -avH --delete --numeric-ids --safe-links \ rsync://rsync.upstream.cloudlinux.com/SWNG/ \ /var/www/mirrors/swng/# Or mirror only CloudLinux 10rsync -avH --delete --numeric-ids --safe-links \ rsync://rsync.upstream.cloudlinux.com/SWNG/10/ \ /var/www/mirrors/swng/10/
- Expose via HTTPS — configure your web server with directory browsing and a valid certificate.
- Contact CloudLinux Support with the details listed below.
What to provide to Support
- Mirror URL (HTTPS), e.g.
https://mirror.example.com/swng/ - Public or private (if private: list of egress IPs/CIDRs)
- Geographic location (country/city)
- Available bandwidth/capacity
- Sync method and frequency
- Complete or partial (if partial: list of mirrored versions)
Verifying Your Mirror
Check connectivity to upstream
# DNS resolution
nslookup upstream.cloudlinux.com
# HTTPS connectivity
curl -fsSI https://upstream.cloudlinux.com/ | head
# RSync module listing
rsync rsync://rsync.upstream.cloudlinux.com/
Ensure your firewall allows outbound TCP 873 (rsync) and 443 (HTTPS) to upstream.cloudlinux.com.
Check your mirror is accessible
# Mirror root
curl -fsSI "https://mirror.example.com/swng/" | head
# Repository metadata (example for CL10 x86_64)
curl -fsSI "https://mirror.example.com/swng/10/x86_64/repodata/repomd.xml" | head
Common Issues
| Issue | Solution |
|---|---|
| Firewall blocks rsync/HTTPS | Allow outbound TCP 873 and 443. Allow inbound TCP 443 for clients. |
| DNS does not resolve | Check /etc/resolv.conf. Run nslookup upstream.cloudlinux.com. |
| Mirror returns 403 or 404 | Verify base paths and trailing slashes in your web server config. |
| Insufficient disk space | Run df -h. Consider syncing only the versions you need. |
| Certificate errors | Renew your certificate. Let's Encrypt auto-renewal is recommended. |
| Mirror not appearing in mirrorlist | Confirm mirrored versions match the scope you gave Support. For private mirrors, verify egress IPs. Allow time for propagation. |
Examples
For more examples, ready-to-use Ansible playbooks, and Docker Compose setups, refer to https://github.com/cloudlinux/cloudlinux-mirrors/
Useful Links
- Contact CloudLinux Support if you need assistance setting up your mirror or troubleshooting sync issues.
- For full technical documentation, see Repositories & Mirrors in the CloudLinux documentation.
- CloudLinux Mirror Setup on GitHub: https://github.com/cloudlinux/cloudlinux-mirrors/
Comments
0 comments
Please sign in to leave a comment.