Dnf update fails on ssl certificate problem

Installed the almalinux from DVD1 ISO in KVM hypervisor at home. Installation went fine and the end-result was a functioning Almalinux 8.4 installation.

However: I cannot update any packages, the problem seems to be with TLS/SSL and the mirrorlist.

The error is:

[lieven@localhost ~]$ sudo dnf update
[sudo] password for lieven: 
AlmaLinux 8 - BaseOS                                                                                                                                    0.0  B/s |   0  B     00:00    
Errors during downloading metadata for repository 'baseos':
  - Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirror.nl.altushost.com/almalinux/8/BaseOS/x86_64/os/repodata/repomd.xml [SSL certificate problem: EE certificate key too weak]
Error: Failed to download metadata for repo 'baseos': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried

So far I’ve tried the following and combinations of the following:

  • using a fixed mirror (from the website here → see above error) instead of the mirrorlist as it comes with the default dvd iso installation. (mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/baseos)

  • tried http (instead of https)

  • downloaded the letsencrypt ca intermediates in “/etc/pki/ca-trust/source/anchors/” and executed “update-ca-trust”

  • used update-crypto-policies to switch between DEFAULT, FUTURE and FIPS (enabled fips-mode-setup as well + reboot)

  • disabled GPG check (though I don’t really see how that has to do with the shown error :slight_smile: )

  • almost forgot: default install comes with old ca-certificates (ca-certificates-2020.2.41-80.0.el8_2.src.rpm) so I manually put the new one on the server and installed it with “sudo rpm -Uvh /tmp/ca-certificates-2021.2.50-80.0.el8_4.noarch.rpm”

What should I try next?

I had something similar a month or so ago. There is a discussion on the chat page but the upshot was that I had a faulty /etc/hosts.

Eugene Zamriy

8:14 PM

do you have a mirrors.almalinux.org record in your /etc/hosts?


8:15 PM

Yes, just got there. /etc/hosts has yet dig mirrors.almalinux.org yields and

Eugene Zamriy

8:15 PM

remove it please, that will resolve the problem

8:16 PM

you were our new mirror service beta-tester, but now that new service is working on production

1 Like

thanks MartinR but it’s not the solution here, my hosts file contains only the localhost entries. When I open the mirrors url, I come upon a page hosted at amazon. Again, I downloaded both authorities certs to the “/etc/pki/ca-trust/source/anchors/” location followed by “update-ca-trust”.

The error seems to indicate that something is wrong with the CA’s that I have however the above and installation of the ca’s rpm package earlier seem to indicate the problem is elsewhere.

I believe this has todo with the “EE certificate key too weak” message which I thought would be solved using the DEFAULT crypto policies thing which obviously didn’t work either.

This is probably related to this: Let's Encrypt DST Root CA X3 expiry Sept 30th 2021 | Certify The Web Docs

You should probably try another mirror by setting it manually in your config, until they get this resolved.

1 Like

Hi lielie,
did you manage the problem with CA certificates in the mean time?
I followed all your suggestions but still got stuck …
Any further suggestions welcome …

I just did a complete fresh install off the 8.5 minimal ISO into VMware and get the same thing. Cannot prepare internal mirrorlist…


I think it is caused to hardening configuration. If you select CIS Server Level 2(for example) on installation, crypto policies are set to future:

$ update-crypto-policies --show

Changing it to less restrictive policies will make you use that certificates
# update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT

Next you will need a reboot.

Best Regards,

PD: I change to DEFAULT The example policy that also worked, it is not needed to go back to legacy

1 Like

Hi Diego,

This just fixed update after new DVD installation for me. As you said, problem was because I picked security profile CIS Workstation.

Thank you!


You are welcome

Do you remember if it was Cis workstation Level 2 profile?

Best Regards,