You still get the problem when setting update-crypto-policies --set FUTURE:
[root@alma8cis ~]# dnf -vvv search geoip
Loaded plugins: builddep, changelog, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, groups-manager, needs-restarting, playground, repoclosure, repodiff, repograph, repomanage, reposync
DNF version: 4.4.2
cachedir: /var/cache/dnf
AlmaLinux 8 - BaseOS 0.0 B/s | 0 B 00:01
Errors during downloading metadata for repository 'baseos':
- Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.almalinux.org/mirrorlist/8/baseos [SSL certificate problem: EE certificate key too weak]
Error: Failed to download metadata for repo 'baseos': Cannot prepare internal mirrorlist: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.almalinux.org/mirrorlist/8/baseos [SSL certificate problem: EE certificate key too weak]
[root@alma8cis ~]# curl -vs https://mirrors.almalinux.org
* Rebuilt URL to: https://mirrors.almalinux.org/
* Trying 136.243.31.169...
* TCP_NODELAY set
* Connected to mirrors.almalinux.org (136.243.31.169) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, bad certificate (554):
* SSL certificate problem: EE certificate key too weak
* Closing connection 0
FIPS mode and DEFAULT work fine.
It's not the server cert (that's 4096-bit RSA), it's the Let's Encrypt intermediate (R3 ISRG Root X1) that is using 2048-bit RSA keys. It seems they're only just starting to test E1, which is using ECDSA keys, but once they make that generally available it should sort itself out next time you refresh your cert: Chains of Trust - Let's Encrypt
Note that Red Hat advise against using FUTURE mode anyway, and CIS say anything but LEGACY is fine.
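To see for yourself which link in the chain trips "EE certificate key too weak", here is an added shell helper (not posted by anyone in this thread) that pulls the chain a server actually sends and reports each certificate's key algorithm and size against the 3072-bit RSA minimum that the RHEL/AlmaLinux 8 FUTURE policy enforces. The function names are hypothetical; it only needs the openssl CLI.

```shell
#!/bin/bash
# Hypothetical helper, not from the thread: list every certificate in a
# server's TLS chain with its key type and size, and flag RSA keys that
# fall under the RHEL/AlmaLinux 8 FUTURE policy minimum (3072 bits),
# which is what produces "EE certificate key too weak" in curl and dnf.
FUTURE_RSA_MIN_BITS=3072

# Fetch the chain the server sends (leaf + intermediates, not the root) as PEM.
fetch_chain() {
    local host="$1"
    openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Report each certificate in a PEM bundle; return 1 if any RSA key is too weak.
check_pem_chain() {
    local pem_file="$1" weak=0 tmpdir cert subject algo bits verdict
    tmpdir=$(mktemp -d)
    # Split the bundle into one file per certificate, in chain order.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$pem_file"
    for cert in "$tmpdir"/cert*.pem; do
        [ -e "$cert" ] || continue
        subject=$(openssl x509 -in "$cert" -noout -subject)
        # The text dump carries "Public Key Algorithm: rsaEncryption" and
        # "Public-Key: (2048 bit)" (prefixed "RSA " on OpenSSL 1.1.1).
        algo=$(openssl x509 -in "$cert" -noout -text | sed -n 's/.*Public Key Algorithm: //p')
        bits=$(openssl x509 -in "$cert" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
        verdict="ok"
        if [ "$algo" = "rsaEncryption" ] && [ "${bits:-0}" -lt "$FUTURE_RSA_MIN_BITS" ]; then
            verdict="WEAK for FUTURE (RSA < $FUTURE_RSA_MIN_BITS)"
            weak=1
        fi
        echo "$algo $bits bit | $subject | $verdict"
    done
    rm -rf "$tmpdir"
    return "$weak"
}

# Usage against a live host (needs network):
#   fetch_chain mirrors.almalinux.org > /tmp/chain.pem && check_pem_chain /tmp/chain.pem
```

Because s_client -showcerts returns the chain the server presents, a 2048-bit intermediate shows up as WEAK even when the leaf itself is 4096-bit, which matches the diagnosis above.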
Anyway, back on topic, how do we test this?
The first time I tried a dnf search I saw this: determining the fastest mirror (8 hosts).. done.
But even if I run dnf clean all or --refresh, I don't see that anymore.
Browsing to https://mirrors.almalinux.org/isos/x86_64/8.4.html works, kinda. Like @wimrunner says, I get 3 in the UK, then one in the Netherlands, then another UK one, so it's not completely prioritizing the local country. What's the algorithm, is it ping/hops/geography…?
Also, mirror.nl.fusioned.net is listed as UK not NL on the page, contrary to:
$ geoiplookup mirror.nl.fusioned.net
GeoIP Country Edition: NL, Netherlands