I have installed Rocky 8.4 on a few machines and am having this issue on one of them. It was working fine for a while. I was developing an Ansible playbook for it, so there was a lot of running Ansible, fix bug, revert to snapshot cycles. Suddenly, I couldn’t install new packages. I get to following error:
Rocky Linux 8 - AppStream 0.0 B/s | 0 B 00:05
Errors during downloading metadata for repository ‘appstream’:
Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=AppStream-8 [SSL certificate problem: self signed certificate in certificate chain]
Error: Failed to download metadata for repo ‘appstream’: Cannot prepare internal mirrorlist: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=AppStream-8 [SSL certificate problem: self signed certificate in certificate chain]
I have re-installed the OS and the issue now shows up right out of the box. I tried minimal and full DBD ISOs. I checked out the link above, but that doesn’t seem to be the issue. I can install/update using http, but not https. The issue seems to be with the CA certificate.
Any ideas on how to fix this?
You should be able to directly test the URL with curl from the command line. curl -v "https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=AppStream-8"
I just tested this from CentOS 8.4, and I’m not seeing the error.
I tried your suggestion, the curl failed, but I think I found out why. This server is setup in our DMZ and is using different DNS servers. When I changed the IP address and put it in our LAN with different DNS servers, the curl worked. I noticed a difference in the certificate issuer. From the LAN, the issuer is Let’s Encrypt. From the DMZ, the issuer is our firewall. I’m thinking the firewall has a self-signed cert and that’s what is being flagged. I’m not sure how to get around the issue, but with that curl command, I as least can do some more testing.
If you have any suggestions, I would love to hear them.
Thanks for the help.
Usually when a firewall is providing it’s own certificate for the connection, it means that it is decrypting the traffic to scan what is inside a HTTPS connection. You would need to ask your networking guys about this, since they would need to fix that to allow the connection to work. It could be failing because the DMZ doesn’t have rules to allow you to gain access to the internet, so you would need to get them to verify that you can actually make HTTP/HTTPS connections from your DMZ.
Apparently new installations are configured with a crypto policy of FUTURE (from upstream) which requires a stronger encryption. When I changed the setting to DEFAULT I was able to update without any problems.
sudo update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT
Hopefully the repository certificates will be strengthened soon.
Thankyou! This was a new installation of Rocky from a download to a USB stick and I didn’t remember changing the crypto settings BUT… then I remembered that part of the installation process allows you to select ?conformance? security levels according to industry/governmental standards. I chose one of them as an experiment (don’t remember which one) and it must have changed the crypto setting to FUTURE.
This doesn’t matter to me right now but I can imagine a situation where I wouldn’t be able to use Rocky (or at least the Rocky repositories) for a server that did require conformance.
Same issue in RL 8.5. Tried several way showing in above to solve CA issue. By changing http to https in dnf.conf will work for dnf install/update. But in the other case it might have some problem.
Strange things is, 2 VM installed from same ISO with minimum install. But only 1 VM is facing CA issue. The rest is fine. VMs are running on KVM.