Curl 60 error when updating system

I installed Rocky Linux 8.4 as a VM on a Proxmox host. The issue I’m having post-installation is that I can’t update the Rocky Linux system.

[jcole@rocky ~]$ dnf update
Rocky Linux 8 - AppStream 0.0 B/s | 0 B 00:01
Errors during downloading metadata for repository ‘appstream’:

How do I rectify the certificate error?

maybe this can help you : https://forums.rockylinux.org/t/clean-install-dnf-makecache-fails/3727/11

Looks like I traded one Curl error for another. It seems to timeout somewhere with the Rocky mirror. I have an Ubuntu server VM on the same host that doesn’t have this issue.

[jcole@rocky ~]$ sudo dnf update
Rocky Linux 8 - AppStream 4.5 kB/s | 561 kB 02:03
Errors during downloading metadata for repository ‘appstream’:

A timeout from one of the Rackspace mirrors definitely indicates network trouble on your end. Can you replicate the original problem (erroneous SSL certificate when retrieving the mirror list)?

I have installed Rocky 8.4 on a few machines and am having this issue on one of them. It was working fine for a while. I was developing an Ansible playbook for it, so there was a lot of running Ansible, fix bug, revert to snapshot cycles. Suddenly, I couldn’t install new packages. I get to following error:
Rocky Linux 8 - AppStream 0.0 B/s | 0 B 00:05
Errors during downloading metadata for repository ‘appstream’:

  • Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=AppStream-8 [SSL certificate problem: self signed certificate in certificate chain]
    Error: Failed to download metadata for repo ‘appstream’: Cannot prepare internal mirrorlist: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=AppStream-8 [SSL certificate problem: self signed certificate in certificate chain]
    I have re-installed the OS and the issue now shows up right out of the box. I tried minimal and full DBD ISOs. I checked out the link above, but that doesn’t seem to be the issue. I can install/update using http, but not https. The issue seems to be with the CA certificate.
    Any ideas on how to fix this?
    Thanks.

You should be able to directly test the URL with curl from the command line.
curl -v "https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=AppStream-8"
I just tested this from CentOS 8.4, and I’m not seeing the error.

I tried your suggestion, the curl failed, but I think I found out why. This server is setup in our DMZ and is using different DNS servers. When I changed the IP address and put it in our LAN with different DNS servers, the curl worked. I noticed a difference in the certificate issuer. From the LAN, the issuer is Let’s Encrypt. From the DMZ, the issuer is our firewall. I’m thinking the firewall has a self-signed cert and that’s what is being flagged. I’m not sure how to get around the issue, but with that curl command, I as least can do some more testing.
If you have any suggestions, I would love to hear them.
Thanks for the help.
LeeMan

Usually when a firewall is providing it’s own certificate for the connection, it means that it is decrypting the traffic to scan what is inside a HTTPS connection. You would need to ask your networking guys about this, since they would need to fix that to allow the connection to work. It could be failing because the DMZ doesn’t have rules to allow you to gain access to the internet, so you would need to get them to verify that you can actually make HTTP/HTTPS connections from your DMZ.

1 Like

I had this issue on a RockyLinux fresh install and solved changing from https to http the mirrorlist parameter on theses files:

/etc/yum.repos.d/Rocky-AppStream.repo
/etc/yum.repos.d/Rocky-BaseOS.repo
/etc/yum.repos.d/Rocky-Extras.repo

The update went smooth.

I know, I know… No SSL then… but it works…

1 Like

Apparently new installations are configured with a crypto policy of FUTURE (from upstream) which requires a stronger encryption. When I changed the setting to DEFAULT I was able to update without any problems.

update-crypto-policies --show
FUTURE

sudo update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT

Hopefully the repository certificates will be strengthened soon.

Natassia

1 Like

The default crypto policy is DEFAULT (otherwise it would be quite a misname?)
About the repository certificates in the context of crytpo policies there was a thread not so long ago - here is the link

Thankyou! This was a new installation of Rocky from a download to a USB stick and I didn’t remember changing the crypto settings BUT… then I remembered that part of the installation process allows you to select ?conformance? security levels according to industry/governmental standards. I chose one of them as an experiment (don’t remember which one) and it must have changed the crypto setting to FUTURE.

This doesn’t matter to me right now but I can imagine a situation where I wouldn’t be able to use Rocky (or at least the Rocky repositories) for a server that did require conformance.

Natassia

Perfecto. worked for me.

sudo update-crypto-policies --set DEFAULT

Thanks.

Same issue in RL 8.5. Tried several way showing in above to solve CA issue. By changing http to https in dnf.conf will work for dnf install/update. But in the other case it might have some problem.
Strange things is, 2 VM installed from same ISO with minimum install. But only 1 VM is facing CA issue. The rest is fine. VMs are running on KVM.

Thanks, luis.arao !

In Rocky Linux 9.0, in directory /etc/yum.repos.d/ .
We can to do same on following files: rocky-addons.repo, rocky-devel.repo, rocky-extras.repo, rocky.repo
Use vim and " :%s/https/http/g " for replacing in all lines.

Today I had the same issue today on Rocky 8.6. Curl also fails. After waiting 10 minutes I tried again and it worked. So perhaps the Rocky servers were doing some maintenance just now?

# curl -v https://mirrors.rockylinux.org/
*   Trying 199.232.194.132...
* TCP_NODELAY set
* Connected to mirrors.rockylinux.org (199.232.194.132) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I had this myself, on mattermost Neil explained it could have been due to Fastly CDN having issues. For me it also works now too.