Dnf issue with OCSP check / TLS cert

Ritov · April 22, 2024, 7:01pm

It seems that the OCSP check does not work reliable? Anyone seeing this?

# LANG=C yum update  --refresh
...
Rocky Linux 9 - BaseOS                                               0.0  B/s |   0  B     00:01    
Errors during downloading metadata for repository 'baseos':
  - Curl error (91): SSL server certificate status verification FAILED for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=BaseOS-9 [No OCSP response received]
Error: Failed to download metadata for repo 'baseos': Cannot prepare internal mirrorlist: Curl error (91): SSL server certificate status verification FAILED for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=BaseOS-9 [No OCSP response received]

An Let’s Encrypt infra issue?

Ritov · April 23, 2024, 5:49pm

I found out that our infra has sslverifystatus for all repos enabled. Until now, this never was a problem. I wonder who could address this issue, as OCSP is a common measure. mirrors.rockylinux.org is hosted by Fastly and OCSP status is normaly provided by the TLS terminating server (>Fastly). Any hints?

system · June 22, 2024, 5:49pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.