Dnf issue with OCSP check / TLS cert

Ritov · April 22, 2024, 7:01pm

It seems that the OCSP check does not work reliable? Anyone seeing this?

# LANG=C yum update  --refresh
...
Rocky Linux 9 - BaseOS                                               0.0  B/s |   0  B     00:01    
Errors during downloading metadata for repository 'baseos':
  - Curl error (91): SSL server certificate status verification FAILED for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=BaseOS-9 [No OCSP response received]
Error: Failed to download metadata for repo 'baseos': Cannot prepare internal mirrorlist: Curl error (91): SSL server certificate status verification FAILED for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=BaseOS-9 [No OCSP response received]

An Let’s Encrypt infra issue?

Ritov · April 23, 2024, 5:49pm

I found out that our infra has sslverifystatus for all repos enabled. Until now, this never was a problem. I wonder who could address this issue, as OCSP is a common measure. mirrors.rockylinux.org is hosted by Fastly and OCSP status is normaly provided by the TLS terminating server (>Fastly). Any hints?

Topic		Replies	Views
Mirrorlist for baseos-9 Infrastructure	2	1317	August 25, 2023
Rocky 9 yum update Curl error Rocky Linux General	7	8775	August 25, 2023
Mirror Sync failing for BaseOS, AppStream Community	1	487	August 25, 2023
Curl Panics unsafe legacy renegotiation disabled Rocky Linux General	4	13036	August 25, 2023
Http Proxy Help: Errors during downloading metadata for repository 'baseos': Rocky Linux General	4	3591	August 25, 2023

Dnf issue with OCSP check / TLS cert

Related Topics