I’ve problem do update on this rockline.

dnf update

Rocky Linux 8 - AppStream 0.0 B/s | 0 B 00:00
Errors during downloading metadata for repository ‘appstream’:

• Curl error (77): Problem with the SSL CA cert (path? access rights?) for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=AppStream-8 [error setting certificate verify locations:
  CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none]
  Error: Failed to download metadata for repo ‘appstream’: Cannot prepare internal mirrorlist: Curl error (77): Problem with the SSL CA cert (path? access rights?) for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=AppStream-8 [error setting certificate verify locations:
  CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none]

I’ve done this already…

dnf clean all && rm -r /var/cache/dnf && dnf upgrade -y && dnf update -y

but it didn’t solve the problem. Please help…

cat /etc/rocky-release

Rocky Linux release 8.4 (Green Obsidian)

Hi,

Please try:

dnf reinstall ca-certificates

Thanks Tom.

dnf refused to run…dnf reinstall ca-certificates resulting the same error.

dnf reinstall ca-certificates

Rocky Linux 8 - AppStream 0.0 B/s | 0 B 00:00
Errors during downloading metadata for repository ‘appstream’:

• Curl error (77): Problem with the SSL CA cert (path? access rights?) for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=AppStream-8 [error setting certificate verify locations:
  CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none]
  Error: Failed to download metadata for repo ‘appstream’: Cannot prepare internal mirrorlist: Curl error (77): Problem with the SSL CA cert (path? access rights?) for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=AppStream-8 [error setting certificate verify locations:
  CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none]

Hi,

Couple of other things you could try:

update-ca-trust
dnf reinstall ca-certificates

Or temporarily disable ssl verify for dnf:

set sslverify=0 into /etc/dnf/dnf.conf
dnf reinstall ca-certificates
set sslverify=1 into /etc/dnf/dnf.conf

Hopefully one of these, will get dnf update working again.

Regards Tom.

Nop!! Tried all your proposed methods. It’s all ended up to the same error message:

set sslverify=0 into /etc/dnf/dnf.conf

dnf reinstall ca-certificates

Rocky Linux 8 - AppStream 0.0 B/s | 0 B 00:00
Errors during downloading metadata for repository ‘appstream’:

• Curl error (77): Problem with the SSL CA cert (path? access rights?) for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=AppStream-8 [error setting certificate verify locations:
  CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none]
  Error: Failed to download metadata for repo ‘appstream’: Cannot prepare internal mirrorlist: Curl error (77): Problem with the SSL CA cert (path? access rights?) for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=AppStream-8 [error setting certificate verify locations:
  CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none]

Hi,

Try dnf clean all again and try the reinstall again.

Thanks Tom.

I’ve already done that. No “dnf clean all” doesn’t work…

Error is suggesting the SSL certificate bad (ca-bundle.crt). Is there a way to rebuild the certificate?

HI,

Google search found this:

Which suggests:

curl https://curl.se/ca/cacert.pem -o /etc/pki/ca-trust/source/anchors/curl-cacert-updated.pem && update-ca-trust

Should work.

Regards Tom.

Sorry to disappoint you…

curl https://curl.se/ca/cacert.pem -o /etc/pki/ca-trust/source/anchors/curl-cacert-updated.pem && update-ca-trust
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:–:-- --:–:-- --:–:-- 0curl: (77) error setting certificate verify locations:
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none

The OS must be corrupted. Nothing is working. I’m going to rebuild the system from scratch.

I’d be interested to see what your crypto policies are set to. You can check this using

update-crypto-policies --show

If this reports FUTURE, for example, this error would be expected due to the 2048-bit key size of our mirrorlist.

I’ve blew away to system and reloaded Rocky Linus from scratch already. One final thought about this issue is the old installation was a migrated Centos 8 to Rocky 8 and then upgraded to Rocky 8.4 after. This time around it’s a Rocky 8.4 all the way.

I have just install Rocky Linux 8.4 and ran into the same issue… I followed all the steps and get the same errors. I ran "update-crypto-policies --show " and the output was “DEFAULT”

Need help? What to do?

Why 8.4? The 8.5 image is available, isn’t it?
(Only the latest version can be properly supported because that is the only version that can get updates from RHEL sources.)

Try this:

rpm -U -p http://dl.rockylinux.org/pub/rocky/8/BaseOS/x86_64/os/Packages/c/ca-certificates-2021.2.50-80.0.el8_4.noarch.rpm
dnf update

The reason I think this will work is that you somehow have a corrupted ca-certificates and this is causing dnf to not be able to fetch new packages from the https mirrorlist or mirrors (because it can’t establish a verified TLS connection). So the above rpm command should update (and fix) ca-certificates from the http mirror (so not requiring a TLS connection) which should hopefully fix the issue allowing the rest of your system to be updated normally after that.

Hi,I meet the same error after I delete /etc/pki/tls/certs accidently,so can anyone transfer the file to me?

Reinstall the ca-certificates like @pajamian did show above.
The package is now http://dl.rockylinux.org/pub/rocky/8/BaseOS/x86_64/os/Packages/c/ca-certificates-2022.2.54-80.2.el8_6.noarch.rpm

But you cannot run dnf remove packagesname,and in fact if you run these commands,the terminal will tell you the package has already been installed.