Rocky Linux 10 UBI - EPEL SSL Connection Failure

Issue Summary

Rocky Linux 10 UBI cannot download EPEL packages over HTTPS due to:


Curl error (35): SSL connect error
TLS connect error: error:030000EA:digital envelope routines::provider signature failure

Root Cause Found

OpenSSL’s certificate chain validation fails on the intermediate CA certificate:

  • Intermediate: DigiCert Global G3 TLS ECC SHA384 2020 CA1

  • Error: verify error:num=7:certificate signature failure

  • Signature Algorithm: The cert chain uses ecdsa-with-SHA384 which IS in the allowed SignatureAlgorithms list

  • Real issue: The certificate signature verification itself fails (error:num=7)

Reproduction Steps

1. Minimal test case showing the problem:


docker build --no-cache --progress=plain - <<'EOF'
FROM rockylinux/rockylinux:10-ubi
# Install OpenSSL
RUN dnf -y install openssl
# Show current crypto policy
RUN echo "=== Crypto Policy ===" && \
update-crypto-policies --show && \
echo "" && \
cat /etc/crypto-policies/back-ends/opensslcnf.config && \
echo ""
# Test EPEL certificate verification
RUN echo "=== Testing EPEL certificate chain ===" && \
timeout 10 openssl s_client -connect dl.fedoraproject.org:443 \
-servername dl.fedoraproject.org 2>&1 | head -40
# Try to install EPEL (will fail)
RUN dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm
EOF

2. Extract the exact certificate signature algorithm:


docker run --rm rockylinux/rockylinux:10-ubi sh -c '
dnf -y install openssl &>/dev/null
echo "=== EPEL Certificate Details ==="
echo | openssl s_client -connect dl.fedoraproject.org:443 \
-servername dl.fedoraproject.org 2>/dev/null | \
openssl x509 -noout -text | grep -A2 "Signature Algorithm"
'

3. Show the certificate chain verification error:


docker run --rm rockylinux/rockylinux:10-ubi sh -c '
dnf -y install openssl &>/dev/null
echo "=== Certificate Verification Result ==="
openssl s_client -connect dl.fedoraproject.org:443 \
-servername dl.fedoraproject.org 2>&1 | \
grep -E "(depth=|verify error|verify return|Signature Algorithm)"
'

4. Compare allowed signature algorithms vs certificate:


docker run --rm rockylinux/rockylinux:10-ubi sh -c '
dnf -y install openssl &>/dev/null
echo "=== Allowed Signature Algorithms (from crypto-policies) ==="
grep SignatureAlgorithms /etc/crypto-policies/back-ends/opensslcnf.config
echo ""
echo "=== EPEL Cert Signature Algorithm ==="
echo | openssl s_client -connect dl.fedoraproject.org:443 \
-servername dl.fedoraproject.org 2>/dev/null | \
openssl x509 -noout -text | grep "Signature Algorithm" | head -2
'

Key Findings

From the diagnostic output:

  1. Crypto Policy: DEFAULT (not FIPS)

  2. Allowed SignatureAlgorithms include:

    • ECDSA+SHA256, ECDSA+SHA384, ECDSA+SHA512 (allowed)

    • RSA+SHA256, RSA+SHA384, RSA+SHA512 (allowed)

    • Missing: RSA+SHA1 (correctly blocked for security)

  3. EPEL Certificate Uses: ecdsa-with-SHA384 (this IS allowed!)

  4. The Real Problem:

    depth=1 C=US, O=DigiCert Inc, CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1
    verify error:num=7:certificate signature failure

    This is error code 7 = “signature verification failed” - meaning OpenSSL cannot cryptographically verify the intermediate CA certificate signature.

Current Workaround


# Option 1: Disable SSL verification (not recommended for production)
RUN echo "sslverify=false" >> /etc/dnf/dnf.conf && \
    dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm

# Option 2: Comment out crypto-policies in openssl.cnf
RUN sed -i 's|^\.include = /etc/crypto-policies/back-ends/opensslcnf.config$|#&|' /etc/pki/tls/openssl.cnf

Questions for Rocky Linux Team

  1. Why does OpenSSL 3.5.1 in Rocky Linux 10 UBI fail to verify DigiCert’s intermediate CA certificate with ecdsa-with-SHA384?

  2. Is this a provider configuration issue in the UBI image?

  3. Are the system CA certificates in Rocky Linux 10 UBI missing the DigiCert Global Root G3?

  4. What is the recommended way to enable EPEL downloads without disabling SSL verification?

Environment

  • Base Image: rockylinux/rockylinux:10-ubi

  • OpenSSL Version: 3.5.1-7.el10_1

  • Crypto Policy: DEFAULT

  • Platform: linux/amd64

Hi,

The UBI image ships with a stripped-down CA bundle to keep the image small, and the DigiCert Global Root G3 certificate is often missing from it. This is different from a full Rocky Linux install which gets the complete ca-certificates bundle.

Check first whether the root CA is present:

trust list | grep -i "DigiCert Global Root G3"

If that returns nothing, fetch and install it manually:

curl -o /etc/pki/ca-trust/source/anchors/DigiCertGlobalRootG3.crt.pem \
     https://cacerts.digicert.com/DigiCertGlobalRootG3.crt.pem
update-ca-trust

Then retry your dnf command. The update-ca-trust command regenerates the extracted CA bundle that OpenSSL reads, so you do not need to restart anything.

If you are running this in a Dockerfile or CI pipeline and cannot fetch the cert from outside, another approach is to install or update the ca-certificates package first:

dnf install -y ca-certificates && update-ca-trust

The ca-certificates package in the full EPEL repo includes the DigiCert roots, but getting there requires SSL to work, which is the catch-22. The manual fetch above breaks that cycle.

The workarounds in the thread that disable SSL verification are fine for a quick test but should not go anywhere near production or CI images.

Hope that helps!
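An added diagnostic helper, not from any post in this thread: it reads the verify lines that `openssl s_client` prints (with or without the docker build-log prefix seen in this thread) and tells a chain signature failure (X509 error 7, the case in the Key Findings above) apart from a root CA that is simply absent from the trust store (errors 2, 19, 20, which the `trust list` check suggested here would catch). The `check_host` and `root_present` wrappers assume `openssl` and the p11-kit `trust` tool are installed; the sample verify lines are constructed from the thread's own log.

```shell
#!/bin/sh
# Added helper, not from any post in this thread. Assumes POSIX sh + awk;
# check_host needs openssl, root_present needs the p11-kit `trust` tool.
# Reads `openssl s_client ... 2>&1` (or a docker build log containing it) on
# stdin and prints one verdict line. X509 verify error numbers used here:
#   7          certificate signature failure      -> chain/crypto problem
#   2, 19, 20  issuer not found / self-signed     -> root CA missing from store
classify_verify_output() {
  awk '
    match($0, /depth=[0-9]+/) { depth = substr($0, RSTART + 6, RLENGTH - 6) }
    match($0, /verify error:num=[0-9]+/) {
      n = substr($0, RSTART + 17, RLENGTH - 17) + 0
      if (n == 7) { if (!seen) { seen = 1; sigdepth = depth } }   # keep first failing depth
      else if (n == 2 || n == 19 || n == 20) { missing_root = 1 }
      else { other = other " " n }
    }
    END {
      if (seen)              print "SIGNATURE_FAILURE:depth=" sigdepth
      else if (missing_root) print "MISSING_ROOT"
      else if (other != "")  print "OTHER:num" other
      else                   print "OK"
    }'
}

# Live check of a host (not run by the samples below): check_host dl.fedoraproject.org
check_host() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>&1 | classify_verify_output
}

# Is a root CA present in the system trust store?  root_present "DigiCert Global Root G3"
root_present() {
  trust list 2>/dev/null | grep -qi "$1"
}

# Constructed sample 1: verify lines as in the thread's build log, docker prefix kept.
SAMPLE_SIGFAIL='#10 1.147 depth=2 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G3
#10 1.147 verify return:1
#10 1.147 depth=1 C=US, O=DigiCert Inc, CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1
#10 1.147 verify error:num=7:certificate signature failure
#10 1.147 verify return:1'

# Constructed sample 2: what a root that is absent from the trust store looks like instead.
SAMPLE_NOROOT='depth=1 C=US, O=DigiCert Inc, CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1
verify error:num=20:unable to get local issuer certificate
verify return:1'

# Constructed sample 3: a clean chain.
SAMPLE_OK='depth=0 CN=example.test
verify return:1'

for s in "$SAMPLE_SIGFAIL" "$SAMPLE_NOROOT" "$SAMPLE_OK"; do
  printf '%s\n' "$s" | classify_verify_output
done
```

Paste a build log straight into `classify_verify_output` to get the verdict; a MISSING_ROOT result points at the CA bundle, a SIGNATURE_FAILURE result at the crypto stack doing the verification.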

Well, this is built in Docker and the network is available.

First and second with UBI, but funny thing, the same with full Rocky Linux (without UBI) still returned the same result. Second method log:

#10 [ 5/14] RUN dnf install -y ca-certificates && update-ca-trust
#10 1.638 Rocky Linux 10 - BaseOS                         9.5 kB/s | 4.3 kB     00:00
#10 2.666 Rocky Linux 10 - AppStream                       10 kB/s | 4.3 kB     00:00
#10 3.453 Rocky Linux 10 - CRB                            741 kB/s | 521 kB     00:00
#10 3.997 Package ca-certificates-2025.2.80_v9.0.305-102.el10.noarch is already installed.
#10 4.114 Dependencies resolved.
#10 4.118 Nothing to do.
#10 4.118 Complete!
#10 DONE 27.7s

#11 [ 6/14] RUN dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm &&     dnf -y install readline readline-devel zlib zlib-devel ncurses ncurses-devel glibc-devel tcl-devel gcc-c++ unzip xz         openssl-devel curl-devel byacc gdbm-devel ruby-devel ruby-libs rubygems rubygems-devel libyaml-devel libffi-devel patch
#11 1.804 Last metadata expiration check: 0:00:26 ago on Sat 04 Apr 2026 10:36:18 PM UTC.
#11 2.197 [MIRROR] epel-release-latest-10.noarch.rpm: Curl error (35): SSL connect error for https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm [TLS connect error: error:030000EA:digital envelope routines::provider signature failure]
#11 2.482 [MIRROR] epel-release-latest-10.noarch.rpm: Curl error (35): SSL connect error for https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm [TLS connect error: error:030000EA:digital envelope routines::provider signature failure]
#11 2.787 [MIRROR] epel-release-latest-10.noarch.rpm: Curl error (35): SSL connect error for https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm [TLS connect error: error:030000EA:digital envelope routines::provider signature failure]
#11 3.079 [MIRROR] epel-release-latest-10.noarch.rpm: Curl error (35): SSL connect error for https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm [TLS connect error: error:030000EA:digital envelope routines::provider signature failure]
#11 3.079 [FAILED] epel-release-latest-10.noarch.rpm: Curl error (35): SSL connect error for https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm [TLS connect error: error:030000EA:digital envelope routines::provider signature failure]
#11 3.102 Curl error (35): SSL connect error for https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm [TLS connect error: error:030000EA:digital envelope routines::provider signature failure]

Interesting that it hits full Rocky 10.1 as well, not just UBI. That narrows it down – this is likely the FIPS-related OpenSSL provider issue that showed up in RHEL 10 betas. The “provider signature failure” error in the TLS handshake happens when OpenSSL’s FIPS provider rejects the signature algorithm used by the intermediate CA cert during chain validation.

Check your OpenSSL FIPS mode status:

openssl version -a | grep -i fips
cat /proc/sys/crypto/fips_enabled

If FIPS is enabled (either at build or runtime), certain signature algorithms in older CA certs get rejected even though they are perfectly valid outside FIPS mode. The DigiCert G3 intermediate uses ECDSA with P-384, which should be fine under FIPS, but some builds have a mismatch in the default provider loading order.

A workaround that has worked for others: explicitly set the default provider before the FIPS provider in /etc/pki/tls/openssl.cnf:

[provider_sect]
default = default_sect
fips = fips_sect

[default_sect]
activate = 1

Make sure the default provider loads first. Then retry the dnf install. If that fixes it, it confirms the issue is the provider loading order rather than a missing CA cert.

without ubi:

#10 [ 5/15] RUN echo "=== FIPS kernel mode ===" &&     cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo "file not found (not FIPS)" &&     echo "" &&     echo "=== OpenSSL version and FIPS status ===" &&     openssl version -a | grep -i fips || echo "No FIPS in version string" &&     echo "" &&     echo "=== Current provider configuration in openssl.cnf ===" &&     grep -A15 '^[provider_sect]' /etc/pki/tls/openssl.cnf &&     echo "" &&     echo "=== Test BEFORE provider fix: EPEL TLS connection ===" &&     timeout 5 openssl s_client -connect dl.fedoraproject.org:443       -servername dl.fedoraproject.org 2>&1 | grep -E "(depth=|verify error|verify return)" | head -10
#10 0.363 === FIPS kernel mode ===
#10 0.402 file not found (not FIPS)
#10 0.402
#10 0.402 === OpenSSL version and FIPS status ===
#10 0.446 compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -march=x86-64-v3 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -mtls-dialect=gnu2    -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Wno-complain-wrong-lang -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v3 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -mtls-dialect=gnu2 -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-hardened-ld-errors -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -specs=/usr/lib/rpm/redhat/redhat-package-notes -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUG -D_GNU_SOURCE -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DOPENSSL_PEDANTIC_ZEROIZATION -DREDHAT_FIPS_VENDOR="\"Red Hat Enterprise Linux OpenSSL FIPS Provider\"" -DREDHAT_FIPS_VERSION="\"3.5.1-3a5bfb0516b7b4de\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/opensslcnf.config"
#10 0.448
#10 0.448 === Current provider configuration in openssl.cnf ===
#10 0.474 [provider_sect]
#10 0.474 default = default_sect
#10 0.474 ##legacy = legacy_sect
#10 0.474 ##
#10 0.474 [default_sect]
#10 0.474 activate = 1
#10 0.474
#10 0.474 ##[legacy_sect]
#10 0.474 ##activate = 1
#10 0.474
#10 0.474 #Place the third party provider configuration files into this folder
#10 0.474 .include /etc/pki/tls/openssl.d
#10 0.474
#10 0.474
#10 0.474 [ ssl_module ]
#10 0.474
#10 0.475
#10 0.475 === Test BEFORE provider fix: EPEL TLS connection ===
#10 1.147 depth=2 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G3
#10 1.147 verify return:1
#10 1.147 depth=1 C=US, O=DigiCert Inc, CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1
#10 1.147 verify error:num=7:certificate signature failure
#10 1.147 verify return:1
#10 1.147 depth=1 C=US, O=DigiCert Inc, CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1
#10 1.147 verify return:1
#10 1.147 depth=0 C=US, ST=North Carolina, L=Raleigh, O=Red Hat, Inc., CN=*.fedoraproject.org
#10 1.147 verify error:num=7:certificate signature failure
#10 1.147 verify return:1
#10 DONE 1.2s

#11 [ 6/15] RUN echo "=== Applying provider fix: default before fips ===" &&     sed -i '/^[provider_sect]/,/^[/ { /^[provider_sect]/!d; }' /etc/pki/tls/openssl.cnf &&     sed -i '/^[provider_sect]/a\default = default_sect\nfips = fips_sect\n\n[default_sect]\nactivate = 1' /etc/pki/tls/openssl.cnf &&     echo "" &&     echo "=== NEW provider configuration ===" &&     grep -A15 '^[provider_sect]' /etc/pki/tls/openssl.cnf &&     echo "" &&     echo "=== Test AFTER provider fix: EPEL TLS connection ===" &&     timeout 5 openssl s_client -connect dl.fedoraproject.org:443       -servername dl.fedoraproject.org 2>&1 | grep -E "(depth=|verify error|verify return)" | head -10
#11 0.292 === Applying provider fix: default before fips ===
#11 0.370
#11 0.370 === NEW provider configuration ===
#11 0.399 [provider_sect]
#11 0.399 default = default_sect
#11 0.399 fips = fips_sect
#11 0.399
#11 0.399 [default_sect]
#11 0.399 activate = 1
#11 0.399 activate = 1
#11 0.399
#11 0.399 ##[legacy_sect]
#11 0.399 ##activate = 1
#11 0.399
#11 0.399 #Place the third party provider configuration files into this folder
#11 0.399 .include /etc/pki/tls/openssl.d
#11 0.399
#11 0.399
#11 0.399 [ ssl_module ]
#11 0.400
#11 0.400 === Test AFTER provider fix: EPEL TLS connection ===
#11 1.004 depth=2 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G3
#11 1.004 verify return:1
#11 1.004 depth=1 C=US, O=DigiCert Inc, CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1
#11 1.004 verify error:num=7:certificate signature failure
#11 1.004 verify return:1
#11 1.004 depth=1 C=US, O=DigiCert Inc, CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1
#11 1.004 verify return:1
#11 1.004 depth=0 C=US, ST=North Carolina, L=Raleigh, O=Red Hat, Inc., CN=*.fedoraproject.org
#11 1.004 verify error:num=7:certificate signature failure
#11 1.004 verify return:1
#11 DONE 1.0s

#12 [ 7/15] RUN dnf -y install  &&     dnf -y install readline readline-devel zlib zlib-devel ncurses ncurses-devel glibc-devel tcl-devel gcc-c++ unzip xz         openssl-devel curl-devel byacc gdbm-devel ruby-devel ruby-libs rubygems rubygems-devel libyaml-devel libffi-devel patch
#12 1.539 Rocky Linux 10 - BaseOS                         9.3 kB/s | 4.3 kB     00:00
#12 2.111 Rocky Linux 10 - AppStream                       10 kB/s | 4.3 kB     00:00
#12 2.835 Rocky Linux 10 - CRB                            783 kB/s | 521 kB     00:00
#12 3.699 [MIRROR] epel-release-latest-10.noarch.rpm: Curl error (35): SSL connect error for  [TLS connect error: error:030000EA:digital envelope routines::provider signature failure]
#12 4.006 [MIRROR] epel-release-latest-10.noarch.rpm: Curl error (35): SSL connect error for  [TLS connect error: error:030000EA:digital envelope routines::provider signature failure]
#12 4.297 [MIRROR] epel-release-latest-10.noarch.rpm: Curl error (35): SSL connect error for  [TLS connect error: error:030000EA:digital envelope routines::provider signature failure]
#12 4.590 [MIRROR] epel-release-latest-10.noarch.rpm: Curl error (35): SSL connect error for  [TLS connect error: error:030000EA:digital envelope routines::provider signature failure]
#12 4.591 [FAILED] epel-release-latest-10.noarch.rpm: Curl error (35): SSL connect error for  [TLS connect error: error:030000EA:digital envelope routines::provider signature failure]

The real problem is that I used a macOS M1 to build the image, and how emulation works on Tahoe 26.4.1 (Rocky Linux 9 had no problem).

Solution, I had to use:

FROM rockylinux/rockylinux:10-ubi

RUN dnf -y update && \
    dnf -y install wget make gcc lsof unzip openssl git tar \
                   ncurses glibc-devel tcl-devel \
                   gcc-c++ openssl-devel bzip2 \
                   ncurses-devel libcurl-devel

RUN dnf -y install glibc-locale-source glibc-langpack-en && \
  localedef -i en_US -f UTF-8 en_US.UTF-8
ENV LANG=en_US.UTF-8

# Enable CRB repository and EPEL.
# Note: sed on openssl.cnf fixes OpenSSL crypto provider failure when building linux/amd64 on ARM Mac.
# epel-release is installed from Rocky Linux 'extras' repo (no external HTTPS needed).
# EPEL repo metalink/baseurl switched from https to http to bypass libcurl TLS issue in this build env.
RUN sed -i 's|^\.include = /etc/crypto-policies/back-ends/opensslcnf.config$|#&|' /etc/pki/tls/openssl.cnf && \
    dnf -y install dnf-plugins-core epel-release && \
    dnf config-manager --set-enabled crb && \
    sed -i 's|^metalink=https://|metalink=http://|g' /etc/yum.repos.d/epel*.repo && \
    sed -i 's|^baseurl=https://|baseurl=http://|g' /etc/yum.repos.d/epel*.repo

RUN dnf -y install readline readline-devel zlib zlib-devel ncurses ncurses-devel glibc-devel tcl-devel gcc-c++ unzip xz \
        openssl-devel curl-devel byacc gdbm-devel ruby-devel ruby-libs rubygems rubygems-devel libyaml-devel libffi-devel patch

Used command:

docker build . -f Dockerfilename --platform=linux/amd64 --no-cache --progress=plain -t SomeImageName