Installed AlmaLinux from the DVD1 ISO in a KVM hypervisor at home. Installation went fine and the end result was a functioning AlmaLinux 8.4 installation.
However, I cannot update any packages; the problem seems to be with TLS/SSL and the mirrorlist.
The error is:
[lieven@localhost ~]$ sudo dnf update
[sudo] password for lieven:
AlmaLinux 8 - BaseOS 0.0 B/s | 0 B 00:00
Errors during downloading metadata for repository 'baseos':
- Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirror.nl.altushost.com/almalinux/8/BaseOS/x86_64/os/repodata/repomd.xml [SSL certificate problem: EE certificate key too weak]
Error: Failed to download metadata for repo 'baseos': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
So far I’ve tried the following and combinations of the following:
using a fixed mirror (from the website here → see above error) instead of the mirrorlist as it comes with the default dvd iso installation. (mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/baseos)
tried http (instead of https)
downloaded the Let's Encrypt CA intermediates in “/etc/pki/ca-trust/source/anchors/” and executed “update-ca-trust”
used update-crypto-policies to switch between DEFAULT, FUTURE and FIPS (enabled fips-mode-setup as well + reboot)
disabled GPG check (though I don’t really see what that has to do with the shown error)
almost forgot: default install comes with old ca-certificates (ca-certificates-2020.2.41-80.0.el8_2.src.rpm) so I manually put the new one on the server and installed it with “sudo rpm -Uvh /tmp/ca-certificates-2021.2.50-80.0.el8_4.noarch.rpm”
Thanks MartinR, but it’s not the solution here; my hosts file contains only the localhost entries. When I open the mirrors URL, I come upon a page hosted at Amazon. Again, I downloaded both authorities’ certs to the “/etc/pki/ca-trust/source/anchors/” location, followed by “update-ca-trust”.
The error seems to indicate that something is wrong with the CAs that I have; however, the above and the installation of the CA RPM package earlier seem to indicate the problem is elsewhere.
I believe this has to do with the “EE certificate key too weak” message, which I thought would be solved using the DEFAULT crypto policies thing, which obviously didn’t work either.
Hi lielie,
did you manage to solve the problem with CA certificates in the meantime?
I followed all your suggestions but still got stuck …
Any further suggestions welcome …
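Added example, not part of the original thread: "EE certificate key too weak" is OpenSSL's verification result when the server's own (end-entity) certificate carries a public key smaller than the active security level allows, so the useful check is the key size and issuer of the certificate the connection actually presents. The function names below are hypothetical, and the minimums (RSA 2048, EC 224) are assumed to correspond to OpenSSL security level 2.

```shell
#!/usr/bin/env bash
# Added example: classify a leaf certificate's public key against the
# minimums assumed here for OpenSSL security level 2 (RSA 2048, EC 224).

# Print "<algorithm> <bits> <ok|too-weak>" for the first certificate in a PEM file.
leaf_key_report() {
    local pem=$1 text alg bits min
    text=$(openssl x509 -in "$pem" -noout -text) || return 2
    alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *//p' | head -n1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
    [ -n "$bits" ] || return 2
    case $alg in
        rsaEncryption)  min=2048 ;;
        id-ecPublicKey) min=224 ;;
        *)              min=2048 ;;   # unknown key type: apply the RSA minimum
    esac
    if [ "$bits" -lt "$min" ]; then
        echo "$alg $bits too-weak"
    else
        echo "$alg $bits ok"
    fi
}

# Save the leaf certificate a host actually presents (needs network access)
# and show its subject and issuer, to compare with the CA expected for that host.
fetch_leaf() {
    local host=$1 out=$2
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -out "$out" \
        && openssl x509 -in "$out" -noout -subject -issuer
}

# Constructed sample: a throwaway self-signed certificate generated locally,
# so the report function can be exercised offline.
make_sample_cert() {
    local bits=$1 out=$2
    openssl req -x509 -newkey "rsa:$bits" -nodes -keyout /dev/null \
        -subj "/CN=constructed.example" -days 1 -out "$out" 2>/dev/null
}
```

On the affected machine, `fetch_leaf mirror.nl.altushost.com /tmp/leaf.pem` followed by `leaf_key_report /tmp/leaf.pem` shows which certificate dnf is really being handed and whether its key is below the minimum.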