Installed the almalinux from DVD1 ISO in KVM hypervisor at home. Installation went fine and the end-result was a functioning Almalinux 8.4 installation.
However: I cannot update any packages, the problem seems to be with TLS/SSL and the mirrorlist.
The error is:
[lieven@localhost ~]$ sudo dnf update
[sudo] password for lieven:
AlmaLinux 8 - BaseOS 0.0 B/s | 0 B 00:00
Errors during downloading metadata for repository 'baseos':
- Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirror.nl.altushost.com/almalinux/8/BaseOS/x86_64/os/repodata/repomd.xml [SSL certificate problem: EE certificate key too weak]
Error: Failed to download metadata for repo 'baseos': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
So far I’ve tried the following and combinations of the following:
using a fixed mirror (from the website here → see above error) instead of the mirrorlist as it comes with the default dvd iso installation. (mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/baseos)
tried http (instead of https)
downloaded the letsencrypt ca intermediates in “/etc/pki/ca-trust/source/anchors/” and executed “update-ca-trust”
used update-crypto-policies to switch between DEFAULT, FUTURE and FIPS (enabled fips-mode-setup as well + reboot)
disabled GPG check (though I don’t really see how that has to do with the shown error )
almost forgot: default install comes with old ca-certificates (ca-certificates-2020.2.41-80.0.el8_2.src.rpm) so I manually put the new one on the server and installed it with “sudo rpm -Uvh /tmp/ca-certificates-2021.2.50-80.0.el8_4.noarch.rpm”
What should I try next?
I had something similar a month or so ago. There is a discussion on the chat page but the upshot was that I had a faulty
do you have a mirrors.almalinux.org record in your /etc/hosts?
Yes, just got there. /etc/hosts has 184.108.40.206 yet dig mirrors.almalinux.org yields 220.127.116.11 and 18.104.22.168
remove it please, that will resolve the problem
you were our new mirror service beta-tester, but now that new service is working on production
thanks MartinR but it’s not the solution here, my hosts file contains only the localhost entries. When I open the mirrors url, I come upon a page hosted at amazon. Again, I downloaded both authorities certs to the “/etc/pki/ca-trust/source/anchors/” location followed by “update-ca-trust”.
The error seems to indicate that something is wrong with the CA’s that I have however the above and installation of the ca’s rpm package earlier seem to indicate the problem is elsewhere.
I believe this has todo with the “EE certificate key too weak” message which I thought would be solved using the DEFAULT crypto policies thing which obviously didn’t work either.
This is probably related to this: Let's Encrypt DST Root CA X3 expiry Sept 30th 2021 | Certify The Web Docs)
You should probably try another mirror by setting it manually in your config, until they get this resolved.
did you manage the problem with CA certificates in the mean time?
I followed all your suggestions but still got stuck …
Any further suggestions welcome …
I just did a complete fresh install off the 8.5 minimal ISO into VMware and get the same thing. Cannot prepare internal mirrorlist…
I think it is caused to hardening configuration. If you select CIS Server Level 2(for example) on installation, crypto policies are set to future:
$ update-crypto-policies --show
Changing it to less restrictive policies will make you use that certificates
# update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT
Next you will need a reboot.
PD: I change to DEFAULT The example policy that also worked, it is not needed to go back to legacy
This just fixed update after new DVD installation for me. As you said, problem was because I picked security profile CIS Workstation.
You are welcome
Do you remember if it was Cis workstation Level 2 profile?