Red Hat Enterprise Linux 8 repos are unavailable when crypto policies are FUTURE

Hi,

Just wondering if anyone has come across the same issue, and whether this should be considered a bug or not.

It looks like when the crypto policy is set to FUTURE we are unable to connect to the Red Hat repos, with the following error:

2019-10-20T04:37:37Z DEBUG repo: downloading from remote: rhel-8-for-x86_64-appstream-rpms
2019-10-20T04:37:38Z DEBUG Cannot download 'https://cdn.redhat.com/content/dist/rhel8/8/x86_64/appstream/os': Cannot download repomd.xml: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://cdn.redhat.com/content/dist/rhel8/8/x86_64/appstream/os/repodata/repomd.xml [SSL certificate problem: EE certificate key too weak].
2019-10-20T04:37:38Z DEBUG repo: downloading from remote: rhel-8-for-x86_64-baseos-rpms
2019-10-20T04:37:39Z DEBUG Cannot download 'https://cdn.redhat.com/content/dist/rhel8/8/x86_64/baseos/os': Cannot download repomd.xml: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://cdn.redhat.com/content/dist/rhel8/8/x86_64/baseos/os/repodata/repomd.xml [SSL certificate problem: EE certificate key too weak].

Does anyone have any suggestions? Should this be considered a bug?

Thanks

Responses

Hi Matt,

I can't say this will resolve your issue. On a few of my virtual systems at home, they occasionally incur such odd failures, and I restart chronyd (make sure chronyd is properly configured, since the ntpd service is replaced by chronyd in RHEL 8).

Additionally see this article https://access.redhat.com/solutions/68657.

Please let us know how this goes,

Regards

RJ

I ended up on this post after deducing that the "future" setting broke the appstream repo with the same "weak security" cert error as above.

For me, only the appstream repo is affected, the base repo still works fine.

Changing the crypto policy back to DEFAULT fixes the issue, but as security hardening demands FUTURE, it leaves us with an issue.

Using RHEL 8.1

Hi,

Same problem here with RHEL 8.1.

If you set update-crypto-policies to FUTURE, RSA key size must be >=3072 (man crypto-policies). But cdn.redhat.com delivers a key size of 2048.

yum update -v
Loaded plugins: builddep, changelog, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, needs-restarting, playground, product-id, repoclosure, repodiff, repograph, repomanage, reposync, subscription-manager, uploadprofile
Updating Subscription Management repositories.
DNF version: 4.2.7
cachedir: /var/cache/dnf
repo: downloading from remote: rhel-8-for-x86_64-appstream-rpms
error: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://cdn.redhat.com/content/dist/rhel8/8/x86_64/appstream/os/repodata/repomd.xml [SSL certificate problem: EE certificate key too weak] (https://cdn.redhat.com/content/dist/rhel8/8/x86_64/appstream/os/repodata/repomd.xml).
Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)                                                                                                                           0.0  B/s |   0  B     00:00    
Cannot download 'https://cdn.redhat.com/content/dist/rhel8/8/x86_64/appstream/os': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried.
Failed to download metadata for repo 'rhel-8-for-x86_64-appstream-rpms'
Error: Failed to download metadata for repo 'rhel-8-for-x86_64-appstream-rpms'

So this is not a bug. But it should be fixed as soon as possible.

Kind regards Mario

Hi, we are tracking this in the following bugzilla

Hi,

The new certificate has a key size of 4096. It's working properly now.

Kind regards

Mario

Hi,

The new certificate has been activated in production with the 4096-bit RSA key on the 21st of January 2020.

$ echo '' | openssl s_client -connect cdn.redhat.com:443 2>/dev/null | openssl x509 -text -noout | grep -A 1 "Public Key Algorithm"
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)

Hi,

What should I do when we have an (external) repo with a weak certificate that we need to trust? We want to leave the FUTURE crypto policy set system-wide. I cannot change the weak cert on the external repo server, as I am not managing it.

Can I add some parameter to the repo definition, similar to sslverify=0? (e.g. allowedciphers=here_go_weak_ciphers_exceptionally or ciphersvalidation=0)

I know this is all about wget and potentially OpenSSL, but does any solution of my problem come to your mind?

Many thanks in advance!

Pawel

Hi Pawel,

This should work for you:

subscription-manager repo-override --repo=YOUR_EXT_REPO --remove=sslverify
subscription-manager repo-override --repo=YOUR_EXT_REPO --add=sslverify:0

Kind regards

Mario
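The thread makes two related points: under FUTURE the RSA key of a server certificate must be at least 3072 bits (Mario's post citing man crypto-policies), and the openssl one-liner above shows how to read the key size that cdn.redhat.com actually presents. The script below, an added example that is not part of this thread or of any Red Hat tool, generalizes that one-liner into two small checks: cert_key_bits reports the public key size of a PEM certificate, and host_key_bits does the same for a live host:port. It also includes make_test_cert, which generates constructed self-signed certificates locally so the check can be exercised without network access. Unlike the sslverify=0 override, which turns off certificate verification for that repo entirely, this tells you which repos would fail under FUTURE and by how much, so the override can be scoped to exactly the repos that need it. The 3072-bit threshold is taken from the thread; the function names and the example.invalid subject are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: compare a certificate's RSA key size
# with the 3072-bit minimum that the FUTURE crypto policy enforces.

FUTURE_MIN_RSA_BITS=3072   # from man crypto-policies, as quoted in the thread

# Print the public key size in bits of the PEM certificate in $1.
# Matches both OpenSSL 1.1 ("RSA Public-Key: (2048 bit)") and
# OpenSSL 3 ("Public-Key: (2048 bit)") text output.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' \
        | head -n 1
}

# Fetch the leaf certificate from host:port ($1) and print its key size,
# the same exchange as the openssl s_client one-liner in the thread.
host_key_bits() {
    f=$(mktemp)
    echo '' | openssl s_client -connect "$1" 2>/dev/null \
        | openssl x509 -outform PEM > "$f"
    cert_key_bits "$f"
    rm -f "$f"
}

# Exit 0 if a key of $1 bits satisfies the FUTURE minimum, 1 otherwise.
meets_future() {
    [ "$1" -ge "$FUTURE_MIN_RSA_BITS" ]
}

# Constructed test data: write a self-signed cert with an RSA key of $1 bits
# to $2 (the private key goes to $2.key). Only used for offline demonstration.
make_test_cert() {
    openssl req -x509 -newkey "rsa:$1" -nodes -days 1 \
        -subj "/CN=example.invalid" -keyout "$2.key" -out "$2" 2>/dev/null
}

# Offline demo using the two key sizes the thread mentions: 2048 (the old
# cdn.redhat.com certificate) and 4096 (the replacement).
demo() {
    dir=$(mktemp -d)
    for bits in 2048 4096; do
        make_test_cert "$bits" "$dir/cert$bits.pem"
        got=$(cert_key_bits "$dir/cert$bits.pem")
        if meets_future "$got"; then
            echo "cert$bits.pem: $got-bit RSA, accepted under FUTURE"
        else
            echo "cert$bits.pem: $got-bit RSA, rejected under FUTURE (needs >= $FUTURE_MIN_RSA_BITS)"
        fi
    done
    rm -rf "$dir"
}

demo
```

To check a real repository host instead of the constructed certificates, call `host_key_bits cdn.redhat.com:443` (or the host of the external repo in Pawel's case) and pass the result to meets_future; a key below the threshold is the same condition that curl reports as "EE certificate key too weak".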

I had the same issue; I wouldn't say it is a bug, but it should be fixed ASAP.

I experienced the same issue. Per the upgrade procedure they request you run 'update-crypto-policies --set FUTURE'. I had to set the policy back to 'DEFAULT' before I was able to get it working again.

Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)                                                                                                       0.0  B/s |   0  B     00:00
Errors during downloading metadata for repository 'rhel-8-for-x86_64-baseos-rpms':
  - Curl error (58): Problem with the local SSL certificate for https://cdn.redhat.com/content/dist/rhel8/8/x86_64/baseos/os/repodata/repomd.xml [could not load PEM client certificate, OpenSSL error error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small, (no key found, wrong pass phrase, or wrong file format?)]
Error: Failed to download metadata for repo 'rhel-8-for-x86_64-baseos-rpms': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried