Dnf update issues

Latest response

Hello there,

I was on RHEL 8 for the last two years and decided to upgrade to RHEL 9 yesterday. For a brief moment everything was fine: system has been registered, subscription was attached, I did enable BaseOS, AppStream and CodeReady Builder repos, and even successfully performed a 'dnf update' command once. But unfortunately, few hours later I've started to receive the following message whenever I try to perform 'dnf update':

Errors during downloading metadata for repository 'codeready-builder-for-rhel-9-x86_64-rpms':
- Curl error (91): SSL server certificate status verification FAILED for https://ru-by-exceptions.cdn.redhat.com/content/dist/rhel9/9/x86_64/codeready-builder/os/repodata/repomd.xml [No OCSP response received]
Error: Failed to download metadata for repo 'codeready-builder-for-rhel-9-x86_64-rpms': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried

I was hoping that this is a temporary issue with server's expired certificate, since similar issues did happen on RHEL 8 several times, but 16 hours later the problem is still there and I'm starting to think that probably I should search for the cause on my side. Any suggestions on what could be done?

At this point I did try to:
Set sslverify=0 in /etc/dnf/dnf.conf
dnf clean all
Unregister the system, detach and reattach subscription.
But nothing helped.


Hi Andrei,

Firstly, undo the changes you made in /etc/dnf/dnf.conf - then execute the following commands ... :)

sudo dnf clean all

sudo rm -r /var/cache/dnf

sudo update-crypto-policies --set DEFAULT

sudo reboot

sudo dnf upgrade


Hello Christian,

Thank you for your response. I did what you suggested step-by-step, but unfortunately that didn't resolve the issue.

Hi Andrei,

You may want to check this solution article : How to reset the list of trusted CA certificates
If this also doesn't solve the problem, contact Red Hat Support - or open a support case. :)


I've ran into the same issue with AppStream and BaseOS repos on a fairly new, registered RHEL 9 installation. A workaround I've found for now is to set sslverifystatus = 0 for the offending repos in the /etc/yum.repos.d/redhat.repo, which disables the OCSP stapling.

Thanks Ches, works fine for me :-).

WOW! Great find. This worked for me, too.

doesn't work for me. Probably FIPS mode is the problem for baseos-rpms repo.

I run all my systems with FIPS and do not have this issue. There are some cases where a specific region will have weird CDN issues. Best to put in a ticket with Red Hat, include an SOS report if possible.