Dnf update issues

Latest response

Hello there,

I was on RHEL 8 for the last two years and decided to upgrade to RHEL 9 yesterday. For a brief moment everything was fine: system has been registered, subscription was attached, I did enable BaseOS, AppStream and CodeReady Builder repos, and even successfully performed a 'dnf update' command once. But unfortunately, few hours later I've started to receive the following message whenever I try to perform 'dnf update':

Errors during downloading metadata for repository 'codeready-builder-for-rhel-9-x86_64-rpms':
- Curl error (91): SSL server certificate status verification FAILED for https://ru-by-exceptions.cdn.redhat.com/content/dist/rhel9/9/x86_64/codeready-builder/os/repodata/repomd.xml [No OCSP response received]
Error: Failed to download metadata for repo 'codeready-builder-for-rhel-9-x86_64-rpms': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried

I was hoping that this is a temporary issue with server's expired certificate, since similar issues did happen on RHEL 8 several times, but 16 hours later the problem is still there and I'm starting to think that probably I should search for the cause on my side. Any suggestions on what could be done?

At this point I did try to:
Set sslverify=0 in /etc/dnf/dnf.conf
dnf clean all
Unregister the system, detach and reattach subscription.
But nothing helped.

AS
Log in to join the conversation

Responses

Christian Labisch's picture Guru 35365 points
24 August 2022 8:44 AM

Hi Andrei,

Firstly, undo the changes you made in /etc/dnf/dnf.conf - then execute the following commands ... :)

sudo dnf clean all

sudo rm -r /var/cache/dnf

sudo update-crypto-policies --set DEFAULT

sudo reboot

sudo dnf upgrade

Regards,
Christian

AS Newbie 14 points
24 August 2022 10:43 AM

Hello Christian,

Thank you for your response. I did what you suggested step-by-step, but unfortunately that didn't resolve the issue.

Christian Labisch's picture Guru 35365 points
24 August 2022 11:55 AM

Hi Andrei,

You may want to check this solution article : How to reset the list of trusted CA certificates
If this also doesn't solve the problem, contact Red Hat Support - or open a support case. :)

Regards,
Christian

CS Newbie 5 points
12 October 2022 4:42 AM

I've ran into the same issue with AppStream and BaseOS repos on a fairly new, registered RHEL 9 installation. A workaround I've found for now is to set sslverifystatus = 0 for the offending repos in the /etc/yum.repos.d/redhat.repo, which disables the OCSP stapling.

OB Newbie 7 points
17 October 2022 2:07 PM

Thanks Ches, works fine for me :-).

BJ Community Member 57 points
29 October 2022 10:01 AM

WOW! Great find. This worked for me, too.

AP Community Member 89 points
19 November 2023 3:03 AM

doesn't work for me. Probably FIPS mode is the problem for baseos-rpms repo.

RJ Hinton's picture Guru 23293 points
19 November 2023 7:15 AM

I run all my systems with FIPS and do not have this issue. There are some cases where a specific region will have weird CDN issues. Best to put in a ticket with Red Hat, include an SOS report if possible.

Regards,
RJ