Azure RHEL 8 Virtual machines are unable to download any rpms from RHEL repos due to "OpenSSL SSL_read: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired, errno 0"

Perumal, Sivaprakasam 5 Reputation points
2023-02-25T09:50:53.6866667+00:00

Azure RHEL 8 Virtual machines are unable to download any rpms from RHEL repos due to below error

"OpenSSL SSL_read: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired, errno 0"

sudo yum install wget

> Red Hat Enterprise Linux 8 for x86_64 - BaseOS  0.0  B/s |   0  B     00:00
> Errors during downloading metadata for repository 'rhui-rhel-8-for-x86_64-baseos-rhui-rpms':
>   - Curl error (56): Failure when receiving data from the peer for https://rhui-1.microsoft.com/pulp/repos/content/dist/rhel8/rhui/8/x86_64/baseos/os/repodata/repomd.xml [OpenSSL SSL_read: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired, errno 0]
>   - Curl error (56): Failure when receiving data from the peer for https://rhui-3.microsoft.com/pulp/repos/content/dist/rhel8/rhui/8/x86_64/baseos/os/repodata/repomd.xml [OpenSSL SSL_read: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired, errno 0]
>   - Curl error (56): Failure when receiving data from the peer for https://rhui-2.microsoft.com/pulp/repos/content/dist/rhel8/rhui/8/x86_64/baseos/os/repodata/repomd.xml [OpenSSL SSL_read: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired, errno 0]
> Error: Failed to download metadata for repo 'rhui-rhel-8-for-x86_64-baseos-rhui-rpms': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
> 
> ```
> 
>
Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
4,906 questions

5 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Nerijus Krukauskas 25 Reputation points
    2023-02-28T10:25:01.53+00:00

    It appears the certificate used to auth the client has expired. Here's the line from repo file referencing it:
    sslclientcert=/etc/pki/rhui/product/content-rhel8-eus.crt

    And here's that cert info (note the expiry date):

    openssl x509 -noout -text -in /etc/pki/rhui/product/content-rhel8-eus.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 17 (0x11)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = Washington, L = Redmond, O = Microsoft, OU = Azure
        Validity
            Not Before: Feb 24 18:41:14 2021 GMT
            Not After : Feb 24 18:41:14 2023 GMT
        Subject: CN = Redhat Update Infrastructure (rhel8-eus-20210224), O = Azure, OU = Azure public

    The fix is to install the repo update package with one time disable/enable of the other repos: dnf update --disablerepo=* --enablerepo='*microsoft*' rhui-azure-rhel8-eus. This will update the client cert and then the updates can be installed in usual way without resorting to hacks like the one above.

    Oh, M$... (facepalm)

    5 people found this answer helpful.
  2. Nathan French 20 Reputation points
    2023-02-28T18:42:10.8033333+00:00

    This fixed it for us:

    yum --disablerepo='*' remove 'rhui-azure-rhel8'
wget https://rhelimage.blob.core.windows.net/repositories/rhui-microsoft-azure-rhel8.config
yum --config=rhui-microsoft-azure-rhel8.config install rhui-azure-rhel8
yum update ca-certificates
yum clean all
    4 people found this answer helpful.
  3. JimmySalian-2011 29,741 Reputation points
    2023-02-25T13:04:23.4633333+00:00

    Hi,

    Seems like you have expired Certifcates in the local store, worth checking this article from RedHat with a license subscription https://access.redhat.com/solutions/6962382

    Hope this helps.

    JS

    ==

    Please Accept the answer if the information helped you. This will help us and others in the community as well.

  4. vipullag-MSFT 17,986 Reputation points Microsoft Employee
    2023-02-27T03:26:34.15+00:00

    Hello Perumal, Sivaprakasam

    Welcome to Microsoft Q&A Platform, thanks for posting your query here.

    Adding to above response from Marshaljs, based on the error details shared the SSL certificate might have expired or is no longer valid, which is causing the error while trying to download rpms.

    You can try the following steps to resolve this issue:

    1. Check if the system date and time are correct. Incorrect system date and time can cause SSL errors. To check the date and time, run the date command.
    2. Update the ca-certificates package by running the command sudo yum update ca-certificates.
    3. Clear the yum cache by running the command sudo yum clean all.
    4. Try to install the required package again by running the command sudo yum install <package-name>.

    If the above steps don't resolve the issue, you can try disabling the SSL verification temporarily by adding sslverify=false in /etc/yum.conf file, but this is not recommended as it can compromise the security of the system.

    Hope the above mentioned troubleshooting steps helps in resolving your issue.

    If you need further help on this, tag me in a comment.

    If the suggested response helped you resolve your issue, please 'Accept as answer', so that it can help others in the community looking for help on similar topics.

  5. Mani Mahesh Sivakumar 51 Reputation points
    2023-03-06T12:37:33.3433333+00:00

    Hi all,

    This Certificate issue have been resolved by executing below command.

    sudo yum update -y --disablerepo='*' --enablerepo='microsoft'

    Thanks and regards,
    Manimahesh S