Hi everybody; this issue is drivin’ me crazy. Any effective help is warmly welcome.
I googled dozens of sites without finding definitive solutions. Quick & dirty workarounds like disabling the SSL check are not acceptable to me. I tried all the possible connection types, VPN on and VPN off, inside my home LAN and outside of it, wired, wifi and mobile hotspot: always the same story.
The common error is [SSL certificate problem: certificate has expired], OK, fine: is there a way to get rid of the expired certificates and/or to get valid ones?
Many thanks in advance.
Marco
Here is what happens:
*[marco@t420-tovis ~]$>sudo dnf update*
*[sudo] password di marco: *
*Tor for Fedora 35 - x86_64 0.0 B/s | 0 B 00:00 *
*Errors during downloading metadata for repository 'tor':*
* - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://rpm.torproject.org/fedora/35/x86_64/repodata/repomd.xml [SSL certificate problem: certificate has expired]*
*Error: Failed to download metadata for repo 'tor': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried*
*Copr repo for PyCharm owned by phracek 0.0 B/s | 0 B 00:01 *
*Errors during downloading metadata for repository 'phracek-PyCharm':*
* - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://copr-be.cloud.fedoraproject.org/results/phracek/PyCharm/fedora-35-x86_64/repodata/repomd.xml [SSL certificate problem: certificate has expired]*
*Error: Failed to download metadata for repo 'phracek-PyCharm': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried*
*RPM Fusion for Fedora 35 - Free 0.0 B/s | 0 B 00:02 *
*Errors during downloading metadata for repository 'rpmfusion-free':*
* - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=free-fedora-35&arch=x86_64 [SSL certificate problem: certificate has expired]*
*Error: Failed to download metadata for repo 'rpmfusion-free': Cannot prepare internal mirrorlist: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=free-fedora-35&arch=x86_64 [SSL certificate problem: certificate has expired]*
*RPM Fusion for Fedora 35 - Free - Updates 0.0 B/s | 0 B 00:02 *
*Errors during downloading metadata for repository 'rpmfusion-free-updates':*
* - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=free-fedora-updates-released-35&arch=x86_64 [SSL certificate problem: certificate has expired]*
*Error: Failed to download metadata for repo 'rpmfusion-free-updates': Cannot prepare internal mirrorlist: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=free-fedora-updates-released-35&arch=x86_64 [SSL certificate problem: certificate has expired]*
*RPM Fusion for Fedora 35 - Nonfree 0.0 B/s | 0 B 00:02 *
*Errors during downloading metadata for repository 'rpmfusion-nonfree':*
* - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-35&arch=x86_64 [SSL certificate problem: certificate has expired]*
*Error: Failed to download metadata for repo 'rpmfusion-nonfree': Cannot prepare internal mirrorlist: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-35&arch=x86_64 [SSL certificate problem: certificate has expired]*
*RPM Fusion for Fedora 35 - Nonfree - NVIDIA Driver 0.0 B/s | 0 B 00:01 *
*Errors during downloading metadata for repository 'rpmfusion-nonfree-nvidia-driver':*
* - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-nvidia-driver-35&arch=x86_64 [SSL certificate problem: certificate has expired]*
*Error: Failed to download metadata for repo 'rpmfusion-nonfree-nvidia-driver': Cannot prepare internal mirrorlist: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-nvidia-driver-35&arch=x86_64 [SSL certificate problem: certificate has expired]*
*RPM Fusion for Fedora 35 - Nonfree - Steam 0.0 B/s | 0 B 00:02 *
*Errors during downloading metadata for repository 'rpmfusion-nonfree-steam':*
* - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-steam-35&arch=x86_64 [SSL certificate problem: certificate has expired]*
*Error: Failed to download metadata for repo 'rpmfusion-nonfree-steam': Cannot prepare internal mirrorlist: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-steam-35&arch=x86_64 [SSL certificate problem: certificate has expired]*
*RPM Fusion for Fedora 35 - Nonfree - Updates 0.0 B/s | 0 B 00:01 *
*Errors during downloading metadata for repository 'rpmfusion-nonfree-updates':*
* - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-updates-released-35&arch=x86_64 [SSL certificate problem: certificate has expired]*
*Error: Failed to download metadata for repo 'rpmfusion-nonfree-updates': Cannot prepare internal mirrorlist: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-updates-released-35&arch=x86_64 [SSL certificate problem: certificate has expired]*
*Repository ignorati: tor, phracek-PyCharm, rpmfusion-free, rpmfusion-free-updates, rpmfusion-nonfree, rpmfusion-nonfree-nvidia-driver, rpmfusion-nonfree-steam, rpmfusion-nonfree-updates*
*Ultima verifica della scadenza dei metadati: 0:31:50 fa il mar 15 mar 2022, 23:57:42.*
*Dipendenze risolte.*
*Nessuna operazione da compiere.*
*Fatto!*
*[marco@t420-tovis ~]$>*
Many thanks for the quick reaction; unfortunately your suggestion is kinda useless… Even if it had worked, and it didn’t, what about all the others?
Looks like it’s a problem of my laptop, not of the repos; in fact, just beside it I got another laptop (F34) which doesn’t have this problem.
But again, thanks for taking care.
Hello @markk,
Welcome to ask..org!
Could you try the following on the F35 computer? `dnf check-update` should show you a list of the pending updates. From there you want to look for the certs-related one. Then issue a `dnf updateinfo` command to give general info about the updates. Finally, `dnf updateinfo list` will provide details about each update for dnf and really finally `dnf updateinfo info` will detail each one. So in your case, the certs for the repos are no longer valid and need updating. They will be listed as an RPM package to be installed, and it can be installed prior to doing the full update.
Also, and I know this sounds crazy, SSL libraries will often report ‘certificate has expired’ when in fact the certificate is not yet valid, and this situation can occur when new certs are deployed but the time/date on the computer validating them is wrong by a small number of hours.
RPMFusion is using letsencrypt, so that shouldn’t be the issue in this case. It looks like Marco happened to have tried to update before RPMFusion was able to renew the letsencrypt certs, which happened very shortly after this was filed. It’s not an issue on Marco’s laptop. dnf update should work normally now that the certs have been renewed.
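Two checks that separate the explanations raised so far, as an added example (not code from any poster or from dnf): `triage` groups the curl error 60 lines by host, on the heuristic that several unrelated services failing at once points at the client's clock or CA bundle rather than at one server, and `window_state` tells a not-yet-valid certificate apart from an expired one. The function names and the 12-hour tolerance are assumptions made for the example; the three log lines are taken from the output posted above.

```python
import re
import ssl
from urllib.parse import urlsplit

# Three of the error lines from the dnf output above, one per failing service.
DNF_OUTPUT = """\
 - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://rpm.torproject.org/fedora/35/x86_64/repodata/repomd.xml [SSL certificate problem: certificate has expired]
 - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://copr-be.cloud.fedoraproject.org/results/phracek/PyCharm/fedora-35-x86_64/repodata/repomd.xml [SSL certificate problem: certificate has expired]
 - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=free-fedora-35&arch=x86_64 [SSL certificate problem: certificate has expired]
"""

CURL60 = re.compile(r"Curl error \(60\): .*? for (https://\S+) \[SSL certificate problem: ([^\]]+)\]")

def failing_hosts(dnf_output):
    """Map each certificate problem to the set of hosts that reported it."""
    hosts = {}
    for url, problem in CURL60.findall(dnf_output):
        hosts.setdefault(problem, set()).add(urlsplit(url).hostname)
    return hosts

def triage(dnf_output):
    """Heuristic: one host points at that server, several unrelated hosts at the client."""
    hosts = failing_hosts(dnf_output).get("certificate has expired", set())
    if not hosts:
        return "no-expiry-errors"
    return "check-client-clock-and-ca-bundle" if len(hosts) > 1 else "check-server-certificate"

def window_state(not_before, not_after, now, tolerance=12 * 3600):
    """Place `now` (epoch seconds) in a validity window given in openssl's
    date format. The second value is True when `now` misses the window by no
    more than `tolerance` seconds (assumed value), as a skewed clock would."""
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    if now < start:
        return "not-yet-valid", start - now <= tolerance
    if now > end:
        return "expired", now - end <= tolerance
    return "valid", False

if __name__ == "__main__":
    print(triage(DNF_OUTPUT))
    # Constructed window: a certificate that becomes valid three hours from "now".
    now = ssl.cert_time_to_seconds("Mar 15 21:00:00 2022 GMT")
    print(window_state("Mar 16 00:00:00 2022 GMT", "Jun 14 00:00:00 2022 GMT", now))
```

The dates for `window_state` are the `notBefore`/`notAfter` values that `openssl x509 -noout -dates` prints for a certificate.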
Hello @markk,
Yeah tonnes of output eh?
So it could maybe just have something to do with the rpm database. So try `sudo rpm --rebuilddb` at the cl then try the update with dnf afterwards. The command (obviously) rebuilds the rpm database so you know there aren’t any issues with it for sure. At least it would provide for assurance the rpmdb is good.
So it updated for you? In the future, there is a way to import the new keys prior to updating dnf: `curl https://getfedora.org/static/fedora.gpg | gpg --import`. This will get the new keys for you.
I suspect it is similar for the rpmfusion-free repo as well. They also have an updated package for fedora 35 though I have not explicitly searched for that package but I see that this is installed on my fedora 35 system.
I said hooray too early.
A few days later something restored the “wrong” certs bundle, so I got to repeat the manual copy of it from F34.
At this point I think I’ll file a bug.
If you like, you can use chmod to set the ‘immutable’ flag on that file; that will stop it from being changed, and also possibly tell you what is trying to change it since that process will now get an error.
We need to figure out what is doing this—are you working with any certificates? Any tools that may be touching these files? It isn’t happening on other users’ systems so at the moment it looks like something specific to your set up.
Can you look at the creation/modification times of these files? Also, what does `rpm -Va \*curl\*` say?