A lot of [SSL certificate problem: certificate has expired] when running "dnf update"

Hi everybody; this issue is drivin’ me crazy :rage: Any effective help is warmly welcome :pray:
I googled dozens of sites without finding definitive solutions. Quick & dirty workarounds like disabling the SSL check are not acceptable to me. I tried all the possible connection types, VPN on and VPN off, inside my home LAN and outside of it, wired, wifi and mobile hotspot: always the same story.
The common error is [SSL certificate problem: certificate has expired], OK, fine: is there a way to get rid of the expired certificates and/or to get valid ones?
Many thanks in advance.
Marco


Here is what happens:

[marco@t420-tovis ~]$>sudo dnf update
[sudo] password di marco:
Tor for Fedora 35 - x86_64                                                                0.0  B/s |   0  B     00:00
Errors during downloading metadata for repository 'tor':
  - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://rpm.torproject.org/fedora/35/x86_64/repodata/repomd.xml [SSL certificate problem: certificate has expired]
Error: Failed to download metadata for repo 'tor': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
Copr repo for PyCharm owned by phracek                                                    0.0  B/s |   0  B     00:01
Errors during downloading metadata for repository 'phracek-PyCharm':
  - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://copr-be.cloud.fedoraproject.org/results/phracek/PyCharm/fedora-35-x86_64/repodata/repomd.xml [SSL certificate problem: certificate has expired]
Error: Failed to download metadata for repo 'phracek-PyCharm': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
RPM Fusion for Fedora 35 - Free                                                           0.0  B/s |   0  B     00:02
Errors during downloading metadata for repository 'rpmfusion-free':
  - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=free-fedora-35&arch=x86_64 [SSL certificate problem: certificate has expired]
Error: Failed to download metadata for repo 'rpmfusion-free': Cannot prepare internal mirrorlist: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=free-fedora-35&arch=x86_64 [SSL certificate problem: certificate has expired]
RPM Fusion for Fedora 35 - Free - Updates                                                 0.0  B/s |   0  B     00:02
Errors during downloading metadata for repository 'rpmfusion-free-updates':
  - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=free-fedora-updates-released-35&arch=x86_64 [SSL certificate problem: certificate has expired]
Error: Failed to download metadata for repo 'rpmfusion-free-updates': Cannot prepare internal mirrorlist: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=free-fedora-updates-released-35&arch=x86_64 [SSL certificate problem: certificate has expired]
RPM Fusion for Fedora 35 - Nonfree                                                        0.0  B/s |   0  B     00:02
Errors during downloading metadata for repository 'rpmfusion-nonfree':
  - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-35&arch=x86_64 [SSL certificate problem: certificate has expired]
Error: Failed to download metadata for repo 'rpmfusion-nonfree': Cannot prepare internal mirrorlist: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-35&arch=x86_64 [SSL certificate problem: certificate has expired]
RPM Fusion for Fedora 35 - Nonfree - NVIDIA Driver                                        0.0  B/s |   0  B     00:01
Errors during downloading metadata for repository 'rpmfusion-nonfree-nvidia-driver':
  - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-nvidia-driver-35&arch=x86_64 [SSL certificate problem: certificate has expired]
Error: Failed to download metadata for repo 'rpmfusion-nonfree-nvidia-driver': Cannot prepare internal mirrorlist: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-nvidia-driver-35&arch=x86_64 [SSL certificate problem: certificate has expired]
RPM Fusion for Fedora 35 - Nonfree - Steam                                                0.0  B/s |   0  B     00:02
Errors during downloading metadata for repository 'rpmfusion-nonfree-steam':
  - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-steam-35&arch=x86_64 [SSL certificate problem: certificate has expired]
Error: Failed to download metadata for repo 'rpmfusion-nonfree-steam': Cannot prepare internal mirrorlist: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-steam-35&arch=x86_64 [SSL certificate problem: certificate has expired]
RPM Fusion for Fedora 35 - Nonfree - Updates                                              0.0  B/s |   0  B     00:01
Errors during downloading metadata for repository 'rpmfusion-nonfree-updates':
  - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-updates-released-35&arch=x86_64 [SSL certificate problem: certificate has expired]
Error: Failed to download metadata for repo 'rpmfusion-nonfree-updates': Cannot prepare internal mirrorlist: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-updates-released-35&arch=x86_64 [SSL certificate problem: certificate has expired]
Repository ignorati: tor, phracek-PyCharm, rpmfusion-free, rpmfusion-free-updates, rpmfusion-nonfree, rpmfusion-nonfree-nvidia-driver, rpmfusion-nonfree-steam, rpmfusion-nonfree-updates
Ultima verifica della scadenza dei metadati: 0:31:50 fa il mar 15 mar 2022, 23:57:42.
Dipendenze risolte.
Nessuna operazione da compiere.
Fatto!
[marco@t420-tovis ~]$>

And this is my environment:

[marco@t420-tovis ~]$>inxi -b
System:
  Host: t420-tovis Kernel: 5.16.11-200.fc35.x86_64 x86_64 bits: 64
    Desktop: GNOME 41.4 Distro: Fedora release 35 (Thirty Five)
Machine:
  Type: Laptop System: LENOVO product: 4174WMP v: ThinkPad T420s
    serial: <superuser required>
  Mobo: LENOVO model: 4174WMP serial: <superuser required>
    UEFI-[Legacy]: LENOVO v: 8CET58WW (1.38 ) date: 07/18/2013
Battery:
  ID-1: BAT0 charge: 29.4 Wh (99.0%) condition: 29.7/39.0 Wh (76.2%)
CPU:
  Info: dual core Intel Core i7-2640M [MT MCP] speed (MHz): avg: 797
    min/max: 800/3500
Graphics:
  Device-1: Intel 2nd Generation Core Processor Family Integrated Graphics
    driver: i915 v: kernel
  Device-2: NVIDIA GF119M [NVS 4200M] driver: nouveau v: kernel
  Device-3: Chicony integrated camera type: USB driver: uvcvideo
  Display: x11 server: X.Org v: 1.20.14 driver: X: loaded: modesetting
    unloaded: fbdev,vesa gpu: nouveau resolution: 1920x1080~60Hz
  OpenGL: renderer: Mesa Intel HD Graphics 3000 (SNB GT2)
    v: 3.3 Mesa 21.3.7
Network:
  Device-1: Intel 82579LM Gigabit Network driver: e1000e
  Device-2: Intel Centrino Advanced-N 6205 [Taylor Peak] driver: iwlwifi
Drives:
  Local Storage: total: 298.09 GiB used: 130.58 GiB (43.8%)
Info:
  Processes: 304 Uptime: 13d 14h 16m Memory: 7.53 GiB used: 6.57 GiB (87.2%)
  Shell: Bash inxi: 3.3.13

The RPMFusion certs had expired and it looks like they’ve already been renewed. If you try it again now, it should be working.

Many thanks for the quick reaction; unfortunately your suggestion is kinda useless… :upside_down_face: Even if it had worked, and it didn’t, what about all the others?
Looks like it’s a problem of my laptop, not of the repos; in fact, just beside it I got another laptop (F34) which doesn’t have this problem.
But again, thanks for taking care :wink:

Hello @markk,
Welcome to ask.:fedora:.org!
Could you try the following on the F35 computer? dnf check-update should show you a list of the pending updates. From there you want to look for the certs related one. Then issue a dnf updateinfo command to give a general info about the updates. Finally, dnf updateinfo list will provide details about each update for dnf and really finally dnf updateinfo info will detail each one. So in your case, the certs for the repos are no longer valid and need updating. They will be listed as an RPM package to be installed, and it can be installed prior to doing the full update.

Also, and I know this sounds crazy, SSL libraries will often report ‘certificate has expired’ when in fact the certificate is not yet valid, and this situation can occur when new certs are deployed but the time/date on the computer validating them is wrong by a small number of hours.

RPMFusion is using letsencrypt, so that shouldn’t be the issue in this case. It looks like Marco happened to have tried to update before RPMFusion was able to renew the letsencrypt certs, which happened very shortly after this was filed. It’s not an issue on Marco’s laptop. dnf update should work normally now that the certs have been renewed.

The reported issue wasn’t just for RPMFusion repos though, it included others. Very odd.
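
Added example (not part of any post in this thread, and not code from dnf or Fedora): a Python triage script for output like the one posted above. It lists the hosts that failed TLS verification, applies a heuristic that is this example's own assumption (failures across several unrelated operators point at the client's clock or trust store rather than at one server), and classifies a certificate validity window against a clock reading so that "expired" and "not yet valid" are told apart. The sample lines are abridged from the posted output; the certificate dates and all function names are constructed for illustration.

```python
import re
import ssl
from collections import defaultdict
from urllib.parse import urlsplit

# Sample lines abridged from the dnf output posted in this thread.
SAMPLE_DNF_OUTPUT = """\
Errors during downloading metadata for repository 'tor':
  - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://rpm.torproject.org/fedora/35/x86_64/repodata/repomd.xml [SSL certificate problem: certificate has expired]
Errors during downloading metadata for repository 'rpmfusion-free':
  - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=free-fedora-35&arch=x86_64 [SSL certificate problem: certificate has expired]
Error: Failed to download metadata for repo 'rpmfusion-free': Cannot prepare internal mirrorlist: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=free-fedora-35&arch=x86_64 [SSL certificate problem: certificate has expired]
Fedora 35 - x86_64 - Updates                               27 kB/s |  17 kB     00:00
[MIRROR] adwaita-qt5-1.4.1-2.fc35_1.4.1-3.fc35.x86_64.drpm: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://fedora.mirrorservice.org/fedora/linux/updates/35/Everything/x86_64/drpms/adwaita-qt5-1.4.1-2.fc35_1.4.1-3.fc35.x86_64.drpm [SSL certificate problem: certificate has expired]
"""

# Constructed 90-day validity window; not taken from any real certificate.
NOT_BEFORE = "Mar 16 12:00:00 2022 GMT"
NOT_AFTER = "Jun 14 12:00:00 2022 GMT"

# One match per failing URL: group 1 is the URL, group 2 the bracketed reason.
CURL60 = re.compile(r"Curl error \(60\): .*? for (https?://\S+) \[([^\]]+)\]")


def parse_failures(dnf_output):
    """Map each host that failed TLS verification to the set of reasons reported."""
    failures = defaultdict(set)
    for url, reason in CURL60.findall(dnf_output):
        failures[urlsplit(url).hostname].add(reason)
    return dict(failures)


def operator_of(host):
    """Rough grouping by the last two DNS labels (a simplification: wrong for e.g. co.uk)."""
    return ".".join(host.split(".")[-2:])


def validity_state(not_before, not_after, clock):
    """Compare a certificate window with a clock reading (OpenSSL-style GMT strings).

    Returns (state, seconds): time until validity starts, time since it ended,
    or remaining validity.
    """
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    now = ssl.cert_time_to_seconds(clock)
    if now < start:
        return "not-yet-valid", start - now
    if now > end:
        return "expired", now - end
    return "valid", end - now


def triage(dnf_output):
    """Summarise TLS failures and say where to look first (heuristic, see lead-in)."""
    failures = parse_failures(dnf_output)
    operators = sorted({operator_of(host) for host in failures})
    if not failures:
        verdict = "no TLS verification failures"
    elif len(operators) == 1:
        verdict = "one operator affected: likely a server-side certificate problem"
    else:
        verdict = ("several unrelated operators affected: "
                   "check the local clock and trust store first")
    return {"hosts": sorted(failures), "operators": operators, "verdict": verdict}


if __name__ == "__main__":
    report = triage(SAMPLE_DNF_OUTPUT)
    print("failing hosts:", ", ".join(report["hosts"]))
    print("verdict:", report["verdict"])
    # A clock three hours behind a freshly issued certificate: not yet valid.
    print(validity_state(NOT_BEFORE, NOT_AFTER, "Mar 16 09:00:00 2022 GMT"))
    # The `date` reading posted in the thread (09:43:53 CET is 08:43:53 GMT).
    print(validity_state(NOT_BEFORE, NOT_AFTER, "Mar 17 08:43:53 2022 GMT"))
```

Run against a saved copy of real `dnf update` output, `triage()` separates "one server let its certificate lapse" from "every HTTPS repo from different operators fails on this machine only", which is the distinction the posts above are circling around.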

Well, I told you I’m going crazy with this, didn’t I? :joy: :joy: :joy:
Thanks to you all.

I checked in the Fedora settings and Date & Time is set to Automatic, if this can help.

@jakfrost: I ran all the commands you suggest, but their output is huge: is there a way for a newbie to attach a text file?

@vwbusguy: I ran again “# dnf update” but nothing changed

It’s good that it is set to Automatic, but is it also correct? :slight_smile:

What’s the output of date in terminal?

[marco@t420-tovis ~]$>date
gio 17 mar 2022, 09:43:53, CET
[marco@t420-tovis ~]$>

Hello @markk,
Yeah tonnes of output eh?
So it could maybe just have something to do with the rpm database. So try sudo rpm --rebuilddb at the cl then try the update with dnf afterwards. The command (obviously) rebuilds the rpm database so you know there aren’t any issues with it for sure. At least it would provide for assurance the rpmdb is good.

OK, done:

[marco@t420-tovis ~]$>sudo rpm --rebuilddb -v
[marco@t420-tovis ~]$>
[marco@t420-tovis ~]$>
[marco@t420-tovis ~]$>sudo dnf update
Tor for Fedora 35 - x86_64                                                                0.0  B/s |   0  B     00:00    
Errors during downloading metadata for repository 'tor':
  - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://rpm.torproject.org/fedora/35/x86_64/repodata/repomd.xml [SSL certificate problem: certificate has expired]
Error: Failed to download metadata for repo 'tor': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
Copr repo for PyCharm owned by phracek                                                    0.0  B/s |   0  B     00:02    
Errors during downloading metadata for repository 'phracek-PyCharm':
  - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://copr-be.cloud.fedoraproject.org/results/phracek/PyCharm/fedora-35-x86_64/repodata/repomd.xml [SSL certificate problem: certificate has expired]
Error: Failed to download metadata for repo 'phracek-PyCharm': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
Fedora 35 - x86_64 - Updates                                                               27 kB/s |  17 kB     00:00    
Fedora 35 - x86_64 - Updates                                                              2.8 MB/s |  31 MB     00:11    
Fedora Modular 35 - x86_64 - Updates                                                       24 kB/s |  16 kB     00:00    
Fedora Modular 35 - x86_64 - Updates                                                      742 kB/s | 2.5 MB     00:03    
packages for the GitHub CLI                                                                33 kB/s | 3.0 kB     00:00    
packages for the GitHub CLI                                                               6.2 kB/s | 2.1 kB     00:00    
google-chrome                                                                              15 kB/s | 1.3 kB     00:00    
google-chrome                                                                             8.2 kB/s | 3.6 kB     00:00    
ProtonVPN Fedora Stable repository                                                        988  B/s | 659  B     00:00    
ProtonVPN Fedora Stable repository                                                         40 kB/s |  25 kB     00:00    
RPM Fusion for Fedora 35 - Free                                                           0.0  B/s |   0  B     00:02    
Errors during downloading metadata for repository 'rpmfusion-free':
  - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=free-fedora-35&arch=x86_64 [SSL certificate problem: certificate has expired]
Error: Failed to download metadata for repo 'rpmfusion-free': Cannot prepare internal mirrorlist: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=free-fedora-35&arch=x86_64 [SSL certificate problem: certificate has expired]
RPM Fusion for Fedora 35 - Free - Updates                                                 0.0  B/s |   0  B     00:04    
Errors during downloading metadata for repository 'rpmfusion-free-updates':
  - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=free-fedora-updates-released-35&arch=x86_64 [SSL certificate problem: certificate has expired]
Error: Failed to download metadata for repo 'rpmfusion-free-updates': Cannot prepare internal mirrorlist: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=free-fedora-updates-released-35&arch=x86_64 [SSL certificate problem: certificate has expired]
RPM Fusion for Fedora 35 - Nonfree                                                        0.0  B/s |   0  B     00:04    
Errors during downloading metadata for repository 'rpmfusion-nonfree':
  - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-35&arch=x86_64 [SSL certificate problem: certificate has expired]
Error: Failed to download metadata for repo 'rpmfusion-nonfree': Cannot prepare internal mirrorlist: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-35&arch=x86_64 [SSL certificate problem: certificate has expired]
RPM Fusion for Fedora 35 - Nonfree - NVIDIA Driver                                        0.0  B/s |   0  B     00:03    
Errors during downloading metadata for repository 'rpmfusion-nonfree-nvidia-driver':
  - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-nvidia-driver-35&arch=x86_64 [SSL certificate problem: certificate has expired]
Error: Failed to download metadata for repo 'rpmfusion-nonfree-nvidia-driver': Cannot prepare internal mirrorlist: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-nvidia-driver-35&arch=x86_64 [SSL certificate problem: certificate has expired]
RPM Fusion for Fedora 35 - Nonfree - Steam                                                0.0  B/s |   0  B     00:02    
Errors during downloading metadata for repository 'rpmfusion-nonfree-steam':
  - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-steam-35&arch=x86_64 [SSL certificate problem: certificate has expired]
Error: Failed to download metadata for repo 'rpmfusion-nonfree-steam': Cannot prepare internal mirrorlist: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-steam-35&arch=x86_64 [SSL certificate problem: certificate has expired]
RPM Fusion for Fedora 35 - Nonfree - Updates                                              0.0  B/s |   0  B     00:03    
Errors during downloading metadata for repository 'rpmfusion-nonfree-updates':
  - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-updates-released-35&arch=x86_64 [SSL certificate problem: certificate has expired]
Error: Failed to download metadata for repo 'rpmfusion-nonfree-updates': Cannot prepare internal mirrorlist: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-updates-released-35&arch=x86_64 [SSL certificate problem: certificate has expired]
teams                                                                                     7.0 kB/s | 3.0 kB     00:00    
TeamViewer - x86_64                                                                       1.0 kB/s | 867  B     00:00    
Ignoring repositories: tor, phracek-PyCharm, rpmfusion-free, rpmfusion-free-updates, rpmfusion-nonfree, rpmfusion-nonfree-nvidia-driver, rpmfusion-nonfree-steam, rpmfusion-nonfree-updates
Dependencies resolved.
==========================================================================================================================
 Package                                   Architecture         Version                       Repository             Size
==========================================================================================================================
Upgrading:
 adwaita-qt5                               x86_64               1.4.1-3.fc35                  updates               107 k
 containernetworking-plugins               x86_64               1.1.0-1.fc35                  updates               8.6 M
 distribution-gpg-keys                     noarch               1.67-1.fc35                   updates               356 k
 duplicity                                 x86_64               0.8.22-1.fc35                 updates               608 k
 evince                                    x86_64               41.4-1.fc35                   updates               2.2 M
 evince-djvu                               x86_64               41.4-1.fc35                   updates                30 k
 evince-libs                               x86_64               41.4-1.fc35                   updates               372 k
 evince-nautilus                           x86_64               41.4-1.fc35                   updates                18 k
 evince-previewer                          x86_64               41.4-1.fc35                   updates                26 k
 evince-thumbnailer                        x86_64               41.4-1.fc35                   updates                17 k
 gh                                        x86_64               2.6.0-1                       gh-cli                7.2 M
 libadwaita-qt5                            x86_64               1.4.1-3.fc35                  updates               141 k
Installing group/module packages:
 qgnomeplatform-qt5                        x86_64               0.8.4-5.fc35                  updates               176 k
     replacing  qgnomeplatform.x86_64 0.8.4-4.fc35

Transaction Summary
==========================================================================================================================
Install   1 Package
Upgrade  12 Packages

Total download size: 20 M
Is this ok [y/N]: y
Downloading Packages:
[MIRROR] adwaita-qt5-1.4.1-2.fc35_1.4.1-3.fc35.x86_64.drpm: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://fedora.mirrorservice.org/fedora/linux/updates/35/Everything/x86_64/drpms/adwaita-qt5-1.4.1-2.fc35_1.4.1-3.fc35.x86_64.drpm [SSL certificate problem: certificate has expired]
[MIRROR] distribution-gpg-keys-1.66-1.fc35_1.67-1.fc35.noarch.drpm: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://fedora.mirrorservice.org/fedora/linux/updates/35/Everything/x86_64/drpms/distribution-gpg-keys-1.66-1.fc35_1.67-1.fc35.noarch.drpm [SSL certificate problem: certificate has expired]
[MIRROR] duplicity-0.8.21-1.fc35_0.8.22-1.fc35.x86_64.drpm: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://fedora.mirrorservice.org/fedora/linux/updates/35/Everything/x86_64/drpms/duplicity-0.8.21-1.fc35_0.8.22-1.fc35.x86_64.drpm [SSL certificate problem: certificate has expired]
(1/13): adwaita-qt5-1.4.1-2.fc35_1.4.1-3.fc35.x86_64.drpm                                  28 kB/s |  24 kB     00:00    
(2/13): distribution-gpg-keys-1.66-1.fc35_1.67-1.fc35.noarch.drpm                          63 kB/s |  60 kB     00:00    
(3/13): duplicity-0.8.21-1.fc35_0.8.22-1.fc35.x86_64.drpm                                  95 kB/s | 106 kB     00:01    
(4/13): evince-djvu-41.3-1.fc35_41.4-1.fc35.x86_64.drpm                                    38 kB/s | 9.1 kB     00:00    
(5/13): evince-libs-41.3-1.fc35_41.4-1.fc35.x86_64.drpm                                    97 kB/s |  31 kB     00:00    
[DRPM 1/8] adwaita-qt5-1.4.1-2.fc35_1.4.1-3.fc35.x86_64.drpm: done                                                       
[DRPM 2/8] evince-djvu-41.3-1.fc35_41.4-1.fc35.x86_64.drpm: done                                                         
(6/13): evince-nautilus-41.3-1.fc35_41.4-1.fc35.x86_64.drpm                               9.6 kB/s | 8.2 kB     00:00    
(7/13): evince-41.3-1.fc35_41.4-1.fc35.x86_64.drpm                                        427 kB/s | 608 kB     00:01    
[DRPM 3/8] evince-nautilus-41.3-1.fc35_41.4-1.fc35.x86_64.drpm: done                                                     
(8/13): libadwaita-qt5-1.4.1-2.fc35_1.4.1-3.fc35.x86_64.drpm                               36 kB/s |  22 kB     00:00    
(9/13): qgnomeplatform-qt5-0.8.4-5.fc35.x86_64.rpm                                        279 kB/s | 176 kB     00:00    
(10/13): evince-previewer-41.4-1.fc35.x86_64.rpm                                           70 kB/s |  26 kB     00:00    
(11/13): evince-thumbnailer-41.4-1.fc35.x86_64.rpm                                         45 kB/s |  17 kB     00:00    
(12/13): containernetworking-plugins-1.1.0-1.fc35.x86_64.rpm                              3.9 MB/s | 8.6 MB     00:02    
(13/13): gh_2.6.0_linux_amd64.rpm                                                         2.2 MB/s | 7.2 MB     00:03    
[DRPM 4/8] distribution-gpg-keys-1.66-1.fc35_1.67-1.fc35.noarch.drpm: done                                               
[DRPM 5/8] duplicity-0.8.21-1.fc35_0.8.22-1.fc35.x86_64.drpm: done                                                       
[DRPM 6/8] evince-libs-41.3-1.fc35_41.4-1.fc35.x86_64.drpm: done                                                         
[DRPM 7/8] libadwaita-qt5-1.4.1-2.fc35_1.4.1-3.fc35.x86_64.drpm: done                                                    
[DRPM 8/8] evince-41.3-1.fc35_41.4-1.fc35.x86_64.drpm: done                                                              
--------------------------------------------------------------------------------------------------------------------------
Total                                                                                     1.7 MB/s |  17 MB     00:10     
Delta RPMs reduced 19.8 MB of updates to 16.9 MB (14.7% saved)
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                  1/1 
  Upgrading        : libadwaita-qt5-1.4.1-3.fc35.x86_64                                                              1/26 
  Upgrading        : adwaita-qt5-1.4.1-3.fc35.x86_64                                                                 2/26 
  Upgrading        : evince-libs-41.4-1.fc35.x86_64                                                                  3/26 
  Upgrading        : evince-djvu-41.4-1.fc35.x86_64                                                                  4/26 
  Upgrading        : evince-previewer-41.4-1.fc35.x86_64                                                             5/26 
  Upgrading        : evince-thumbnailer-41.4-1.fc35.x86_64                                                           6/26 
  Upgrading        : evince-41.4-1.fc35.x86_64                                                                       7/26 
  Upgrading        : evince-nautilus-41.4-1.fc35.x86_64                                                              8/26 
  Installing       : qgnomeplatform-qt5-0.8.4-5.fc35.x86_64                                                          9/26 
  Upgrading        : gh-2.6.0-1.x86_64                                                                              10/26 
  Upgrading        : duplicity-0.8.22-1.fc35.x86_64                                                                 11/26 
  Upgrading        : distribution-gpg-keys-1.67-1.fc35.noarch                                                       12/26 
  Upgrading        : containernetworking-plugins-1.1.0-1.fc35.x86_64                                                13/26 
  Cleanup          : evince-nautilus-41.3-1.fc35.x86_64                                                             14/26 
  Cleanup          : evince-41.3-1.fc35.x86_64                                                                      15/26 
  Cleanup          : evince-previewer-41.3-1.fc35.x86_64                                                            16/26 
  Cleanup          : evince-thumbnailer-41.3-1.fc35.x86_64                                                          17/26 
  Cleanup          : evince-djvu-41.3-1.fc35.x86_64                                                                 18/26 
  Obsoleting       : qgnomeplatform-0.8.4-4.fc35.x86_64                                                             19/26 
  Cleanup          : distribution-gpg-keys-1.66-1.fc35.noarch                                                       20/26 
  Cleanup          : adwaita-qt5-1.4.1-2.fc35.x86_64                                                                21/26 
  Cleanup          : libadwaita-qt5-1.4.1-2.fc35.x86_64                                                             22/26 
  Cleanup          : evince-libs-41.3-1.fc35.x86_64                                                                 23/26 
  Cleanup          : gh-2.5.2-1.fc35.x86_64                                                                         24/26 
  Cleanup          : duplicity-0.8.21-1.fc35.x86_64                                                                 25/26 
  Cleanup          : containernetworking-plugins-1.0.1-4.fc35.x86_64                                                26/26 
  Running scriptlet: containernetworking-plugins-1.0.1-4.fc35.x86_64                                                26/26 
  Verifying        : qgnomeplatform-qt5-0.8.4-5.fc35.x86_64                                                          1/26 
  Verifying        : qgnomeplatform-0.8.4-4.fc35.x86_64                                                              2/26 
  Verifying        : adwaita-qt5-1.4.1-3.fc35.x86_64                                                                 3/26 
  Verifying        : adwaita-qt5-1.4.1-2.fc35.x86_64                                                                 4/26 
  Verifying        : containernetworking-plugins-1.1.0-1.fc35.x86_64                                                 5/26 
  Verifying        : containernetworking-plugins-1.0.1-4.fc35.x86_64                                                 6/26 
  Verifying        : distribution-gpg-keys-1.67-1.fc35.noarch                                                        7/26 
  Verifying        : distribution-gpg-keys-1.66-1.fc35.noarch                                                        8/26 
  Verifying        : duplicity-0.8.22-1.fc35.x86_64                                                                  9/26 
  Verifying        : duplicity-0.8.21-1.fc35.x86_64                                                                 10/26 
  Verifying        : evince-41.4-1.fc35.x86_64                                                                      11/26 
  Verifying        : evince-41.3-1.fc35.x86_64                                                                      12/26 
  Verifying        : evince-djvu-41.4-1.fc35.x86_64                                                                 13/26 
  Verifying        : evince-djvu-41.3-1.fc35.x86_64                                                                 14/26 
  Verifying        : evince-libs-41.4-1.fc35.x86_64                                                                 15/26 
  Verifying        : evince-libs-41.3-1.fc35.x86_64                                                                 16/26 
  Verifying        : evince-nautilus-41.4-1.fc35.x86_64                                                             17/26 
  Verifying        : evince-nautilus-41.3-1.fc35.x86_64                                                             18/26 
  Verifying        : evince-previewer-41.4-1.fc35.x86_64                                                            19/26 
  Verifying        : evince-previewer-41.3-1.fc35.x86_64                                                            20/26 
  Verifying        : evince-thumbnailer-41.4-1.fc35.x86_64                                                          21/26 
  Verifying        : evince-thumbnailer-41.3-1.fc35.x86_64                                                          22/26 
  Verifying        : libadwaita-qt5-1.4.1-3.fc35.x86_64                                                             23/26 
  Verifying        : libadwaita-qt5-1.4.1-2.fc35.x86_64                                                             24/26 
  Verifying        : gh-2.6.0-1.x86_64                                                                              25/26 
  Verifying        : gh-2.5.2-1.fc35.x86_64                                                                         26/26 

Upgraded:
  adwaita-qt5-1.4.1-3.fc35.x86_64                          containernetworking-plugins-1.1.0-1.fc35.x86_64                
  distribution-gpg-keys-1.67-1.fc35.noarch                 duplicity-0.8.22-1.fc35.x86_64                                 
  evince-41.4-1.fc35.x86_64                                evince-djvu-41.4-1.fc35.x86_64                                 
  evince-libs-41.4-1.fc35.x86_64                           evince-nautilus-41.4-1.fc35.x86_64                             
  evince-previewer-41.4-1.fc35.x86_64                      evince-thumbnailer-41.4-1.fc35.x86_64                          
  gh-2.6.0-1.x86_64                                        libadwaita-qt5-1.4.1-3.fc35.x86_64                             
Installed:
  qgnomeplatform-qt5-0.8.4-5.fc35.x86_64                                                                                  

Complete!
[marco@t420-tovis ~]$>

So it updated for you? In the future, there is a way to import the new keys prior to updating dnf, curl https://getfedora.org/static/fedora.gpg | gpg --import. This will get the new keys for you.

Mmmmhhhh… not sure I fully understand you: something got updated, but there are still a lot of errors.

[root@t420-tovis ~]$>curl https://getfedora.org/static/fedora.gpg | gpg --import
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 14221  100 14221    0     0  70752      0 --:--:-- --:--:-- --:--:-- 71105
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key F55AD3FB5323552A: public key "Fedora (37) <fedora-37-primary@fedoraproject.org>" imported
gpg: key 999F7CBF38AB71F4: public key "Fedora (36) <fedora-36-primary@fedoraproject.org>" imported
gpg: key DB4639719867C58F: public key "Fedora (35) <fedora-35-primary@fedoraproject.org>" imported
gpg: key 1161AE6945719A39: public key "Fedora (34) <fedora-34-primary@fedoraproject.org>" imported
gpg: key 49FD77499570FF31: public key "Fedora (33) <fedora-33-primary@fedoraproject.org>" imported
gpg: key 7BB90722DBBDCF7C: public key "Fedora (iot 2019) <fedora-iot-2019@fedoraproject.org>" imported
gpg: key 8A3872BF3228467C: public key "Fedora (epel9) <epel@fedoraproject.org>" imported
gpg: key 21EA45AB2F86D6A1: public key "Fedora EPEL (8) <epel@fedoraproject.org>" imported
gpg: key 6A2FAEA2352C64E5: public key "Fedora EPEL (7) <epel@fedoraproject.org>" imported
gpg: Total number processed: 9
gpg:               imported: 9

This ran properly, thanks, now I’m wondering where to find the appropriate gpgs for the other repos…

This shows how to do it for the rpmfusion-nonfree repo, and I found that with a quick search.

https://fedora.pkgs.org/34/rpmfusion-nonfree-aarch64/rpmfusion-nonfree-release-34-1.noarch.rpm.html

I suspect it is similar for the rpmfusion-free repo as well. They also have an updated package for Fedora 35, though I have not explicitly searched for that package, but I see that this is installed on my Fedora 35 system.

# dnf list installed rpmfusion*
Installed Packages
rpmfusion-free-appstream-data.noarch                                35-2.fc35                             @rpmfusion-free-updates   
rpmfusion-free-release.noarch                                       35-1                                  @rpmfusion-free           
rpmfusion-free-release-tainted.noarch                               35-1                                  @rpmfusion-free           
rpmfusion-nonfree-appstream-data.noarch                             35-2.fc35                             @rpmfusion-nonfree-updates
rpmfusion-nonfree-release.noarch                                    35-1                                  @rpmfusion-nonfree        
rpmfusion-nonfree-release-tainted.noarch                            35-1                                  @rpmfusion-nonfree        

And those packages came directly from the rpmfusion repos.

:v: Guys I made it! :v:
I found out that the certs bundle used by curl:

[marco@t420-tovis ~]$>
[marco@t420-tovis ~]$>curl-config --ca
/etc/pki/tls/certs/ca-bundle.crt
[marco@t420-tovis ~]$>
[marco@t420-tovis ~]$>ls -l /etc/pki/tls/certs/ca-bundle.crt
lrwxrwxrwx. 1 root root 49 13 dic 18.55 /etc/pki/tls/certs/ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

was corrupt, not updated, or something…
I simply replaced it with the one in use on my F34 laptop and no errors anymore!

[marco@t420-tovis ~]$>
[marco@t420-tovis ~]$>sudo dnf update tor
Tor for Fedora 35 - x86_64                                                                   25 kB/s | 3.0 kB     00:00    
Copr repo for PyCharm owned by phracek                                                      3.1 kB/s | 3.3 kB     00:01    
Copr repo for PyCharm owned by phracek                                                       34 kB/s |  50 kB     00:01    
determining the fastest mirror (9 hosts).. done.                        ===               ] ---  B/s |   0  B     --:-- ETA
RPM Fusion for Fedora 35 - Free                                                             4.3 kB/s | 3.8 kB     00:00    
RPM Fusion for Fedora 35 - Free - Updates                                                    35 kB/s | 4.2 kB     00:00    
RPM Fusion for Fedora 35 - Free - Updates                                                   404 kB/s | 392 kB     00:00    
RPM Fusion for Fedora 35 - Nonfree                                                           20 kB/s | 4.2 kB     00:00    
RPM Fusion for Fedora 35 - Nonfree - NVIDIA Driver                                           19 kB/s | 4.1 kB     00:00    
RPM Fusion for Fedora 35 - Nonfree - NVIDIA Driver                                           32 kB/s |  14 kB     00:00    
RPM Fusion for Fedora 35 - Nonfree - Steam                                                  8.5 kB/s | 3.9 kB     00:00    
RPM Fusion for Fedora 35 - Nonfree - Updates                                                 31 kB/s | 4.5 kB     00:00    
RPM Fusion for Fedora 35 - Nonfree - Updates                                                112 kB/s |  84 kB     00:00    
Dependencies resolved.
Nothing to do.
Complete!
[marco@t420-tovis ~]$>

Many, many thanks to you all for the time spent around this issue.

3 Likes

:rage: I said hooray too early :rage:
A few days later something restored the “wrong” certs bundle, so I had to repeat the manual copy of it from F34.
At this point I think I’ll file a bug.

If you like, you can use chmod to set the ‘immutable’ flag on that file; that will stop it from being changed, and also possibly tell you what is trying to change it since that process will now get an error.

We need to figure out what is doing this—are you working with any certificates? Any tools that may be touching these files? It isn’t happening on other users’ systems so at the moment it looks like something specific to your set up.

Can you look at the creation/modification times of these files? Also, what does rpm -Va \*curl\* say?
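
The two open questions in the posts above (is the bundle behind `/etc/pki/tls/certs/ca-bundle.crt` structurally damaged, and did something rewrite it since the last check) can be answered with a small script. This is an added example, not part of any post in the thread; the function names and the snapshot file are assumptions, and it relies on GNU `readlink`, `stat` and `sha256sum`.

```bash
#!/bin/sh
# Added example: triage a PEM CA bundle before replacing it by hand.
# Function names and the snapshot file are illustrative assumptions.
# Needs GNU coreutils (readlink -f, stat -c, sha256sum) and awk.

# Print "certs=N malformed=M" for the bundle behind $1.
# Returns 0 if well formed, 1 if damaged, 2 if missing or empty.
pem_bundle_check() (
    real=$(readlink -f -- "$1") || { echo "unresolvable: $1"; exit 2; }
    [ -s "$real" ] || { echo "missing-or-empty: $real"; exit 2; }
    awk '
        /^-----BEGIN CERTIFICATE-----$/ {
            if (open) bad++            # previous block never closed
            open = 1; ok = 1; body = 0; next
        }
        /^-----END CERTIFICATE-----$/ {
            if (open && ok && body) good++; else bad++
            open = 0; next
        }
        # Inside a block every line must be base64; text outside is ignored.
        open { if ($0 ~ /^[A-Za-z0-9+\/=]+$/) body++; else ok = 0 }
        END {
            if (open) bad++            # file ends inside a block (truncated)
            printf "certs=%d malformed=%d\n", good, bad
            exit (bad > 0 || good == 0)
        }
    ' "$real"
)

# Print "resolved-path mtime-epoch sha256" so a later run can show a rewrite.
bundle_snapshot() (
    real=$(readlink -f -- "$1") || exit 2
    sum=$(sha256sum -- "$real") || exit 2
    printf '%s %s %s\n' "$real" "$(stat -c %Y -- "$real")" "${sum%% *}"
)

# Succeeds (0) when the bundle no longer matches the snapshot saved in $2.
bundle_changed() {
    [ "$(bundle_snapshot "$1")" != "$(cat -- "$2")" ]
}

# Usage on the path from the thread:
#   b=/etc/pki/tls/certs/ca-bundle.crt
#   pem_bundle_check "$b"; bundle_snapshot "$b" > "$HOME/ca-bundle.snap"
#   bundle_changed "$b" "$HOME/ca-bundle.snap" && echo "bundle was rewritten"
```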