We’re just trying to see if these files are different from what the Fedora package provides given that you’ve noted that they’ve been changed/corrupted. If they are, we need to see what is modifying them.
In that case these files are as they should be, at least at this point in time but I guess that is expected if you’ve fixed your issue recently. It’ll be good to run these checks again when you think they’ve been changed so we can try to figure out what’s changing them.
Other checks:
that this package is from the Fedora repos and that no third party repo is providing it and thus overwriting files on an update:
sudo dnf list \*ca-certificates\*
Installed Packages
ca-certificates.noarch 2021.2.52-3.fc36 @fedora
It should only return a package from Fedora for you too.
that there isn’t another package (not ca-certificates) that is also providing these files. On my F36 where I’m not seeing these issues, these are the only packages that touch the files in the folder:
OK; so I guess the “immutable” flag must be removed (see @kpfleming posts).
These are the checks results:
[marco@t420-tovis ~]$>sudo dnf list \*ca-certificates\*
Last metadata expiration check: 1:05:34 ago on ven 25 mar 2022, 09:57:28.
Installed Packages
ca-certificates.noarch 2021.2.52-1.0.fc35 @updates
Hi everybody. Here we go again…
Something happened (during a “dnf update”, I assume) that corrupted this file:
-r--r--r--. 1 root root 218254 20 ago 22.36 tls-ca-bundle.pem
causing the next “dnf update” to run into the curl errors:
Errors during downloading metadata for repository ‘tor’:
Curl error (60): SSL peer certificate or SSH remote key was not OK for https://rpm.torproject.org/fedora/35/x86_64/repodata/repomd.xml [SSL certificate problem: certificate has expired]
Error: Failed to download metadata for repo ‘tor’: Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
Copr repo for PyCharm owned by phracek 0.0 B/s | 0 B 00:01
Errors during downloading metadata for repository ‘phracek-PyCharm’:
Curl error (60): SSL peer certificate or SSH remote key was not OK for https://copr-be.cloud.fedoraproject.org/results/phracek/PyCharm/fedora-35-x86_64/repodata/repomd.xml [SSL certificate problem: certificate has expired]
Error: Failed to download metadata for repo ‘phracek-PyCharm’: Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
RPM Fusion for Fedora 35 - Free - Updates 0.0 B/s | 0 B 00:00
Errors during downloading metadata for repository ‘rpmfusion-free-updates’:
Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-steam-35&arch=x86_64 [SSL certificate problem: certificate has expired]
Error: Failed to download metadata for repo ‘rpmfusion-nonfree-steam’: Cannot prepare internal mirrorlist: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://mirrors.rpmfusion.org/metalink?repo=nonfree-fedora-steam-35&arch=x86_64 [SSL certificate problem: certificate has expired]
RPM Fusion for Fedora 35 - Nonfree - Updates 0.0 B/s | 0 B 00:02
Errors during downloading metadata for repository ‘rpmfusion-nonfree-updates’:
It sounds like you might have some duplicate packages installed. This can happen if a system update is interrupted before it finishes and can leave your system in a weird state. You might want to run package-cleanup with the clean-dupes option to remove duplicate older versions of packages.
[marco@t420 ~]$>sudo package-cleanup --cleandupes
Last metadata expiration check: 0:00:47 ago on lun 22 ago 2022, 17:01:42.
Error: No duplicated packages found for removal.
[marco@t420 ~]$>
So, I don’t see any bugs about this, and the only karma that the update received for the latest version (2022.2.54-1.2) was also positive. On my F36, this version is also running just fine without any issues. This indicates that this is somehow limited to your system (at least for the moment until we get more users noting that they’re running into the same issue).
Can you recall exactly when this began? Was it immediately after an update? What other packages were updated?
The package update will install the new files for the updated version. As I note, this works fine for us. So we need to see if the version of the file that was installed on your system by the update is:
the correct file
modified by something (which you note as “corrupted”)
Well, I opened this discussion on March 16th, but I had been struggling with this issue for weeks before. Of course it must have been a consequence of an update, but to say exactly when is not possible.
Since then, from time to time, not every time, running a dnf update throws all those curl errors, meaning that something happened after the previous update. What I’m currently doing is running updates each and every day, in order to narrow the time frame to be investigated when the problem next occurs.
That implies that the files from the package are as they should be—they have not been modified by anything else. Could you please run this periodically to keep checking that nothing is modifying the files in any way?
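One way to automate a periodic check like the one requested above, as an added example that is not part of the original post: a POSIX shell script that records a baseline (SHA-256, certificate count, mode, size, mtime) for each .pem bundle and reports any later difference. The bundle directory, the state-file path and the script name are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): report when CA bundle files change.
# BUNDLE_DIR and STATE_FILE defaults are assumptions; adjust for your system.
BUNDLE_DIR="${BUNDLE_DIR:-/etc/pki/ca-trust/extracted/pem}"
STATE_FILE="${STATE_FILE:-/var/lib/ca-bundle-watch.state}"

# Print one record per bundle: path|sha256|cert count|mode|size|mtime (epoch).
snapshot() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        sum=$(sha256sum < "$f" | cut -d' ' -f1)
        # grep -c exits 1 on zero matches but still prints 0.
        certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
        meta=$(stat -c '%a|%s|%Y' "$f")
        printf '%s|%s|%s|%s\n' "$f" "$sum" "$certs" "$meta"
    done
}

# First run stores the baseline and returns 0. Later runs print every record
# that differs ("<" = baseline, ">" = now) and return 1. The baseline is left
# untouched so the change stays visible until someone reviews it.
check_bundles() {
    cur=$(mktemp) || return 2
    snapshot "$1" > "$cur"
    if [ ! -f "$2" ]; then
        mv "$cur" "$2"
        echo "baseline recorded in $2"
        return 0
    fi
    if diff "$2" "$cur" | grep '^[<>]'; then
        echo "bundle changed, detected $(date '+%F %T')"
        rc=1
    else
        rc=0
    fi
    rm -f "$cur"
    return "$rc"
}

# Run only when asked, e.g. from a daily root cron job: sh ca-watch.sh --run
if [ "${1:-}" = "--run" ]; then
    check_bundles "$BUNDLE_DIR" "$STATE_FILE"
fi
```

The mtime in the `>` record narrows down when the file was rewritten, and a drop in the certificate count points to a truncated or replaced bundle rather than a metadata-only change.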
No. Because I don’t have a previous version of Fedora available. clean-dups is not installed and package-cleanup is not installed and nothing new can be installed through dnf because of the certificate errors.
Could you open a new issue please? We haven’t quite reached the root of the issue here so even though you’re both seeing the same error, it’s hard to say if it’s caused by the same underlying issue—sure “using an old ca-certificate package” seems to work around it here, but since so many of us are not experiencing this issue, I don’t think the issue is with the ca-certificate package. So I think we need to debug the issue more to figure out what is causing it.
In the meantime, you can manually download the package from the build system and install it using dnf to see if this workaround also works for you: