No valid mirrors were found

When running rpm-ostree update I’m getting an error

error: While pulling fedora/34/x86_64/silverblue: No valid mirrors were found in mirrorlist 'https://ostree.fedoraproject.org/mirrorlist'

https://ostree.fedoraproject.org/mirrorlist

When going to that page, it’s weird, there’s a single link that doesn’t look like anything.

This is tracked at Issue #10114: Prod ostree repo missing content - releng - Pagure.io.

1 Like

I was running into this yesterday but it looks like it was fixed

1 Like

In case somebody stumbles here in 2023.
I have similar issue with my Fedora IoT installation.

TL&DR: It seems the cause is that I have Cryptographic policy to FUTURE

The rpm-ostree upgrade returns “No valid mirrors were found in mirrorlist”.
It tried to dig in more and the mirror exists and it’s fine, it is just that the End-Entity Certificate is not secure enough to be trusted. It is probably caused by me having set the “Cryptographic policies” to FUTURE. :man_facepalming:

Currently I have no solution, other than reverting the policy to a lower one.
I will dig into it more though. Maybe find a mirror with better crypto?

Shell dump…

$ sudo rpm-ostree upgrade --check
error: While pulling fedora/stable/aarch64/iot: No valid mirrors were found in mirrorlist 'https://ostree.fedoraproject.org/iot/mirrorlist'

$ curl https://ostree.fedoraproject.org/iot/mirrorlist
https://d2ju0wfl996cmc.cloudfront.net/

$ curl https://d2ju0wfl996cmc.cloudfront.net/fedora/stable/aarch64/iot
curl: (60) SSL certificate problem: EE certificate key too weak
More details here: https://curl.se/docs/sslcerts.html

$ sudo update-crypto-policies --show
FUTURE

P.S.
You may not have the update-crypto-policies script installed (by default it is not).

This is a different issue. Could you file it in the Silverblue issue tracker or in the Fedora infra issue tracker so that it is considered? Thanks

This is a different issue, I know. The root cause is different, but to an average user it will look the same (Error message is the same). This is likely the place they will end up after googling the problem.

I’ve created a ticket, as you suggested.
https://pagure.io/fedora-infrastructure/issue/11588