Unable to open TLS connection to mirrors.fedoraproject.org

I cannot update DNF’s local cache or upgrade packages from the main Fedora repositories (i.e., sudo dnf update, sudo dnf install openssl). Updating RPM Fusion repositories works as normal (i.e., sudo dnf update --repoid=rpmfusion-free).

When attempting to update the updates repository (i.e., sudo dnf update --repoid=updates --verbose), DNF shows the following error 12 times before exiting.

error: Curl error (35):
  SSL connect error for https://mirrors.fedoraproject.org/metalink?repo=updates-released-f37&arch=x86_64
    [error:0A000126:SSL routines::unexpected eof while reading]

With more testing, I have found that I cannot open any TLS connection to mirrors.fedoraproject.org at all.

  • Firefox fails with PR_END_OF_FILE_ERROR.
  • Chromium fails with ERR_CONNECTION_CLOSED.
  • cURL fails with:
    curl: (35) error:0A000126:SSL routines::unexpected eof while reading
  • wget fails with:
    GnuTLS: The TLS connection was non-properly terminated.
    Unable to establish SSL connection.
  • OpenSSL (i.e., openssl s_client -connect -servername mirrors.fedoraproject.org) fails with:
    C0839BE58E7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:321:
    no peer certificate available
    No client certificate CA names sent
    SSL handshake has read 0 bytes and written 336 bytes
    Verification: OK
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)

This host can be connected to from other hosts on the LAN. Enabling or disabling a proxy VPN has no effect. Changing DNS configuration from Cloudflare DNS to ISP DNS for the current connection in Settings has no effect, even after disabling and re-enabling Wi-Fi.

nslookup and dig both resolve mirrors.fedoraproject.org to IP

This issue has persisted for about a week. Any ideas?

It was DNS.

I was using dig wrong, forgetting to include @ before the resolver IP. Running dig @ mirrors.fedoraproject.org yields a proper DNS response, notably not including I had investigated this IP before and had mistakenly figured it was valid since it is in Red Hat’s AS. I assume this IP was used by mirrors.- and wildcard.fedoraproject.org until recently, but has been decommissioned.

Clearing DNS cache with sudo resolvectl flush-caches did not resolve the issue.

Finally, I checked /etc/hosts, and found two lines I did not recognise: mirrors.fedoraproject.org mirrors.xtom.de

These lines appear to have been added by some program running on this machine, but I did not add them myself. Removing these lines and saving /etc/hosts fixed the issue.

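A check for the cause found in this thread, as an added example that is not part of the original post: it lists hosts-file entries that pin a given hostname, and can show the system's answer beside a direct query to a chosen resolver. The function names and the sample hosts content (documentation-range addresses) are constructed for illustration.

```sh
#!/bin/sh
# Added example: find /etc/hosts entries that override DNS for given names.

# hosts_overrides FILE NAME...  -> prints "LINE ADDRESS NAME" per matching entry
hosts_overrides() {
    file=$1; shift
    awk -v names="$*" '
        BEGIN {
            n = split(tolower(names), want, " ")
            for (i = 1; i <= n; i++) target[want[i]] = 1
        }
        {
            sub(/#.*/, "")             # drop full-line and trailing comments
            if (NF < 2) next           # blank, or an address with no names
            for (i = 2; i <= NF; i++)  # field 1 is the address, the rest are names
                if (tolower($i) in target) print NR, $1, tolower($i)
        }
    ' "$file"
}

# compare_resolution NAME RESOLVER_IP -> system answer (NSS, which normally
# consults /etc/hosts) beside a direct query sent to RESOLVER_IP. Needs network.
compare_resolution() {
    printf 'system:   %s\n' "$(getent ahosts "$1" | awk '{print $1}' | sort -u | tr '\n' ' ')"
    printf 'resolver: %s\n' "$(dig +short "@$2" "$1" | tr '\n' ' ')"
}

# Constructed sample; addresses are from documentation ranges, not real mirrors.
sample_hosts() {
    cat <<'EOF'
127.0.0.1     localhost localhost.localdomain
# 192.0.2.10  mirrors.fedoraproject.org
192.0.2.10    Mirrors.FedoraProject.org mirrors.xtom.de
2001:db8::10  mirrors.fedoraproject.org   # trailing comment
192.0.2.20    notmirrors.fedoraproject.org.example
EOF
}

# Offline demo against the sample; point it at /etc/hosts on a real machine.
tmp=$(mktemp)
sample_hosts > "$tmp"
hosts_overrides "$tmp" mirrors.fedoraproject.org mirrors.xtom.de
rm -f "$tmp"
```

On a real machine, `hosts_overrides /etc/hosts mirrors.fedoraproject.org` printing anything means a local entry is pinning that name, and flushing the resolver cache will not change the answer.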