Issue

What were you trying to do that didn't work? When trying to install RHEL content within a misconfigured container, dnf reports a cryptic SSL error downloading metadata for enabled by default repositories (baseos and appstream). WARNING:dnf:Errors during downloading metadata for repository 'rhel-9-for-aarch64-appstream-rpms': - Curl error (58): Problem with the local SSL certificate for https://cdn.redhat.com/content/dist/rhel9/9/aarch64/appstream/os/repodata/repomd.xml [could not load PEM client certificate, OpenSSL error error:80000002:system library::No such file or directory, (no key found, wrong pass phrase, or wrong file format?)] Traceback (most recent call last): File "/usr/lib/python3.9/site-packages/dnf/repo.py", line 574, in load ret = self._repo.load() File "/usr/lib64/python3.9/site-packages/libdnf/repo.py", line 331, in load return _repo.Repo_load(self) libdnf._error.Error: Failed to download metadata for repo 'rhel-9-for-aarch64-appstream-rpms': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried This can happen at times when developers switch from running a command within an activated/subscribed container, to running dnf-related commands on hosts that have not been subscribed. See KFLUXSPRT-2257. What is the impact of this issue to you? Low impact Please provide the package NVR for which the bug is seen: # dnf --version 4.14.0 Installed: dnf-0:4.14.0-17.el9.noarch at Mon Mar 17 18:46:31 2025 Built : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> at Tue Aug 6 11:11:05 2024 Installed: rpm-0:4.16.1.3-29.el9.x86_64 at Wed Sep 18 12:12:58 2024 Built : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> at Wed Dec 13 11:41:48 2023 How reproducible is this bug?: Always Steps to reproduce Create an Activation Key to use for testing purposes (ex: "my-test-activation-key". From a Fedora host, start a UBI9 container, mounting in an empty local directory: podman run --rm -it -v $(pwd):/source:Z registry.access.redhat.com/ubi9 In the container, use subscription-manager to register the "system" with an activation key: subscription-manager register --activationkey="$KEY_NAME" --org="$ORG_ID" Check which repositories are enabled with dnf: dnf repolist --enabled Copy /etc/yum.repos.d/redhat.repo to the mounted filesystem: cp /etc/yum.repos.d/redhat.repo /source/redhat.repo Deactivate the container and exit subscription-manager unregister; exit; Start a new UBI container, mount in the (invalid) redhat.repo file, and attempt to use it to install RHEL Packages: $ podman run --rm -it -v $(pwd):/source:Z registry.access.redhat.com/ubi9 [root]# cp /source/redhat.repo /etc/yum.repos.d/ [root]# dnf install -y python3 python3-pyyaml Expected results dnf (or other tool in the toolchain) provides a user-friendly error message, indicating their system is misconfigured or entitlement keys are missing. Actual results Users see a very cryptic curl error message, and do not know how to address the issue. WARNING:dnf:Errors during downloading metadata for repository 'rhel-9-for-aarch64-appstream-rpms': - Curl error (58): Problem with the local SSL certificate for https://cdn.redhat.com/content/dist/rhel9/9/aarch64/appstream/os/repodata/repomd.xml [could not load PEM client certificate, OpenSSL error error:80000002:system library::No such file or directory, (no key found, wrong pass phrase, or wrong file format?)] Traceback (most recent call last): File "/usr/lib/python3.9/site-packages/dnf/repo.py", line 574, in load ret = self._repo.load() File "/usr/lib64/python3.9/site-packages/libdnf/repo.py", line 331, in load return _repo.Repo_load(self) libdnf._error.Error: Failed to download metadata for repo 'rhel-9-for-aarch64-appstream-rpms': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried

Release Notes

No. of Comments

Resolution

Unresolved