Azure RHEL 8 Virtual machines are unable to download any rpms from RHEL repos due to below error

"OpenSSL SSL_read: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired, errno 0"

sudo yum install wget

> Red Hat Enterprise Linux 8 for x86_64 - BaseOS  0.0  B/s |   0  B     00:00
> Errors during downloading metadata for repository 'rhui-rhel-8-for-x86_64-baseos-rhui-rpms':
>   - Curl error (56): Failure when receiving data from the peer for https://rhui-1.microsoft.com/pulp/repos/content/dist/rhel8/rhui/8/x86_64/baseos/os/repodata/repomd.xml [OpenSSL SSL_read: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired, errno 0]
>   - Curl error (56): Failure when receiving data from the peer for https://rhui-3.microsoft.com/pulp/repos/content/dist/rhel8/rhui/8/x86_64/baseos/os/repodata/repomd.xml [OpenSSL SSL_read: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired, errno 0]
>   - Curl error (56): Failure when receiving data from the peer for https://rhui-2.microsoft.com/pulp/repos/content/dist/rhel8/rhui/8/x86_64/baseos/os/repodata/repomd.xml [OpenSSL SSL_read: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired, errno 0]
> Error: Failed to download metadata for repo 'rhui-rhel-8-for-x86_64-baseos-rhui-rpms': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
						

It appears the certificate used to auth the client has expired. Here's the line from repo file referencing it:
sslclientcert=/etc/pki/rhui/product/content-rhel8-eus.crt

And here's that cert info (note the expiry date):

openssl x509 -noout -text -in /etc/pki/rhui/product/content-rhel8-eus.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 17 (0x11)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = Washington, L = Redmond, O = Microsoft, OU = Azure
        Validity
            Not Before: Feb 24 18:41:14 2021 GMT
            Not After : Feb 24 18:41:14 2023 GMT
        Subject: CN = Redhat Update Infrastructure (rhel8-eus-20210224), O = Azure, OU = Azure public

The fix is to install the repo update package with one time disable/enable of the other repos: dnf update --disablerepo=* --enablerepo='*microsoft*' rhui-azure-rhel8-eus. This will update the client cert and then the updates can be installed in usual way without resorting to hacks like the one above.

Oh, M$... (facepalm)

This fixed it for us:

yum --disablerepo='*' remove 'rhui-azure-rhel8'
wget https://rhelimage.blob.core.windows.net/repositories/rhui-microsoft-azure-rhel8.config
yum --config=rhui-microsoft-azure-rhel8.config install rhui-azure-rhel8
yum update ca-certificates
yum clean all

Seems like you have expired Certifcates in the local store, worth checking this article from RedHat with a license subscription https://access.redhat.com/solutions/6962382

Hope this helps.

Please Accept the answer if the information helped you. This will help us and others in the community as well.

Hello Perumal, Sivaprakasam

Welcome to Microsoft Q&A Platform, thanks for posting your query here.

Adding to above response from Marshaljs, based on the error details shared the SSL certificate might have expired or is no longer valid, which is causing the error while trying to download rpms.

You can try the following steps to resolve this issue:

  • Check if the system date and time are correct. Incorrect system date and time can cause SSL errors. To check the date and time, run the date command.
  • Update the ca-certificates package by running the command sudo yum update ca-certificates.
  • Clear the yum cache by running the command sudo yum clean all.
  • Try to install the required package again by running the command sudo yum install <package-name>.
  • If the above steps don't resolve the issue, you can try disabling the SSL verification temporarily by adding sslverify=false in /etc/yum.conf file, but this is not recommended as it can compromise the security of the system.

    Hope the above mentioned troubleshooting steps helps in resolving your issue.

    If you need further help on this, tag me in a comment.

    If the suggested response helped you resolve your issue, please 'Accept as answer', so that it can help others in the community looking for help on similar topics.

    Hello,

    I'm facing the same issue as Mani Mahesh Sivakumar. I already tried all mentioned steps, but no result.

    Please help

    Hi all,

    This Certificate issue have been resolved by executing below command.

    sudo yum update -y --disablerepo='*' --enablerepo='microsoft'

    Thanks and regards,
    Manimahesh S