Normal What were you trying to do that didn't work?
When trying to install RHEL content within a misconfigured container, dnf reports a cryptic SSL error downloading metadata for enabled by default repositories (baseos and appstream).
WARNING:dnf:Errors during downloading metadata for repository 'rhel-9-for-aarch64-appstream-rpms': - Curl error (58): Problem with the local SSL certificate for https://cdn.redhat.com/content/dist/rhel9/9/aarch64/appstream/os/repodata/repomd.xml [could not load PEM client certificate, OpenSSL error error:80000002:system library::No such file or directory, (no key found, wrong pass phrase, or wrong file format?)] Traceback (most recent call last): File "/usr/lib/python3.9/site-packages/dnf/repo.py", line 574, in load ret = self._repo.load() File "/usr/lib64/python3.9/site-packages/libdnf/repo.py", line 331, in load return _repo.Repo_load(self) libdnf._error.Error: Failed to download metadata for repo 'rhel-9-for-aarch64-appstream-rpms': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
This can happen at times when developers switch from running a command within an activated/subscribed container, to running dnf-related commands on hosts that have not been subscribed. See KFLUXSPRT-2257.
What is the impact of this issue to you?
Low impact
Please provide the package NVR for which the bug is seen:
# dnf --version 4.14.0 Installed: dnf-0:4.14.0-17.el9.noarch at Mon Mar 17 18:46:31 2025 Built : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> at Tue Aug 6 11:11:05 2024 Installed: rpm-0:4.16.1.3-29.el9.x86_64 at Wed Sep 18 12:12:58 2024 Built : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> at Wed Dec 13 11:41:48 2023
How reproducible is this bug?:
Always
Steps to reproduce
- Create an Activation Key to use for testing purposes (ex: "my-test-activation-key".
- From a Fedora host, start a UBI9 container, mounting in an empty local directory:
podman run --rm -it -v $(pwd):/source:Z registry.access.redhat.com/ubi9
- In the container, use subscription-manager to register the "system" with an activation key:
subscription-manager register --activationkey="$KEY_NAME" --org="$ORG_ID"
- Check which repositories are enabled with dnf:
dnf repolist --enabled
- Copy /etc/yum.repos.d/redhat.repo to the mounted filesystem:
cp /etc/yum.repos.d/redhat.repo /source/redhat.repo
- Deactivate the container and exit
subscription-manager unregister; exit;
- Start a new UBI container, mount in the (invalid) redhat.repo file, and attempt to use it to install RHEL Packages:
$ podman run --rm -it -v $(pwd):/source:Z registry.access.redhat.com/ubi9 [root]# cp /source/redhat.repo /etc/yum.repos.d/ [root]# dnf install -y python3 python3-pyyaml
Expected results
dnf (or other tool in the toolchain) provides a user-friendly error message, indicating their system is misconfigured or entitlement keys are missing.
Actual results
Users see a very cryptic curl error message, and do not know how to address the issue.
WARNING:dnf:Errors during downloading metadata for repository 'rhel-9-for-aarch64-appstream-rpms': - Curl error (58): Problem with the local SSL certificate for https://cdn.redhat.com/content/dist/rhel9/9/aarch64/appstream/os/repodata/repomd.xml [could not load PEM client certificate, OpenSSL error error:80000002:system library::No such file or directory, (no key found, wrong pass phrase, or wrong file format?)] Traceback (most recent call last): File "/usr/lib/python3.9/site-packages/dnf/repo.py", line 574, in load ret = self._repo.load() File "/usr/lib64/python3.9/site-packages/libdnf/repo.py", line 331, in load return _repo.Repo_load(self) libdnf._error.Error: Failed to download metadata for repo 'rhel-9-for-aarch64-appstream-rpms': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
