RHEL 9 VM Exported from Internal Network Cannot Verify SSL Certificates for Updates

I'm running into a major issue with a Red Hat Enterprise Linux 9 VM that was originally exported from my company's internal infrastructure. I'm now using this VM on a standard public internet connection, and I'm unable to perform basic operations like dnf update due to SSL certificate verification errors.


Problem

Running dnf update results in the following:

    Updating Subscription Management repositories.
    This system is registered with an entitlement server, but is not receiving updates.
    Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs)
    Errors during downloading metadata for repository 'rhel-9-for-x86_64-baseos-rpms':
      - Curl error (77): Problem with the SSL CA cert (path? access rights?) for https://cdn.redhat.com/content/dist/rhel9/9/x86_64/baseos/os/repodata/repomd.xml [error setting certificate file: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem]
    Error: Failed to download metadata for repo 'rhel-9-for-x86_64-baseos-rpms': Cannot download repomd.xml: Curl error (77): Problem with the SSL CA cert (path? access rights?)

Trying to run subscription-manager identity shows:

Unable to verify server's identity: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1147) 

What I’ve Tried

  1. Checked System Time

    • Verified with date and timedatectl. Time seems off, which may be contributing to the SSL issue.
    • Tried enabling NTP with:
      systemctl enable chronyd --now 
      But it fails, saying:
      Failed to enable unit: Unit file chronyd.service does not exist. 
    • I cannot install chrony because dnf is broken due to the SSL certificate issue.
  2. Checked CA Certificate Files

    • Ran:
      find /etc/pki -type f \( -name "*.crt" -o -name "*.cert" \) 
      No certificate files were found.
  3. Compared to Fresh RHEL 9 Install

    • A clean RHEL 9 VM (registered with the same Red Hat account) works fine and has many cert files in /etc/pki/ca-trust/.
  4. Reinstall CA Certificates

    • Ran:
      sudo dnf reinstall ca-certificates
      sudo update-ca-trust extract
      But no certs appeared, and the issue remains.
  5. Checked Proxy Config

    • No proxies in /etc/environment, /etc/profile, shell dotfiles, or subscription-manager:
      subscription-manager config --remove=server.proxy_hostname
      subscription-manager config --remove=server.proxy_port

Context

This VM was managed internally and likely used internal CAs or custom proxy settings. Now that it’s on a public network, it appears unable to verify standard SSL certificates, and it’s missing all cert files in /etc/pki.


Question

What could explain the complete absence of certificate files in /etc/pki, and how can I restore them without access to dnf or a working package manager?

Is there a manual way to recover basic system certificates or sync time so that SSL works again? Or is this VM likely too locked into internal infrastructure to be recovered for public use?

Any help would be greatly appreciated! (I really need to fix this issue; they blame me.)

  • Have you tried to reregister the system with subscription manager? Commented Apr 18 at 19:52
  • @RomeoNinov I did, and at first it showed some cert error so I've disabled the cert verification, then when I tried to dnf update I got the same error as above again. Nothing seems to work; I've even replaced each line in redhat.repo that contains sslcacert=%(ca_cert_dir)sredhat-uep.pem with the actual path (I transferred the file from another VM) and I still got the same error. Commented Apr 22 at 13:25
  • Did you reregister with --force key? Commented Apr 22 at 14:02
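
As an added example (not part of the original question or its comments): the curl error above names /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, so a small POSIX shell check can classify that file directly as missing, a dangling symlink, unreadable, empty, or lacking PEM certificates. The function name check_ca_bundle is hypothetical, and the second default path, /etc/pki/tls/certs/ca-bundle.crt, is the compatibility symlink to that bundle on a stock RHEL install, not something taken from the post.

```shell
#!/bin/sh
# Added diagnostic sketch, not from the original post.
# Classifies a CA bundle file along the lines curl error 77 hints at
# ("path? access rights?"). check_ca_bundle is a hypothetical helper name.
#
# Prints one of: missing | dangling-symlink | unreadable | empty |
#                no-certs | ok:<number of PEM certificates>
# Returns 0 only for ok:<n>.
check_ca_bundle() {
    _path=$1
    # A symlink whose target is gone fails -e, so test it first.
    if [ -L "$_path" ] && [ ! -e "$_path" ]; then
        echo "dangling-symlink"; return 1
    fi
    [ -e "$_path" ] || { echo "missing"; return 1; }
    [ -r "$_path" ] || { echo "unreadable"; return 1; }
    [ -s "$_path" ] || { echo "empty"; return 1; }
    # grep -c exits 1 on zero matches but still prints 0.
    _count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$_path" || true)
    [ "$_count" -gt 0 ] || { echo "no-certs"; return 1; }
    echo "ok:$_count"
}

# With no arguments, check the bundle named in the dnf error plus the
# stock RHEL compatibility path (an assumption, not taken from the post).
if [ "$#" -eq 0 ]; then
    set -- /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
           /etc/pki/tls/certs/ca-bundle.crt
fi
for _p in "$@"; do
    printf '%s: %s\n' "$_p" "$(check_ca_bundle "$_p")"
done
```

Any result other than ok:<n> for the first path matches the "error setting certificate file" condition in the dnf output; rpm -V ca-certificates, which works offline, then shows which packaged files differ from the RPM database.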
