Affected versions: RHEL 10.0, RHEL 10.1

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Package installation and security updates fail because DNF cannot verify mirror TLS certificates.

Environment & Reproduction

Observed on RHEL 10 hosts using custom mirrors or middleboxes that re-sign TLS traffic.

dnf makecache -v
openssl s_client -connect mirror.example:443 -servername mirror.example < /dev/null | head -n 40

Root Cause Analysis

The system trust store lacks the required CA chain, or the repo definitions point to stale mirror endpoints.

Quick Triage

Check trust, subscription reachability, and relevant logs.

rpm -q ca-certificates
systemctl status rhsmcertd
firewall-cmd --list-all
getenforce
journalctl -u rhsmcertd -n 50 --no-pager

Step-by-Step Diagnosis

Validate certificate chain and compare against active trusted anchors.

trust list | head -n 80
openssl s_client -connect cdn.redhat.com:443 -servername cdn.redhat.com < /dev/null | sed -n '1,80p'
dnf -v repolist
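
An added example, not part of the original article: a small shell function that reads the openssl s_client output from the commands above and maps OpenSSL's final verify code, plus an optional expected-issuer check, to a likely cause. The function name classify_tls, its labels and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original page. classify_tls and its labels
# are hypothetical names; the numeric codes are OpenSSL verify results.

# Reads `openssl s_client` output on stdin and prints one label.
# $1 (optional): text the server certificate's issuer should contain.
classify_tls() {
    expected_issuer=${1:-}
    out=$(cat)
    # Final verdict line, e.g. "Verify return code: 20 (unable to get ...)"
    code=$(printf '%s\n' "$out" |
        sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
    # Issuer of the server (leaf) certificate
    issuer=$(printf '%s\n' "$out" | sed -n 's/^issuer= *//p' | head -n 1)

    case $code in
        '') echo "no-verdict" ;;        # no handshake: network, proxy, firewall
        0)  case $issuer in             # chain validates; check who signed it
                *"$expected_issuer"*) echo "ok" ;;
                *) echo "unexpected-issuer" ;;  # e.g. a trusted re-signing proxy
            esac ;;
        9)  echo "not-yet-valid" ;;     # check the host clock first
        10) echo "expired" ;;           # expired certificate or clock far ahead
        19) echo "untrusted-root" ;;    # chain ends in a root that is not an anchor
        20) echo "issuer-not-found" ;;  # issuing CA missing from the trust store
        21) echo "incomplete-chain" ;;  # server sent only its own certificate
        *)  echo "other:$code" ;;
    esac
}

# Constructed sample output (abridged), not captured from a real host.
sample_resigned='subject=CN = mirror.example
issuer=O = Example Corp, CN = Example Inspection CA
    Verify return code: 19 (self-signed certificate in certificate chain)'

sample_trusted_proxy='subject=CN = mirror.example
issuer=O = Example Corp, CN = Example Inspection CA
    Verify return code: 0 (ok)'

printf '%s\n' "$sample_resigned" | classify_tls
printf '%s\n' "$sample_trusted_proxy" | classify_tls "Example Mirror CA"
```

On a live host, pipe the real s_client output (with 2>&1) into classify_tls and pass the issuer name you expect for that mirror.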

Solution – Primary Fix

Install or update trust anchors and refresh repository metadata.

sudo cp corp-ca.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
sudo subscription-manager refresh
sudo dnf clean all
sudo dnf makecache
sudo systemctl restart rhsmcertd

Solution – Alternative Approaches

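Temporarily pin a known-good mirror in controlled maintenance windows. Back up /etc/yum.repos.d/redhat.repo to /root/backup/redhat.repo before editing it, because the rollback plan restores from that copy.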

sudo sed -i 's|^metalink=|#metalink=|g' /etc/yum.repos.d/redhat.repo
sudo sed -i 's|^#baseurl=|baseurl=|g' /etc/yum.repos.d/redhat.repo

Verification & Acceptance Criteria

DNF operations must succeed with no SSL errors and valid repository metadata.

dnf repolist
dnf updateinfo list
journalctl -n 40 --no-pager | grep -i -E 'ssl|certificate|dnf'

Rollback Plan

Remove the newly added anchors and restore the previous repo definition if needed.

sudo rm -f /etc/pki/ca-trust/source/anchors/corp-ca.pem
sudo update-ca-trust
sudo cp /root/backup/redhat.repo /etc/yum.repos.d/redhat.repo

Prevention & Hardening

Track CA rotations and validate mirrors in pre-production before broad rollout.

subscription-manager status
dnf -q makecache

Related Errors & Cross-Refs

This failure is related to clock drift, incomplete intermediate certificates, and transparent proxy misconfiguration.

References & Further Reading

Red Hat certificate trust management and DNF repository security guidance.
