Question: Hi, I was trying to install python-pip via yum. However, the command ended up with a ‘CURL error: SSL certificate problem: CA certificate key too weak’. Following is the complete error message. Can someone help me out with this? – Yashikha.
    # yum install python-pip
    Extra Packages for Enterprise Linux 8 - x86_64    0.0 B/s | 0 B 00:07
    Errors during downloading metadata for repository 'epel':
      - Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.fedoraproject.org/metalink?repo=epel-8&arch=x86_64&infra=genclo&content=centos [SSL certificate problem: CA certificate key too weak]
    Error: Failed to download metadata for repo 'epel': Cannot prepare internal mirrorlist: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.fedoraproject.org/metalink?repo=epel-8&arch=x86_64&infra=genclo&content=centos [SSL certificate problem: CA certificate key too weak]
Solution: How to fix cURL Error: SSL certificate problem: CA certificate key too weak
Before we start discussing the problem, you may want to read this article that covers the system-wide cryptographic policies in CentOS.
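Getting back to the error, it seems the operating system has its system-wide cryptographic policy set to FUTURE, which is expected to deny access to websites that use weak certificates. The message "CA certificate key too weak" points at a CA certificate in the repo's chain whose key the policy does not accept. Hence, cURL failed to authenticate the peer certificates of the repo URLs.
The workaround is to set the system-wide crypto policy to DEFAULT, or to find another repo that complies with the stronger policy. Note that the policy is system-wide: switching to DEFAULT relaxes the requirements for every application that follows it, not only for yum.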
Find the current crypto policy in CentOS:
    # update-crypto-policies --show
    FUTURE
You can update the crypto policy as shown below:
    # update-crypto-policies --set DEFAULT
    Setting system policy to DEFAULT
    Note: System-wide crypto policies are applied on application start-up.
    It is recommended to restart the system for the change of policies
    to fully take place.
You will have to restart the system for the policy change to take effect. Then go ahead and install the package again; hopefully, it should work.
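
To see which certificate in a chain trips the stricter policy before relaxing it, the following added example (not part of the original answer) scans the text output of `openssl x509 -noout -text` and lists RSA keys below a minimum size. The helper names `weak_keys` and `sample_chain` are hypothetical, the sample chain is constructed, and the 3072-bit (FUTURE) and 2048-bit (DEFAULT) RSA minimums are taken from Red Hat's crypto-policies documentation rather than from this page.

```shell
#!/bin/sh
# Added example: list RSA certificates whose key is smaller than a minimum size.
# Input (stdin): text from `openssl x509 -noout -text -in cert.pem`, one or
# more certificates concatenated. Output: "<bits> <subject>" per weak key.
# Assumption: 3072 is the RSA minimum under FUTURE (2048 under DEFAULT).
weak_keys() {
    awk -v min="${1:-3072}" '
        # Remember the subject of the certificate currently being read.
        /^[ \t]*Subject:/ {
            subject = $0
            sub(/^[ \t]*Subject:[ \t]*/, "", subject)
        }
        # Track the key algorithm so EC keys (e.g. 256 bit) are not misjudged.
        /Public Key Algorithm:/ { alg = $NF }
        # Matches both "RSA Public-Key: (N bit)" and "Public-Key: (N bit)".
        /Public-Key: \(/ {
            bits = $0
            sub(/.*Public-Key: \(/, "", bits)
            sub(/ bit.*/, "", bits)
            if (alg == "rsaEncryption" && bits + 0 < min + 0)
                print bits, subject
        }
    '
}

# Constructed sample: trimmed text output for a three-certificate chain.
sample_chain() {
    cat <<'EOF'
        Subject: C = XX, O = Example, CN = Constructed Root CA
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
        Subject: C = XX, O = Example, CN = Constructed Intermediate CA
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
        Subject: CN = mirror.example.test
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
EOF
}

# Flags only the 2048-bit intermediate when checked against the FUTURE minimum.
sample_chain | weak_keys 3072
```

An empty result for `weak_keys 2048` on the same input shows why the chain is accepted again once the policy is set to DEFAULT.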