Yum in RHEL 7 Azure VMs: SSL peer rejected your certificate as expired

Affected Products:

  • All ProComputers RHEL 7 images in Azure that include rhui-azure-rhel7 package version 2.2-222 and earlier.

Opened: 2023-02-27

Severity: Severity 4 (Low)

Starting on February 24th 2023, 18:41:11 GMT, the Azure RHUI (Red Hat Update Infrastructure) is no longer reachable from any affected RHEL 7 VM image, and the yum command fails with the error “SSL peer rejected your certificate as expired.”

[root@test-rhel7-vm ~]$ sudo yum update
Loaded plugins: search-disabled-repos
openlogic | 2.9 kB 00:00:00
rhui-microsoft-azure-rhel7 | 2.1 kB 00:00:00
https://rhui-1.microsoft.com/pulp/repos//content/dist/rhel/rhui/server/7/7Server/x86_64/dotnet/1/os/repodata/repomd.xml: [Errno 14] curl#58 - “SSL peer rejected your certificate as expired.”

This happens because the Azure RHUI certificate in the rhui-azure-rhel7-2.2-222.noarch package has expired. You can see the certificate's validity dates with the command below:

[root@test-rhel7-vm ~]$ sudo openssl x509 -in /etc/pki/rhui/product/content.crt -startdate -enddate -noout
notBefore=Feb 24 18:41:11 2021 GMT
notAfter=Feb 24 18:41:11 2023 GMT

To work around this issue, manually update the rhui-azure-rhel7 package using the commands below:

  1. Remove the existing rhui-azure-rhel7 package

[root@test-rhel7-vm ~]$ sudo yum remove rhui-azure-rhel7

  2. Install the new rhui-azure-rhel7 package

[root@test-rhel7-vm ~]$ sudo yum --config=https://rhelimage.blob.core.windows.net/repositories/rhui-microsoft-azure-rhel7.config install rhui-azure-rhel7

  3. Check the version of the newly installed rhui-azure-rhel7 package

[root@test-rhel7-vm ~]$ sudo rpm -qa | grep rhui

  4. Check the expiration date of the certificate in the newly installed rhui-azure-rhel7 package

[root@test-rhel7-vm ~]$ sudo openssl x509 -in /etc/pki/rhui/product/content.crt -startdate -enddate -noout
notBefore=Feb 14 06:54:16 2023 GMT
notAfter=Feb 13 06:54:16 2025 GMT

The newly installed rhui-azure-rhel7-2.2-441.noarch package contains a new certificate that expires on February 13 2025, 06:54:16 GMT.
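
To notice the next expiry before yum starts failing, the openssl query above can be turned into a scheduled check. The script below is an added example, not part of the ProComputers advisory or the rhui-azure-rhel7 package; the 30-day window, the function names, the --check flag and the exit codes are assumptions, and it relies on GNU date as shipped with RHEL 7.

```shell
#!/bin/sh
# Added example: warn before the RHUI certificate expires (needs GNU date).
CERT=/etc/pki/rhui/product/content.crt   # path from the advisory
WARN_DAYS=30                             # assumed warning window

# days_left "notAfter=<date>" <now_epoch>
# Prints whole days until expiry. Past expiry it rounds away from zero, so a
# certificate that expired one second ago reports -1, never 0. Returns 2 if
# the line is not an openssl -enddate line or the date cannot be parsed.
days_left() {
    case $1 in
        notAfter=*) ;;
        *) return 2 ;;
    esac
    end=$(date -u -d "${1#notAfter=}" +%s 2>/dev/null) || return 2
    diff=$(( $end - $2 ))
    if [ "$diff" -lt 0 ]; then
        echo $(( 0 - (86399 - $diff) / 86400 ))
    else
        echo $(( $diff / 86400 ))
    fi
}

# cert_status <days> <warn_days>
# Prints a label and returns 0 (OK), 1 (WARNING) or 2 (EXPIRED).
cert_status() {
    if [ "$1" -lt 0 ]; then echo EXPIRED; return 2; fi
    if [ "$1" -lt "$2" ]; then echo WARNING; return 1; fi
    echo OK
}

# check_cert [path]: run the advisory's openssl query and classify the result.
check_cert() {
    cert=${1:-$CERT}
    line=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null) ||
        { echo "UNKNOWN: cannot read $cert"; return 3; }
    days=$(days_left "$line" "$(date -u +%s)") ||
        { echo "UNKNOWN: cannot parse '$line'"; return 3; }
    rc=0
    label=$(cert_status "$days" "$WARN_DAYS") || rc=$?
    echo "$label: $cert expires in $days day(s)"
    return "$rc"
}

# Run the check only when invoked with --check (a flag of this example only).
if [ "${1:-}" = --check ]; then check_cert "${2:-$CERT}"; fi
```

Run from cron or a monitoring agent with --check, a non-zero exit status signals that the package should be updated before the certificate lapses.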

If you still face the same issue, please contact ProComputers Support as instructed in this article.