Bug 2386223

Summary: DNF fails to update Slack repo due to now no longer existing CA file
Product: [Fedora] Fedora Reporter: Sebastian Keller <sebastian-keller>
Component: dnf5Assignee: rpm-software-management
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: unspecified    
Version: 43CC: egoode, jonathan, pkratoch, ppisar, rpm-software-management
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2025-08-07 20:53:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2360110    

Description Sebastian Keller 2025-08-03 22:21:08 UTC
The changes from https://fedoraproject.org/wiki/Changes/dropingOfCertPemFile seem to be indirectly affecting DNF and cause it to fail to update repositories that include something like "sslcacert=/etc/pki/tls/certs/ca-bundle.crt".

Slack, when installed from the RPM available on their website creates "/etc/yum.repos.d/slack.repo" which includes "sslcacert=/etc/pki/tls/certs/ca-bundle.crt". This file however does no longer exist on F43.

Reproducible: Always

Steps to Reproduce:
1. Download and install Slack RPM package from https://slack.com/downloads/linux
2. Run "sudo dnf update --refresh"
Actual Results:
DNF fails to update the "slack" repo with this error message:

Curl error (77): Problem with the SSL CA cert (path? access rights?) for https://packagecloud.io/slacktechnologies/slack/fedora/21/x86_64/repodata/repomd.xml [error setting certificate file: /etc/pki/tls/certs/ca-bundle.crt] - https://packagecloud.io/slacktechnologies/slack/fedora/21/x86_64/repodata/repomd.xml

Expected Results:
Updating the repo

Additional Information:
After commenting out the line "sslcacert" line from the "slack.repo" updating the repo works again.

Unfortunately this error means that even if Slack change their package to no longer include that path, users would not receive that update.

Maybe a DNF (or curl?) need to ignore certain cert paths?

Comment 1 Evan Goode 2025-08-07 20:53:38 UTC
I don't think there is anything DNF should do here, unfortunately. Slack needs to update their repo file and not hardcode the path to this CA bundle. The `sslcacert` option should not have been set in the first place, IMO.

I filed a similar bug report on Grafana [1] since their repo file also has this error, and I commented on the discussion thread for Changes/dropingOfCertPemFile [2]

Looking at Slack specifically, I did not see a repo file in the latest Slack RPM package: `rpm -qlp ./slack-4.45.64-0.1.el8.x86_64.rpm | grep repo` yields no matches. And after installing the RPM, there is no `/etc/yum.repos.d/slack.repo`. Are you sure the repo file is provided by the RPM?

[1] https://github.com/grafana/grafana/issues/109365
[2] https://discussion.fedoraproject.org/t/f42-change-proposal-dropping-of-cert-pem-file-system-wide/135119/35

Comment 2 Sebastian Keller 2025-08-07 22:23:36 UTC
The repo file is generated by "/etc/cron.daily/slack" which is part of the rpm package. I think this way of adding repos is commonly found in chrome/electron based applications that ship their own rpm packages.

Comment 3 Evan Goode 2025-08-15 17:27:19 UTC
Ah, I see, thanks. I sent a bug report via https://redhat-internal.slack.com/help/requests/new.