2386223 – DNF fails to update Slack repo due to now no longer existing CA file

Bug 2386223 - DNF fails to update Slack repo due to now no longer existing CA file

Summary: DNF fails to update Slack repo due to now no longer existing CA file

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	dnf5
Sub Component:
Version:	43
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	rpm-software-management
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2360110
TreeView+	depends on / blocked

Reported:	2025-08-03 22:21 UTC by Sebastian Keller
Modified:	2025-08-15 17:27 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2025-08-07 20:53:38 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Sebastian Keller 2025-08-03 22:21:08 UTC

The changes from https://fedoraproject.org/wiki/Changes/dropingOfCertPemFile seem to be indirectly affecting DNF and cause it to fail to update repositories that include something like "sslcacert=/etc/pki/tls/certs/ca-bundle.crt".

Slack, when installed from the RPM available on their website creates "/etc/yum.repos.d/slack.repo" which includes "sslcacert=/etc/pki/tls/certs/ca-bundle.crt". This file however does no longer exist on F43.

Reproducible: Always

Steps to Reproduce:
1. Download and install Slack RPM package from https://slack.com/downloads/linux
2. Run "sudo dnf update --refresh"
Actual Results:
DNF fails to update the "slack" repo with this error message:

Curl error (77): Problem with the SSL CA cert (path? access rights?) for https://packagecloud.io/slacktechnologies/slack/fedora/21/x86_64/repodata/repomd.xml [error setting certificate file: /etc/pki/tls/certs/ca-bundle.crt] - https://packagecloud.io/slacktechnologies/slack/fedora/21/x86_64/repodata/repomd.xml

Expected Results:
Updating the repo

Additional Information:
After commenting out the line "sslcacert" line from the "slack.repo" updating the repo works again.

Unfortunately this error means that even if Slack change their package to no longer include that path, users would not receive that update.

Maybe a DNF (or curl?) need to ignore certain cert paths?

Comment 1 Evan Goode 2025-08-07 20:53:38 UTC

I don't think there is anything DNF should do here, unfortunately. Slack needs to update their repo file and not hardcode the path to this CA bundle. The `sslcacert` option should not have been set in the first place, IMO.

I filed a similar bug report on Grafana [1] since their repo file also has this error, and I commented on the discussion thread for Changes/dropingOfCertPemFile [2]

Looking at Slack specifically, I did not see a repo file in the latest Slack RPM package: `rpm -qlp ./slack-4.45.64-0.1.el8.x86_64.rpm | grep repo` yields no matches. And after installing the RPM, there is no `/etc/yum.repos.d/slack.repo`. Are you sure the repo file is provided by the RPM?

[1] https://github.com/grafana/grafana/issues/109365
[2] https://discussion.fedoraproject.org/t/f42-change-proposal-dropping-of-cert-pem-file-system-wide/135119/35

Comment 2 Sebastian Keller 2025-08-07 22:23:36 UTC

The repo file is generated by "/etc/cron.daily/slack" which is part of the rpm package. I think this way of adding repos is commonly found in chrome/electron based applications that ship their own rpm packages.

Comment 3 Evan Goode 2025-08-15 17:27:19 UTC

Ah, I see, thanks. I sent a bug report via https://redhat-internal.slack.com/help/requests/new.

Note You need to log in before you can comment on or make changes to this bug.