Leapp upgrade fails with error message "sslv3 alert handshake failure" while fetching CDN repos.

Solution Verified - Updated 8 Aug 2024

Environment

Red Hat Enterprise Linux
Red Hat Subscription Manager(RHSM)

Issue

Leapp Upgrade is getting failed with below error messages:

 ============================================================
                       REPORT OVERVIEW                       
 ============================================================
 
 Following errors occurred and the upgrade cannot continue:
     1. Actor: dnf_package_download
        Message: DNF execution failed with non zero exit code.
 
 HIGH and MEDIUM severity reports:
     1. Packages available in excluded repositories will not be installed
     2. GRUB2 core will be automatically updated during the upgrade
     3. System-wide crypto policy is set to non-DEFAULT policy
 
 ============================================================
                    END OF REPORT OVERVIEW                   
 ============================================================
 
   	     [MIRROR] memstrack-0.2.4-1.el9.x86_64.rpm: Curl error (35): SSL connect error for https://cdn.redhat.com/content/dist/rhel9/9.4/x86_64/appstream/os/Packages/m/memstrack-0.2.4-1.el9.x86_64.rpm [error:0A000410:SSL routines::sslv3 alert handshake failure]
             [MIRROR] scap-security-guide-0.1.72-1.el9_3.noarch.rpm: Curl error (35): SSL connect error for https://cdn.redhat.com/content/dist/rhel9/9.4/x86_64/appstream/os/Packages/s/scap-security-guide-0.1.72-1.el9_3.noarch.rpm [error:0A000410:SSL routines::sslv3 alert handshake failure]
             [MIRROR] python3-unbound-1.16.2-3.el9_3.5.x86_64.rpm: Curl error (35): SSL connect error for https://cdn.redhat.com/content/dist/rhel9/9.4/x86_64/appstream/os/Packages/p/python3-unbound-1.16.2-3.el9_3.5.x86_64.rpm [error:0A000410:SSL routines::sslv3 alert handshake failure]
             [MIRROR] memstrack-0.2.4-1.el9.x86_64.rpm: Curl error (35): SSL connect error for https://cdn.redhat.com/content/dist/rhel9/9.4/x86_64/appstream/os/Packages/m/memstrack-0.2.4-1.el9.x86_64.rpm [error:0A000410:SSL routines::sslv3 alert handshake failure]

Resolution

Set the crypto policy as DEFAULT on the system:-
```
 # update-crypto-policies --set DEFAULT
```
Reboot the system to make the crypto-policy settings effective for all running services and applications. Confirm after the reboot that the crypto-policy is effective. This should show DEFAULT.
```
 # update-crypto-policies --show
 DEFAULT
```
Perform the leapp upgrade.

Root Cause

The system-wide crypto policy was set to non-DEFAULT policy. Customizing system-wide cryptographic policies was configured on the system which was causing issues in connecting the Red Hat CDN repo.

Diagnostic Steps

Check the system-wide cryptographic policies:-
```
 # update-crypto-policies --show
 NOCBC
```

SBR

Product(s)

Red Hat Enterprise Linux for x86_64

Components

leapp

Category

Troubleshoot

Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.