## Problem Description
I'm experiencing repository access issues when trying to install/update Zabbix on RHEL9 and derivates systems that have the crypto-policies set to `FUTURE`. The error occurs when dnf/yum tries to access the official Zabbix repository:
```
Updating Subscription Management repositories.
Zabbix Official Repository - x86_64 0.0 B/s | 0 B 00:01
Errors during downloading metadata for repository 'zabbix':
- Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://repo.zabbix.com/zabbix/6.0/r...ata/repomd.xml [SSL certificate problem: EE certificate key too weak]
Error: Failed to download metadata for repo 'zabbix': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
```
## Root Cause
After investigating the SSL certificates, I found that:
- **repo.zabbix.com** uses an RSA 2048-bit certificate
- The FUTURE crypto policy requires RSA keys of 3072 bits or higher
- Other repositories work fine because they use RSA 4096-bit certificates
**Could the Zabbix team please upgrade the SSL certificate for repo.zabbix.com to use RSA 3072-bit (or higher) keys?**
This would resolve the compatibility issue with: RHEL and Rocky systems using FUTURE crypto policy
## Environment Details
- **OS:** Red Hat Enterprise Linux 9
- **Crypto Policy:** FUTURE (`update-crypto-policies --set FUTURE`)
- **Repository:** https://repo.zabbix.com/zabbix/6.0/rhel/8/x86_64/
- **Issue:** RSA 2048-bit certificate rejected by FUTURE policy (requires 3072+ bits)
Thanks for considering this enhancement!
I'm experiencing repository access issues when trying to install/update Zabbix on RHEL9 and derivates systems that have the crypto-policies set to `FUTURE`. The error occurs when dnf/yum tries to access the official Zabbix repository:
```
Updating Subscription Management repositories.
Zabbix Official Repository - x86_64 0.0 B/s | 0 B 00:01
Errors during downloading metadata for repository 'zabbix':
- Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://repo.zabbix.com/zabbix/6.0/r...ata/repomd.xml [SSL certificate problem: EE certificate key too weak]
Error: Failed to download metadata for repo 'zabbix': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
```
## Root Cause
After investigating the SSL certificates, I found that:
- **repo.zabbix.com** uses an RSA 2048-bit certificate
- The FUTURE crypto policy requires RSA keys of 3072 bits or higher
- Other repositories work fine because they use RSA 4096-bit certificates
**Could the Zabbix team please upgrade the SSL certificate for repo.zabbix.com to use RSA 3072-bit (or higher) keys?**
This would resolve the compatibility issue with: RHEL and Rocky systems using FUTURE crypto policy
## Environment Details
- **OS:** Red Hat Enterprise Linux 9
- **Crypto Policy:** FUTURE (`update-crypto-policies --set FUTURE`)
- **Repository:** https://repo.zabbix.com/zabbix/6.0/rhel/8/x86_64/
- **Issue:** RSA 2048-bit certificate rejected by FUTURE policy (requires 3072+ bits)
Thanks for considering this enhancement!
Comment