SSL peer certificate or SSH remote key was not OK (2026-05)

[xkszltl]

We are getting random SSL error today in our CI docker build with azurelinux 3.0 as base docker.
The command failed with a simple tdnf makecache -y.
See log for the tag/sha of docker.

##[error]#4 [**** 1/4] FROM mcr.microsoft.com/azurelinux/base/python:3.12.9-1-azl3.0.20250311@sha256:9570d45deea929dd61c39b9b651448472074ccbe74c3cf593d8f4354dface8f6
##[error]#4 extracting sha256:49ca207ddf19850a4d972f303a72bb1ff815dbe6eaed250cf98384746ea3fd15
##[error]#4 extracting sha256:49ca207ddf19850a4d972f303a72bb1ff815dbe6eaed250cf98384746ea3fd15 0.7s done
##[error]#4 DONE 1.7s
##[error]
##[error]#4 [**** 1/4] FROM mcr.microsoft.com/azurelinux/base/python:3.12.9-1-azl3.0.20250311@sha256:9570d45deea929dd61c39b9b651448472074ccbe74c3cf593d8f4354dface8f6
##[error]#4 extracting sha256:427a5e77b952225bc575cc569ceae49622427a1734d2764317311bba675b0fc2 0.0s done
##[error]#4 DONE 1.8s
##[error]
##[error]#6 [**** 2/4] RUN set -ex;     tdnf makecache -y;     tdnf install -y sudo;     sudo tdnf clean -y all;     truncate -s0 ~/.bash_history;
##[error]#6 0.296 + tdnf makecache -y
##[error]#6 0.305 Loaded plugin: tdnfrepogpgcheck
##[error]#6 0.323 Refreshing metadata for: 'Azure Linux Official Microsoft Open-Source 3.0 x86_64'
##[error]#6 0.494 retrying 1/10
##[error]#6 0.519 retrying 2/10
##[error]#6 0.557 retrying 3/10
##[error]#6 0.582 retrying 4/10
##[error]#6 0.609 retrying 5/10
##[error]#6 0.634 retrying 6/10
##[error]#6 0.662 retrying 7/10
##[error]#6 1.016 retrying 8/10
##[error]#6 1.042 retrying 9/10
##[error]#6 1.073 retrying 10/10
##[error]#6 1.102 Error(1261) : SSL peer certificate or SSH remote key was not OK
##[error]#6 1.102 Error: Failed to synchronize cache for repo 'Azure Linux Official Microsoft Open-Source 3.0 x86_64'
##[error]#6 1.102 Disabling Repo: 'Azure Linux Official Microsoft Open-Source 3.0 x86_64'
##[error]#6 1.102 Refreshing metadata for: 'Azure Linux Official Microsoft Non-Open-Source 3.0 x86_64'
##[error]#6 1.131 retrying 1/10
##[error]#6 1.159 retrying 2/10
##[error]#6 1.190 retrying 3/10
##[error]#6 1.215 retrying 4/10
##[error]#6 1.253 retrying 5/10
##[error]#6 1.282 retrying 6/10
##[error]#6 1.310 retrying 7/10
##[error]#6 1.334 retrying 8/10
##[error]#6 1.366 retrying 9/10
##[error]#6 1.401 retrying 10/10
##[error]#6 1.437 Error(1261) : SSL peer certificate or SSH remote key was not OK
##[error]#6 1.437 Error: Failed to synchronize cache for repo 'Azure Linux Official Microsoft Non-Open-Source 3.0 x86_64'
##[error]#6 1.437 Disabling Repo: 'Azure Linux Official Microsoft Non-Open-Source 3.0 x86_64'
##[error]#6 1.437 Refreshing metadata for: 'Azure Linux Official Base 3.0 x86_64'
##[error]#6 1.466 retrying 1/10
##[error]#6 1.497 retrying 2/10
##[error]#6 1.524 retrying 3/10
##[error]#6 1.554 retrying 4/10
##[error]#6 1.801 retrying 5/10
##[error]#6 2.171 retrying 6/10
##[error]#6 2.198 retrying 7/10
##[error]#6 2.235 retrying 8/10
##[error]#6 2.263 retrying 9/10
##[error]#6 2.294 retrying 10/10
##[error]#6 2.319 Error(1261) : SSL peer certificate or SSH remote key was not OK
##[error]#6 2.319 Error: Failed to synchronize cache for repo 'Azure Linux Official Base 3.0 x86_64'
##[error]#6 2.319 Disabling Repo: 'Azure Linux Official Base 3.0 x86_64'
##[error]#6 2.319 Metadata cache created.
##[error]#6 2.321 + tdnf install -y sudo
##[error]#6 2.329 Loaded plugin: tdnfrepogpgcheck
##[error]#6 2.343 Refreshing metadata for: 'Azure Linux Official Microsoft Open-Source 3.0 x86_64'
##[error]#6 2.377 retrying 1/10
##[error]#6 2.394 retrying 2/10
##[error]#6 2.411 retrying 3/10
##[error]#6 2.426 retrying 4/10
##[error]#6 2.452 retrying 5/10
##[error]#6 2.464 retrying 6/10
##[error]#6 2.588 retrying 7/10
##[error]#6 2.605 retrying 8/10
##[error]#6 2.621 retrying 9/10
##[error]#6 2.635 retrying 10/10
##[error]#6 2.647 Error(1261) : SSL peer certificate or SSH remote key was not OK
##[error]#6 2.647 Error: Failed to synchronize cache for repo 'Azure Linux Official Microsoft Open-Source 3.0 x86_64'
##[error]#6 2.647 Disabling Repo: 'Azure Linux Official Microsoft Open-Source 3.0 x86_64'
##[error]#6 2.647 Refreshing metadata for: 'Azure Linux Official Microsoft Non-Open-Source 3.0 x86_64'
##[error]#6 2.662 retrying 1/10
##[error]#6 2.673 retrying 2/10
##[error]#6 2.727 retrying 3/10
##[error]#6 2.739 retrying 4/10
##[error]#6 2.752 retrying 5/10
##[error]#6 2.764 retrying 6/10
##[error]#6 2.777 retrying 7/10
##[error]#6 2.788 retrying 8/10
##[error]#6 2.803 retrying 9/10
##[error]#6 2.815 retrying 10/10
##[error]#6 2.827 Error(1261) : SSL peer certificate or SSH remote key was not OK
##[error]#6 2.828 Error: Failed to synchronize cache for repo 'Azure Linux Official Microsoft Non-Open-Source 3.0 x86_64'
##[error]#6 2.828 Disabling Repo: 'Azure Linux Official Microsoft Non-Open-Source 3.0 x86_64'
##[error]#6 2.828 Refreshing metadata for: 'Azure Linux Official Base 3.0 x86_64'
##[error]#6 2.846 retrying 1/10
##[error]#6 2.859 retrying 2/10
##[error]#6 2.871 retrying 3/10
##[error]#6 2.883 retrying 4/10
##[error]#6 2.894 retrying 5/10
##[error]#6 2.910 retrying 6/10
##[error]#6 2.926 retrying 7/10
##[error]#6 2.945 retrying 8/10
##[error]#6 2.964 retrying 9/10
##[error]#6 2.982 retrying 10/10
##[error]#6 2.992 Error(1261) : SSL peer certificate or SSH remote key was not OK
##[error]#6 2.993 Error: Failed to synchronize cache for repo 'Azure Linux Official Base 3.0 x86_64'
##[error]#6 2.993 Disabling Repo: 'Azure Linux Official Base 3.0 x86_64'
##[error]#6 2.993 sudo package not found or not installed
##[error]#6 2.993 Error(1011) : No matching packages
##[error]#6 ERROR: process "/bin/sh -c set -ex;     tdnf makecache -y;     tdnf install -y sudo;     sudo tdnf clean -y all;     truncate -s0 ~/.bash_history;" did not complete successfully: exit code: 243

[xkszltl]

Besides, the error does not trigger a non-zero exit code for tdnf makecache and the failed to stop the execution.

[jperrin]

This appears to be an issue related to packages.microsoft.com availability, not an azure linux issue. Are you still seeing this behavior?

[xkszltl]

It is not a website issue (although we do get a 429 in our CI as well).We found the latest timestamped docker works, so it may be an expired CA cert in the earlier version?

[eric-desrochers]

• Can you provide the output of rpm -qa | grep -Ei "ssh|cert"
• Also you seems to be pinned to an older version from Mar-2025 (20250311@sha256:9570d45deea929dd61c39b9b651448472074ccbe74c3cf593d8f4354dface8f6) Any particular reason ? [0]
• Do you observe the same behaviour with our most recent image docker pull mcr.microsoft.com/azurelinux/base/python:3 ?

[xkszltl]

# docker run --rm -it mcr.microsoft.com/azurelinux/base/python:3.12.9-1-azl3.0.20250311 rpm -qa | grep -i -e{cert,ssh}
libssh2-1.11.0-1.azl3.x86_64
ca-certificates-tools-3.0.0-8.azl3.noarch
ca-certificates-shared-3.0.0-8.azl3.noarch
ca-certificates-base-3.0.0-8.azl3.noarch

# docker run --rm -it mcr.microsoft.com/azurelinux/base/python:3.12 rpm -qa | grep -i -e{cert,ssh} 
libssh2-1.11.1-1.azl3.x86_64
ca-certificates-tools-3.0.0-14.azl3.noarch
ca-certificates-shared-3.0.0-14.azl3.noarch
ca-certificates-base-3.0.0-14.azl3.noarch

So there're CA cert update.

Also you seems to be pinned to an older version from Mar-2025 ...

Yes.
Team is asking for the pinning to avoid surprises.
Any suggestion/guidance on version-pinning?

Do you observe the same behaviour with our most recent image

No.
It is an expired cert blocking the update to even fetch new cert chain.