[Bug]: Certificate error when running "curl https://mirrors.almalinux.org" in AlmaLinux 10 container with --arch=x86_64 on apple silicon

[mbalmer]

I have done the following

• I have searched the existing issues
• If possible, I've reproduced the issue using the 'main' branch of this project

Steps to reproduce

On a apple silicon mac, run a AlmaLinux 10 container with --arch=x86_64:

$ container run -it --rm --arch=x86_64 almalinux:10 /bin/bash

In the container, verify its x86_64:

[root@1335f26e-d125-48b1-a60b-43b839f4971d /]# uname -m
x86_64

Now run curl:

[root@1335f26e-d125-48b1-a60b-43b839f4971d /]# curl -v https://mirrors.almalinux.org
* Host mirrors.almalinux.org:443 was resolved.
* IPv6: 2600:1f10:4a78:1403:1592:cd7e:6f03:160e, 2600:1f10:4a78:1400:b870:64db:2f13:c01, 2600:1f10:4a78:1402:cdb:253:2545:a59d, 2600:1f10:4a78:1405:4376:ef8a:a707:eb05, 2600:1f10:4a78:1401:545f:bb16:701e:f84b, 2600:1f10:4a78:1404:18f0:640a:8697:5911
* IPv4: 34.232.243.153, 100.26.171.159, 44.194.43.115, 52.70.149.118, 3.213.188.98, 100.51.47.231
*   Trying [2600:1f10:4a78:1403:1592:cd7e:6f03:160e]:443...
* Immediate connect fail for 2600:1f10:4a78:1403:1592:cd7e:6f03:160e: Network is unreachable
*   Trying [2600:1f10:4a78:1400:b870:64db:2f13:c01]:443...
* Immediate connect fail for 2600:1f10:4a78:1400:b870:64db:2f13:c01: Network is unreachable
*   Trying [2600:1f10:4a78:1402:cdb:253:2545:a59d]:443...
* Immediate connect fail for 2600:1f10:4a78:1402:cdb:253:2545:a59d: Network is unreachable
*   Trying [2600:1f10:4a78:1405:4376:ef8a:a707:eb05]:443...
* Immediate connect fail for 2600:1f10:4a78:1405:4376:ef8a:a707:eb05: Network is unreachable
*   Trying [2600:1f10:4a78:1401:545f:bb16:701e:f84b]:443...
* Immediate connect fail for 2600:1f10:4a78:1401:545f:bb16:701e:f84b: Network is unreachable
*   Trying [2600:1f10:4a78:1404:18f0:640a:8697:5911]:443...
* Immediate connect fail for 2600:1f10:4a78:1404:18f0:640a:8697:5911: Network is unreachable
*   Trying 34.232.243.153:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, decrypt error (563):
* TLS connect error: error:030000EA:digital envelope routines::provider signature failure
* closing connection #0
curl: (35) TLS connect error: error:030000EA:digital envelope routines::provider signature failure
[root@1335f26e-d125-48b1-a60b-43b839f4971d /]# 

This means you can not install additonal packages or update them using dnf, as the first thing dnf does, is to download the mirrorlist.

Current behavior

curl connection to https://mirrors.almalinux.org fails, , in consequence dnf upgrade -y --refresh fails

Expected behavior

The curl connection succeds and the mirrorlist can be downloaded, dnf upgrade -y --refresh works

Environment

- OS: macOS 26.2
- Xcode: Latest, but not involved in this case
- Container: CLI version 0.9.0

Relevant log output

[root@1335f26e-d125-48b1-a60b-43b839f4971d /]# curl -v https://mirrors.almalinux.org
* Host mirrors.almalinux.org:443 was resolved.
* IPv6: 2600:1f10:4a78:1403:1592:cd7e:6f03:160e, 2600:1f10:4a78:1400:b870:64db:2f13:c01, 2600:1f10:4a78:1402:cdb:253:2545:a59d, 2600:1f10:4a78:1405:4376:ef8a:a707:eb05, 2600:1f10:4a78:1401:545f:bb16:701e:f84b, 2600:1f10:4a78:1404:18f0:640a:8697:5911
* IPv4: 34.232.243.153, 100.26.171.159, 44.194.43.115, 52.70.149.118, 3.213.188.98, 100.51.47.231
*   Trying [2600:1f10:4a78:1403:1592:cd7e:6f03:160e]:443...
* Immediate connect fail for 2600:1f10:4a78:1403:1592:cd7e:6f03:160e: Network is unreachable
*   Trying [2600:1f10:4a78:1400:b870:64db:2f13:c01]:443...
* Immediate connect fail for 2600:1f10:4a78:1400:b870:64db:2f13:c01: Network is unreachable
*   Trying [2600:1f10:4a78:1402:cdb:253:2545:a59d]:443...
* Immediate connect fail for 2600:1f10:4a78:1402:cdb:253:2545:a59d: Network is unreachable
*   Trying [2600:1f10:4a78:1405:4376:ef8a:a707:eb05]:443...
* Immediate connect fail for 2600:1f10:4a78:1405:4376:ef8a:a707:eb05: Network is unreachable
*   Trying [2600:1f10:4a78:1401:545f:bb16:701e:f84b]:443...
* Immediate connect fail for 2600:1f10:4a78:1401:545f:bb16:701e:f84b: Network is unreachable
*   Trying [2600:1f10:4a78:1404:18f0:640a:8697:5911]:443...
* Immediate connect fail for 2600:1f10:4a78:1404:18f0:640a:8697:5911: Network is unreachable
*   Trying 34.232.243.153:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, decrypt error (563):
* TLS connect error: error:030000EA:digital envelope routines::provider signature failure
* closing connection #0
curl: (35) TLS connect error: error:030000EA:digital envelope routines::provider signature failure

Code of Conduct

• I agree to follow this project's Code of Conduct

[Ronitsabhaya75]

@mbalmer This is a Rosetta 2 compatibility issue with OpenSSL 3.x's cryptographic providers.

Currently what is happening here:

• TLS handshake succeeds until certificate signature verification
• then OpenSSL's crypto provider fails: error:030000EA:digital envelope routines::provider signature failure
• x86_64 crypto operations (AES-NI, AVX assembly) don't work correctly under Rosetta 2 emulation
• Impact: Breaks all HTTPS connections → dnf can't download packages

Root cause: AlmaLinux 10 uses OpenSSL 3.x with CPU-optimized crypto routines that are incompatible with cross-architecture emulation on Apple Silicon.

lemme know if this make sense to you.

[mbalmer]

@mbalmer <https://github.com/mbalmer> This is a Rosetta 2 compatibility issue with OpenSSL 3.x's cryptographic providers. Currently what is happening here: TLS handshake succeeds until certificate signature verification then OpenSSL's crypto provider fails: error:030000EA:digital envelope routines::provider signature failure x86_64 crypto operations (AES-NI, AVX assembly) don't work correctly under Rosetta 2 emulation Impact: Breaks all HTTPS connections → dnf can't download packages Root cause: AlmaLinux 10 uses OpenSSL 3.x with CPU-optimized crypto routines that are incompatible with cross-architecture emulation on Apple Silicon. lemme know if this make sense to you.

Yes, this make sense. As I use containers to build Linux distribution packages, I will now switch to an Intel machine for Intel packages and use docker or podman to build the package builder containers. FWIW, not all https connections are non-functional, some work, some don’t. I guess it has something to do with the signature algorithm being used.

[Ronitsabhaya75]

@mbalmer I've opened a PR that injects OPENSSL_ia32cap=~0x200000200000000 when Rosetta is detected. This disables the problematic CPU-optimized crypto routines, allowing all HTTPS connections to work in x86_64 containers on Apple Silicon.

This should eliminate the need to switch to Intel machines for building packages.

[mbalmer]

Am 12.02.2026 um 15:09 schrieb Ronit Sabhaya ***@***.***>:Ronitsabhaya75 left a comment (apple/container#1194) @mbalmer I've opened a PR that injects OPENSSL_ia32cap=~0x200000200000000 when Rosetta is detected. This disables the problematic CPU-optimized crypto routines, allowing all HTTPS connections to work in x86_64 containers on Apple Silicon. This should eliminate the need to switch to Intel machines for building packages.That is nice, than you. But will Rosetta2 not be deprecated and removed eventually? Or ist here to stay? —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: ***@***.***>