
RHEL 8 Crypto Policies


If curl gives you `curl: (60) SSL certificate problem: CA certificate key too weak` or `curl: (60) SSL certificate problem: EE certificate key too weak`, or yum/dnf fails with something like `Curl error (60): Peer certificate cannot be authenticated with given CA certificates [SSL certificate problem: CA certificate key too weak]`, it might be due to some overzealous tuning of the crypto policy on your OS.

tl;dr: try `sudo update-crypto-policies --set DEFAULT`

I was running into this error with cURL claiming that most sites were using weak CA certificate keys, so I went to check, and they were plain-jane 2048-bit keys, which is pretty industry-standard, if not extravagant. Nothing (as of this writing...) has shown that 2048-bit RSA keys are vulnerable to any known attack with our current level of compute power, so it's been a fine default. The extra paranoid, or folks provisioning CAs with 5+ year lifespans, might use larger keys, but for some reason cURL was not happy.

```
$ curl -LO https://letsencrypt.org/certs/lets-encrypt-e1.pem
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: CA certificate key too weak
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```

Some Googling led me to this article[1], which covers the overhaul of the security subsystem in RHEL 8 and happily explained that all of the crypto policies have been rolled into one system-wide setting. In summary, the system crypto policy can be one of LEGACY, DEFAULT, FUTURE, or FIPS. Running `update-crypto-policies --show` tells you which one your system is on.

```
$ update-crypto-policies --show
FUTURE
```

Mine was set to FUTURE, which requires RSA keys to be 3072 bits or larger before they are trusted. It had been set that way by putting the RHEL Security Policy to CIS level-2. This is not a reasonable requirement for the system I was using, as it needed access to EPEL and ZFS, and the sites hosting those repositories (reasonably) use 2048-bit RSA keys for their TLS certs. So, to put it back to the default, one merely needs to run:

```
$ sudo update-crypto-policies --set DEFAULT
```
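To see in advance whether a given certificate would trip this error, here is an added example (my own, not from the original post) that reads the RSA key size out of a PEM certificate with openssl and compares it against the minimum each RHEL 8 policy accepts; the policy name defaults to whatever `update-crypto-policies --show` reports, and falls back to DEFAULT on hosts without that tool (an assumption). The threshold table (LEGACY 1024, DEFAULT and FIPS 2048, FUTURE 3072) is the documented RHEL 8 minimum for RSA.

```shell
# Added example, not from the original post: relate the RHEL 8 crypto policy
# to the RSA key size of a PEM certificate and say whether it would be
# rejected with "certificate key too weak". Assumes openssl is on PATH.
# Thresholds are the documented RHEL 8 minimum RSA sizes.

# Minimum RSA modulus size (bits) accepted under policy $1.
min_rsa_bits() {
  case "$1" in
    LEGACY)       echo 1024 ;;
    DEFAULT|FIPS) echo 2048 ;;
    FUTURE)       echo 3072 ;;
    *) echo "unknown policy: $1" >&2; return 1 ;;
  esac
}

# Print the RSA modulus size (bits) of the PEM certificate at $1. Fails for
# non-RSA (e.g. ECDSA) certs, whose bit counts are not comparable with these thresholds.
cert_rsa_bits() {
  txt=$(openssl x509 -in "$1" -noout -text) || return 1
  case "$txt" in
    *"Public Key Algorithm: rsaEncryption"*) ;;
    *) echo "not an RSA certificate: $1" >&2; return 1 ;;
  esac
  # Matches "RSA Public-Key: (2048 bit)" (OpenSSL 1.1) and "Public-Key: (2048 bit)" (OpenSSL 3).
  printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Exit 0 if the certificate at $1 is accepted under policy $2, else 1.
cert_ok_for_policy() {
  bits=$(cert_rsa_bits "$1") || return 1
  min=$(min_rsa_bits "$2") || return 1
  [ "$bits" -ge "$min" ]
}

# Report on certificate $1 under policy $2, defaulting to the host's active
# policy (update-crypto-policies --show) or DEFAULT if that tool is absent.
report() {
  policy=${2:-$(update-crypto-policies --show 2>/dev/null || echo DEFAULT)}
  bits=$(cert_rsa_bits "$1") || return 1
  min=$(min_rsa_bits "$policy") || return 1
  if cert_ok_for_policy "$1" "$policy"; then
    echo "$1: ${bits}-bit RSA key accepted under $policy (minimum $min)"
  else
    echo "$1: ${bits}-bit RSA key rejected under $policy (minimum $min); expect 'key too weak'"
  fi
}
# Usage: sh check-cert-policy.sh cert.pem [LEGACY|DEFAULT|FUTURE|FIPS]
if [ "$#" -ge 1 ]; then report "$1" "$2"; fi
```

Run it against each certificate in a CA chain (the Let's Encrypt intermediate above, for instance) with FUTURE as the second argument to see which link would be refused before you flip the policy.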
Written by Topher, System Administrator