Wbm-server-manager: Policy rejects E8DD3FA0A0BDBCF9: Policy rejected asymmetric algorithm

SYSTEM INFORMATION
OS type and version: RL10
Webmin version: REQUIRED
Virtualmin version: REQUIRED
Webserver version: REQUIRED
Related packages: SUGGESTED
Downloading Packages:
(1/4): wbm-jailkit-1.1-1.noarch.rpm                                    64 kB/s |  31 kB     00:00
(2/4): wbm-server-manager-9.8.kvm-1.noarch.rpm                        7.1 MB/s | 4.6 MB     00:00
(3/4): wbm-php-pear-1.6-1.noarch.rpm                                   93 kB/s |  62 kB     00:00
(4/4): wbm-ruby-gems-1.9-1.noarch.rpm                                 280 kB/s |  68 kB     00:00
------------------------------------------------------------------------------------------------------
Total                                                                 6.5 MB/s | 4.8 MB     00:00
Cloudmin Distribution Neutral                                         1.6 MB/s | 1.7 kB     00:00
Importing GPG key 0xA0BDBCF9:
 Userid     : ""
 Fingerprint: 31D2 B188 72EA F68E FB81 F81D E8DD 3FA0 A0BD BCF9
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin
error: Certificate E8DD3FA0A0BDBCF9:
  Policy rejects E8DD3FA0A0BDBCF9: Policy rejected asymmetric algorithm
Key import failed (code 2). Failing package is: wbm-server-manager-9.8.kvm-1.noarch
 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
rl@ns1:~$

AI answer/solution (for Virtualmin Staff)

The error message "Policy rejects E8DD3FA0A0BDBCF9: Policy rejected asymmetric algorithm" indicates that a cryptographic operation has been blocked due to the use of an insecure or deprecated asymmetric algorithm, such as RSA with a key size considered too small (e.g., RSA1024) or an outdated signature scheme like SHA-1. This is consistent with modern security policies that reject weak algorithms to prevent vulnerabilities.

In systems like Fedora 38 and later, the RPM database enforces strict cryptographic policies, rejecting packages signed with older algorithms such as DSA/SHA1 or RSA/SHA1. Similarly, OpenSSH 8.8 and newer versions disable RSA signatures using the SHA-1 hash by default, leading to issues with legacy SSH keys. The same principle applies to package managers like APT and DNF, which now reject signatures from keys using insecure algorithms like RSA1024, which has been considered insecure since February 1, 2014.

To resolve this, users should ensure that all keys and packages are signed with modern, secure algorithms such as RSA with SHA-256 or SHA-512, or preferably ECDSA or EdDSA (e.g., ED25519). For example, in the case of Launchpad PPAs, the keys were re-signed with stronger 4096-bit RSA keys, requiring users to remove and re-add the PPA to refresh the key. Similarly, VirtualBox updated its signing key to oracle_vbox_2016.asc to support SHA-256 signatures, resolving import issues on Fedora 38.

If the key in question (E8DD3FA0A0BDBCF9) is outdated or uses a weak algorithm, it must be replaced with a newer, secure key. Users should contact the package maintainer or repository administrator to obtain the updated signing key and update their system's keyring accordingly.

Update 01 :-: Additionally, cloudmin installation fails

rl@ns1:~$ sudo ./cloudmin-kvm-redhat-install.sh
*******************************************************************************
*         Welcome to the Cloudmin GPL for KVM installer, version 1.1         *
*******************************************************************************
.
.
.

Error: Unable to find a match: kvm kvm-qemu-img kvm-tools

I agree, that is a solution, and have used it in the past. I am a little scared to apply this systemwide as SHA1 uses a weaker algorithm.

Current policy

rl@ns1:~$ update-crypto-policies --show
LEGACY
rl@ns1:~$

is already set to legacy, but

2.3 

The default system-wide cryptographic policy in Red Hat Enterprise Linux 10 does not allow communication using older, insecure protocols

@Jamie, have a look at this please.

rl@ns1:~$ sudo dnf -y update --allowerasing --skip-broken
Last metadata expiration check: 0:28:30 ago on Tue 13 Jan 2026 08:03:35 AM CST.
Dependencies resolved.
=====================================================================================================================
 Package                                   Architecture Version                       Repository                Size
=====================================================================================================================
Upgrading:
 brave-browser                             x86_64       1.85.120-1                    brave-browser            123 M
 cockpit                                   x86_64       344-1.el10.rocky.0.1          baseos                    41 k
 cockpit-bridge                            noarch       344-1.el10.rocky.0.1          baseos                   696 k
 cockpit-packagekit                        noarch       344-1.el10.rocky.0.1          appstream                920 k
 cockpit-storaged                          noarch       344-1.el10.rocky.0.1          appstream                859 k
 cockpit-system                            noarch       344-1.el10.rocky.0.1          baseos                   5.3 M
 cockpit-ws                                x86_64       344-1.el10.rocky.0.1          baseos                   1.1 M
 cockpit-ws-selinux                        x86_64       344-1.el10.rocky.0.1          baseos                    44 k
 libpng                                    x86_64       2:1.6.40-8.el10_1.1           baseos                   119 k
 libpq                                     x86_64       16.11-3.el10_1                baseos                   257 k
 mariadb                                   x86_64       3:10.11.15-1.el10_1           appstream                1.6 M
 mariadb-backup                            x86_64       3:10.11.15-1.el10_1           appstream                6.5 M
 mariadb-client-utils                      x86_64       3:10.11.15-1.el10_1           appstream                 39 k
 mariadb-common                            noarch       3:10.11.15-1.el10_1           appstream                 35 k
 mariadb-errmsg                            noarch       3:10.11.15-1.el10_1           appstream                262 k
 mariadb-gssapi-server                     x86_64       3:10.11.15-1.el10_1           appstream                 17 k
 mariadb-server                            x86_64       3:10.11.15-1.el10_1           appstream                 10 M
 mariadb-server-utils                      x86_64       3:10.11.15-1.el10_1           appstream                261 k
 open-vm-tools                             x86_64       13.0.0-1.el10_1.2             appstream                853 k
 open-vm-tools-desktop                     x86_64       13.0.0-1.el10_1.2             appstream                1.9 M
 osbuild-composer                          x86_64       149-1.el10.rocky.0.8          appstream                 25 k
 osbuild-composer-core                     x86_64       149-1.el10.rocky.0.8          appstream                 14 M
 osbuild-composer-worker                   x86_64       149-1.el10.rocky.0.8          appstream                 23 M
 perl-XS-Parse-Sublike                     x86_64       0.41-1.el10_1                 epel                      63 k
 perl-XS-Parse-Sublike-Builder             x86_64       0.41-1.el10_1                 epel                      16 k
 perl-XS-Parse-Sublike-tests               x86_64       0.41-1.el10_1                 epel                      48 k
 poppler                                   x86_64       24.02.0-7.el10_1              appstream                1.2 M
 poppler-glib                              x86_64       24.02.0-7.el10_1              appstream                191 k
 python-unversioned-command                noarch       3.12.12-2.el10_1              appstream                 11 k
 python3                                   x86_64       3.12.12-2.el10_1              baseos                    28 k
 python3-libs                              x86_64       3.12.12-2.el10_1              baseos                   9.4 M
 rocky-gpg-keys                            noarch       10.1-1.4.el10                 baseos                    12 k
 rocky-release                             noarch       10.1-1.4.el10                 baseos                    31 k
 rocky-repos                               noarch       10.1-1.4.el10                 baseos                    13 k
 sos                                       noarch       4.10.1-2.el10                 baseos                   1.4 M
 webmin                                    noarch       2.620-1                       cloudmin-universal        32 M
Removing dependent packages:
 wbm-virtualmin-awstats                    noarch       2:6.1-1                       @virtualmin-noarch       409 k
 wbm-virtualmin-dav                        noarch       2:3.13-1                      @virtualmin-noarch       287 k
 wbm-virtualmin-disable                    noarch       1.7-1                         @virtualmin-noarch        70 k
 wbm-virtualmin-git                        noarch       1.15-1                        @virtualmin-noarch       579 k
 wbm-virtualmin-google-analytics           noarch       2.12-1                        @virtualmin-noarch       415 k
 wbm-virtualmin-htpasswd                   noarch       2:3.5-1                       @virtualmin-noarch       328 k
 wbm-virtualmin-iframe                     noarch       1.5-1                         @virtualmin-noarch        37 k
 wbm-virtualmin-init                       noarch       2:2.10-1                      @virtualmin-noarch       341 k
 wbm-virtualmin-mailman                    noarch       2:6.11-1                      @virtualmin-noarch       569 k
 wbm-virtualmin-mailrelay                  noarch       2:2.5-1                       @virtualmin-noarch       281 k
 wbm-virtualmin-messageoftheday            noarch       1.4-1                         @virtualmin-noarch       2.0 k
 wbm-virtualmin-multi-login                noarch       1.7-1                         @virtualmin-noarch        70 k
 wbm-virtualmin-nginx                      noarch       2.36-1                        @virtualmin-noarch       1.4 M
 wbm-virtualmin-nginx-ssl                  noarch       1.20-1                        @virtualmin-noarch       113 k
 wbm-virtualmin-notes                      noarch       2:1.7-1                       @virtualmin-noarch        48 k
 wbm-virtualmin-oracle                     noarch       2:1.14-1                      @virtualmin-noarch       492 k
 wbm-virtualmin-powerdns                   noarch       2:1.13-1                      @virtualmin-noarch       127 k
 wbm-virtualmin-registrar                  noarch       2:3.0-1                       @virtualmin-noarch       1.7 M
 wbm-virtualmin-signup                     noarch       2:1.8-1                       @virtualmin-noarch       179 k
 wbm-virtualmin-slavedns                   noarch       2:1.13-1                      @virtualmin-noarch        64 k
 wbm-virtualmin-sqlite                     noarch       1.8-1                         @virtualmin-noarch        95 k
 wbm-virtualmin-styles-openwebdesign       noarch       1.1-1                         @virtualmin-noarch        13 M
 wbm-virtualmin-styles-oswd                noarch       1.0-1                         @virtualmin-noarch       5.2 M
 wbm-virtualmin-support                    noarch       2:4.0-1                       @virtualmin-noarch       167 k
 wbm-virtualmin-svn                        noarch       2:5.1-1                       @virtualmin-noarch       121 k
 wbm-virtualmin-vsftpd                     noarch       2:1.11-1                      @virtualmin-noarch       123 k

Transaction Summary
=====================================================================================================================
Upgrade  36 Packages
Remove   26 Packages

Total size: 235 M
Downloading Packages:
[SKIPPED] brave-browser-1.85.120-1.x86_64.rpm: Already downloaded
[SKIPPED] webmin-2.620-1.noarch.rpm: Already downloaded
[SKIPPED] perl-XS-Parse-Sublike-0.41-1.el10_1.x86_64.rpm: Already downloaded
[SKIPPED] perl-XS-Parse-Sublike-Builder-0.41-1.el10_1.x86_64.rpm: Already downloaded
[SKIPPED] perl-XS-Parse-Sublike-tests-0.41-1.el10_1.x86_64.rpm: Already downloaded
[SKIPPED] cockpit-344-1.el10.rocky.0.1.x86_64.rpm: Already downloaded
[SKIPPED] cockpit-bridge-344-1.el10.rocky.0.1.noarch.rpm: Already downloaded
[SKIPPED] cockpit-system-344-1.el10.rocky.0.1.noarch.rpm: Already downloaded
[SKIPPED] cockpit-ws-344-1.el10.rocky.0.1.x86_64.rpm: Already downloaded
[SKIPPED] cockpit-ws-selinux-344-1.el10.rocky.0.1.x86_64.rpm: Already downloaded
[SKIPPED] libpng-1.6.40-8.el10_1.1.x86_64.rpm: Already downloaded
[SKIPPED] libpq-16.11-3.el10_1.x86_64.rpm: Already downloaded
[SKIPPED] python3-3.12.12-2.el10_1.x86_64.rpm: Already downloaded
[SKIPPED] python3-libs-3.12.12-2.el10_1.x86_64.rpm: Already downloaded
[SKIPPED] rocky-gpg-keys-10.1-1.4.el10.noarch.rpm: Already downloaded
[SKIPPED] rocky-release-10.1-1.4.el10.noarch.rpm: Already downloaded
[SKIPPED] rocky-repos-10.1-1.4.el10.noarch.rpm: Already downloaded
[SKIPPED] sos-4.10.1-2.el10.noarch.rpm: Already downloaded
[SKIPPED] cockpit-packagekit-344-1.el10.rocky.0.1.noarch.rpm: Already downloaded
[SKIPPED] cockpit-storaged-344-1.el10.rocky.0.1.noarch.rpm: Already downloaded
[SKIPPED] mariadb-10.11.15-1.el10_1.x86_64.rpm: Already downloaded
[SKIPPED] mariadb-backup-10.11.15-1.el10_1.x86_64.rpm: Already downloaded
[SKIPPED] mariadb-client-utils-10.11.15-1.el10_1.x86_64.rpm: Already downloaded
[SKIPPED] mariadb-common-10.11.15-1.el10_1.noarch.rpm: Already downloaded
[SKIPPED] mariadb-errmsg-10.11.15-1.el10_1.noarch.rpm: Already downloaded
[SKIPPED] mariadb-gssapi-server-10.11.15-1.el10_1.x86_64.rpm: Already downloaded
[SKIPPED] mariadb-server-10.11.15-1.el10_1.x86_64.rpm: Already downloaded
[SKIPPED] mariadb-server-utils-10.11.15-1.el10_1.x86_64.rpm: Already downloaded
[SKIPPED] open-vm-tools-13.0.0-1.el10_1.2.x86_64.rpm: Already downloaded
[SKIPPED] open-vm-tools-desktop-13.0.0-1.el10_1.2.x86_64.rpm: Already downloaded
[SKIPPED] osbuild-composer-149-1.el10.rocky.0.8.x86_64.rpm: Already downloaded
[SKIPPED] osbuild-composer-core-149-1.el10.rocky.0.8.x86_64.rpm: Already downloaded
[SKIPPED] osbuild-composer-worker-149-1.el10.rocky.0.8.x86_64.rpm: Already downloaded
[SKIPPED] poppler-24.02.0-7.el10_1.x86_64.rpm: Already downloaded
[SKIPPED] poppler-glib-24.02.0-7.el10_1.x86_64.rpm: Already downloaded
[SKIPPED] python-unversioned-command-3.12.12-2.el10_1.noarch.rpm: Already downloaded
error: Verifying a signature, but no certificate was provided:
  Signature 1cf2 created at Thu Jan  8 21:44:49 2026 invalid: signature relies on legacy cryptography
      because: Policy rejected non-revocation signature (Binary) requiring collision resistance
      because: SHA1 is not considered secure
error: Verifying a signature, but no certificate was provided:
  Signature e4f2 created at Thu Jan  8 21:44:49 2026 invalid: signature relies on legacy cryptography
      because: Policy rejected non-revocation signature (Binary) requiring collision resistance
      because: SHA1 is not considered secure
Cloudmin Distribution Neutral                                                        1.6 MB/s | 1.7 kB     00:00
Importing GPG key 0xA0BDBCF9:
 Userid     : ""
 Fingerprint: 31D2 B188 72EA F68E FB81 F81D E8DD 3FA0 A0BD BCF9
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin
error: Certificate E8DD3FA0A0BDBCF9:
  Policy rejects E8DD3FA0A0BDBCF9: No binding signature at time 2026-01-13T14:32:08Z
Key import failed (code 2). Failing package is: webmin-2.620-1.noarch
 GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
rl@ns1:~$
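
Added example, not part of any post in this thread: the two failures above name a rejected asymmetric algorithm and a SHA1-based signature, and both properties can be read from GnuPG's colon-format listing of a key file. The function below classifies `pub`/`sub` and `sig` records; the thresholds, the verdict strings and the sample records are assumptions made for illustration and are not the RL10 policy or the Virtualmin key.

```shell
#!/usr/bin/env bash
# Added example: triage OpenPGP keys from the machine-readable gpg listing.
# Thresholds are illustrative assumptions, not the RL10 crypto-policy files.

# Reads --with-colons records on stdin. Field layout per GnuPG doc/DETAILS:
#   pub/sub: field 3 = key length, field 4 = public-key algorithm id, field 5 = key ID
#   sig:     field 5 = issuer key ID, field 16 = hash algorithm id
classify_keys() {
    awk -F: '
        BEGIN {
            pk[1] = "RSA"; pk[16] = "ELG"; pk[17] = "DSA"
            pk[18] = "ECDH"; pk[19] = "ECDSA"; pk[22] = "EdDSA"
            h[1] = "MD5"; h[2] = "SHA1"; h[3] = "RIPEMD160"
            h[8] = "SHA256"; h[9] = "SHA384"; h[10] = "SHA512"; h[11] = "SHA224"
        }
        $1 == "pub" || $1 == "sub" {
            algo = $4 + 0; bits = $3 + 0
            label = (algo in pk) ? pk[algo] : "ALG" algo
            verdict = "ok"
            if (algo == 17) verdict = "weak-key-algorithm"
            else if (algo == 1 && bits < 2048) verdict = "weak-key-size"
            printf "%s %s %s%d %s\n", $1, $5, label, bits, verdict
        }
        $1 == "sig" && $16 != "" {
            hash = $16 + 0
            label = (hash in h) ? h[hash] : "HASH" hash
            verdict = (hash == 1 || hash == 2 || hash == 3) ? "weak-hash" : "ok"
            printf "sig %s %s %s\n", $5, label, verdict
        }'
}

# Constructed sample records (key IDs and names are placeholders).
sample_listing() {
    cat <<'EOF'
pub:-:1024:17:AAAAAAAAAAAAAAAA:1100000000:::-:::scESC::::::23::0:
sig:::17:AAAAAAAAAAAAAAAA:1100000000::::Constructed Legacy Key:13x:::::2:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1700000000:::-:::scESC::::::23::0:
sig:::1:BBBBBBBBBBBBBBBB:1700000000::::Constructed Modern Key:13x:::::10:
EOF
}

# On a real host, assuming gpg is installed (prints pub/sub records only):
#   gpg --show-keys --with-colons /etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin | classify_keys
```

`sig` records appear only in listings that include signatures, such as `gpg --list-sigs --with-colons` run against a scratch keyring holding the key.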