Category: Linux

  • Using HTTPS-only Connections for Package Repositories

    In CentOS (by default), repositories use a metalink rather than a direct baseurl. The metalink is an endpoint that returns a list of geographic mirrors tailored to your server.

    While the metalink URL itself is usually secure (starting with https://), the query parameters at the end of the URL explicitly tell the CentOS mirror infrastructure which protocols (http or https) your machine is willing to accept. If your network team enforces a strict “Deny All” outbound policy for port 80, dnf can mysteriously hang or fail whenever the metalink hands it an HTTP mirror; once the list is restricted to https, that failure mode goes away.

    If you take a look at your .repo files, you might spot “http” in your CentOS repository configurations, such as:

    metalink=https://mirrors.centos.org/metalink?repo=centos-crb-source-$stream&arch=source&protocol=https,http

    Notice the trailing query parameter: protocol=https,http.

    To ensure that your package manager exclusively uses secure connections, we need to strip the ,http fallback from the protocol parameter across all repository files.

    You can do this quickly and safely using a single sed command, followed by clearing the local cache so dnf fetches a fresh, HTTPS-only mirror list.

    Run the following commands as root (or with sudo):

    # 1. Remove the HTTP fallback from all repo files
    sudo sed -i 's/protocol=https,http/protocol=https/g' /etc/yum.repos.d/*.repo

    # 2. Clear out the old DNF cache containing the insecure mirrors
    sudo dnf clean all

    # 3. Rebuild the cache with the new HTTPS-only rules
    sudo dnf makecache

    From now on dnf requests HTTPS-only mirror lists for these repositories and fetches packages over https.
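    As an added example (not part of the original post), the same edit wrapped in a small script that works on any directory, keeps a backup of each file, and reports how many lines still allow plain http, so it can be tried on a copy of /etc/yum.repos.d before the live files. It also rewrites an http,https ordering, which is assumed possible since the parameter is a comma-separated list; the sample repo files it creates are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: a checkable version of the
# sed step that works on any directory, so it can be tried on a copy
# before touching /etc/yum.repos.d. The http,https ordering is handled
# too, on the assumption that either order may appear in the comma list.

# Rewrite the protocol= parameter of every *.repo file in $1 so that only
# https remains. A one-time .bak copy of each file is kept beside it.
strip_http_fallback() {
    dir="$1"
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        [ -f "$f.bak" ] || cp "$f" "$f.bak"
        sed -i -e 's/protocol=https,http/protocol=https/g' \
               -e 's/protocol=http,https/protocol=https/g' "$f"
    done
}

# Count lines in $1/*.repo that still allow plain http: a protocol list
# containing http, or a direct baseurl=http://. Prints 0 when clean.
count_http_lines() {
    dir="$1"
    grep -E -h 'protocol=(https,)?http(,|&|$)|^baseurl=http://' "$dir"/*.repo 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample: two repo files modelled on the metalink URL quoted
# in the post (mirrors.centos.org is real; the file contents are made up).
make_sample_repos() {
    dir=$(mktemp -d)
    cat > "$dir/centos.repo" <<'EOF'
[crb-source]
name=CentOS Stream $releasever - CRB - Source
metalink=https://mirrors.centos.org/metalink?repo=centos-crb-source-$stream&arch=source&protocol=https,http
gpgcheck=1
EOF
    cat > "$dir/extra.repo" <<'EOF'
[extra]
name=Extra (constructed)
baseurl=http://mirror.example.invalid/extra/
enabled=0
EOF
    printf '%s\n' "$dir"
}

d=$(make_sample_repos)
echo "lines allowing http before: $(count_http_lines "$d")"
strip_http_fallback "$d"
echo "lines allowing http after:  $(count_http_lines "$d")"   # the baseurl line still counts
```

    A direct baseurl=http:// line is reported but not rewritten, because the sed step on this page only touches the metalink protocol parameter; such entries need a separate decision.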