Temporary Permanence

Lukas Vacula's personal website and blog.

12 Mar 26

Red Hat Satellite and Changing CAs for Custom SSL Certificates

The security team at work recently switched the CA we get our SSL certificates from. Unfortunately, this led to some things breaking with our Red Hat Satellite (aka RH-branded The Foreman) instance. Namely, several of our hosts started reporting SSL errors while running dnf update (some parts redacted for security):

Errors during downloading metadata for repository 'InfluxDB':
  - Curl error (60): SSL peer certificate or SSH remote key was not OK for https://capsule.example.com/pulp/content/Org/Prod/RHEL9/custom/InfluxDB/InfluxDB/repodata/repomd.xml [SSL certificate problem: self-signed certificate in certificate chain]

Turns out that Satellite is really temperamental about changing your CA, and there is no way to go about it without running some kind of script or command on every host in your fleet. Red Hat's suggested course of action is to use a script on the Satellite server that is designed to update the CA. You can run it on Satellite-managed hosts easily by creating a job within Satellite (category: "Command", job template: "Download and run a script") with the URL https://satellite.example.com/unattended/public/foreman_ca_refresh.

Unfortunately, this script only exists on Satellite and not on any of the capsules. That means it won't work for hosts on segmented networks that can only reach a capsule. And the next-best course of action according to Red Hat is, even more unfortunately, to unregister and re-register each host. I'm sure that's a fine idea if you only have a few hosts. But one of the orgs in our instance has several hundred.

Thus, I recommend the following command (which can also be run via a Satellite job, same category, with the job template "Run Command - Script Default"):

sudo rpm --force -Uvh https://$(grep -oP '[0-9a-zA-Z\-]+\.example\.com' /etc/rhsm/rhsm.conf | head -n 1)/pub/katello-ca-consumer-latest.noarch.rpm

Of course, update the domain to match what you're using. The one-liner will search your Subscription Manager config for the first instance of something looking like a hostname under your domain - which should be the Satellite or capsule it's configured to use for dnf repos - and reach out to it to get the katello-ca-consumer package that contains the CA certificates. The --force is deliberate: the package version may not have changed, only the CA bundle inside it, and without --force rpm would refuse to reinstall the same version. Be warned: this package is deprecated, but not removed, in newer versions of Satellite. So your experience using this command may change as time goes on.
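The same procedure, as an added example that is not from the original post: a small POSIX shell script that resolves the Satellite or capsule hostname from rhsm.conf, refuses to proceed if the result is not a host under the expected domain, and only then builds the package URL and reinstalls. The "hostname =" key in the [server] section of rhsm.conf is the assumed layout of that file, the example.com domain and all function names are constructed here, and the sample config written at the bottom exists only so the parsing can be tried offline. The install step assumes it is run as root (for example from a Satellite job).

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: rhsm.conf
# carries a "hostname =" key under [server]; example.com is the domain;
# function names and the sample config below are constructed.

# Print the Satellite or capsule hostname this host is registered against.
# $1: path to rhsm.conf (default /etc/rhsm/rhsm.conf)
# $2: parent domain used by the fallback pattern match (default example.com)
satellite_host_from_conf() {
    conf="${1:-/etc/rhsm/rhsm.conf}"
    domain="${2:-example.com}"

    # Preferred source: the explicit hostname key (assumed layout).
    host=$(sed -n 's/^[[:space:]]*hostname[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" | head -n 1)

    # Fallback: the post's approach, first token that looks like a host
    # under the domain anywhere in the file (e.g. the pulp baseurl).
    if [ -z "$host" ]; then
        escaped=$(printf '%s' "$domain" | sed 's/\./\\./g')
        host=$(grep -oE "[0-9A-Za-z-]+\.${escaped}" "$conf" | head -n 1)
    fi

    printf '%s\n' "$host"
}

# Succeed only if $1 is a plausible hostname under $2 (default example.com),
# so a mangled or tampered config cannot redirect the download elsewhere.
host_in_domain() {
    h="$1"
    domain="${2:-example.com}"
    escaped=$(printf '%s' "$domain" | sed 's/\./\\./g')
    printf '%s\n' "$h" | grep -Eq "^([0-9A-Za-z-]+\.)+${escaped}$"
}

# Build the URL of the CA consumer package served by Satellite/capsule.
katello_ca_url() {
    printf 'https://%s/pub/katello-ca-consumer-latest.noarch.rpm\n' "$1"
}

# Resolve, validate, then (re)install. --force reinstalls even when the
# package version is unchanged, because the CA bundle inside it is what changed.
refresh_katello_ca() {
    conf="${1:-/etc/rhsm/rhsm.conf}"
    domain="${2:-example.com}"
    host=$(satellite_host_from_conf "$conf" "$domain")
    if ! host_in_domain "$host" "$domain"; then
        echo "refusing: '$host' is not a host under $domain" >&2
        return 1
    fi
    url=$(katello_ca_url "$host")
    echo "installing CA consumer package from $url"
    rpm --force -Uvh "$url"
}

# Constructed sample of a registered host's rhsm.conf, for offline testing.
# Real use on a host: refresh_katello_ca /etc/rhsm/rhsm.conf example.com
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[server]
# Server hostname:
hostname = capsule.example.com
prefix = /rhsm
port = 443

[rhsm]
baseurl = https://capsule.example.com/pulp/content/
repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem
EOF
```

Run it with the two arguments shown in the comment; the domain check is the part worth keeping even if you stay with the one-liner, since it turns a garbled config into a refusal rather than a download from whatever string happened to match first.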