diff --git a/site/profiles/manifests/defaults.pp b/site/profiles/manifests/defaults.pp
index be4ec87..d86b76a 100644
--- a/site/profiles/manifests/defaults.pp
+++ b/site/profiles/manifests/defaults.pp
@@ -9,8 +9,9 @@ class profiles::defaults {
 
   Package {
     ensure  => present,
-    require => Class['profiles::base::repos']
-
+    require => [
+      Class['profiles::base::repos'],
+    ]
   }
 
   File {
@@ -34,7 +35,10 @@ class profiles::defaults {
     ensure     => 'present',
     enabled    => 1,
     gpgcheck   => 1,
-    require    => Class['profiles::pki::vaultca'],
+    require    => [
+      Class['profiles::pki::vaultca'],
+      Class['crypto_policies'],
+    ],
     notify     => Exec['dnf_makecache'],
   }
 }
diff --git a/site/profiles/manifests/yum/global.pp b/site/profiles/manifests/yum/global.pp
index ed36d63..58695c4 100644
--- a/site/profiles/manifests/yum/global.pp
+++ b/site/profiles/manifests/yum/global.pp
@@ -16,12 +16,15 @@ class profiles::yum::global (
     purge => $purge,
   }
 
-  #exec {'purge_almalinux_default_repos':
-  #  command => 'rm -f /etc/yum.repos.d/almalinux*.repo',
-  #  path    => ['/bin', '/usr/bin'],
-  #  onlyif  => 'find /etc/yum.repos.d/ -type f -name *almalinux* | grep .',
-  #  before  => Resources['yumrepo'],
-  #}
+  # el9 needs to rpmdb rebuild after crypto-policies
+  if $facts['os']['release']['major'] == '9' {
+    exec { 'rebuild_rpmdb':
+      command => '/usr/bin/rpmdb --rebuilddb && /usr/bin/touch /root/almalinux9_upgrade_rebuilddb_flag',
+      unless  => '/usr/bin/test -f /root/almalinux9_upgrade_rebuilddb_flag',
+      timeout => 180,
+      require => Class['crypto_policies'],
+    }
+  }
 
   # download all gpg keys if a repo defines it
   $repos.each |$name, $repo| {