TLS certificates for Raspbian

Two-three weeks ago I started to see this message in my daily logwatch report:

**Unmatched Entries**

1 Mar 5 07:38:54 rpi postfix/smtp[9344]: cannot load Certification Authority data, CAfile="/etc/pki/tls/certs/ca-bundle.crt", CApath="/etc/pki/tls/certs": disabling TLS support

I'm running a 512 MB RPi 2B with Postfix installed as its MTA using Raspbian Buster.

Can anybody suggest what package I need to install to get the certificates installed and so get rid of its complaints?

--
Martin    | martin at 
Gregorie  | gregorie dot org
Martin Gregorie

Not got a running "Buster" raspberry PiOS, but a Debian based system search gives

ca-certificates - Common CA certificates

ca-certificates-java - Common CA certificates (JKS keystore)

HTH

Jim Jackson

I don't see anything like pki in this package

In Debian it is under /etc/ssl/certs/ca-certificates.crt

See here:

formatting link

Deloptes

This file is created by the update-ca-certificates script which is called by the post install script of the ca-certificates package. That script generates the bundle file from the certificates stored in both /usr/share/ca-certificates and /usr/local/share/ca-certificates. Installing the ca-certificates package should cause the file Postfix is looking for to be generated.

--Matt

--
Matthew Ernisse
Matt Ernisse

I have postfix installed, but no such file, and postfix does not complain. Also, this seems to be wrong - have you tried it?

regards

Deloptes

The ca-certificates package is installed but the file /etc/pki/tls/certs/ca-bundle.crt does not exist and nor does the directory /etc/pki.

Removing and reinstalling the ca-certificates package did not fix the problem, so it looks like the RPi Foundation's bugzilla needs to be told about it. Thanks to all for confirming that.

--
Martin    | martin at 
Gregorie  | gregorie dot org
Martin Gregorie

No idea why you come up with this issue. Do you have some customizations or alien packages?

In the Ubuntu link they suggest you create a symlink.

Deloptes

Nope - no nonstandard stuff installed, and it suddenly appeared for no apparent reason: I've been running Postfix on this RPi since I first got it (Jessie) and the onset of complaints about no TLS certs is not coincident with anything else I've done: I upgraded to Buster last year and it's been a month or three since I moved the system from an 8GB to a 16GB SD card.

As I said, since nobody here seems to have hit this problem, and since removing & reinstalling the ca-certificates package didn't help, and nor did a reboot after that.

This is just a niggle for me, because mail sent via my RPi's copy of Postfix stays inside my local network (it's typically just logwatch and rkhunter reports), but my next move is to raise a bug since it may have more serious consequences for others.

--
Martin    | martin at 
Gregorie  | gregorie dot org
Martin Gregorie

Does this help?

formatting link

--
Chris Elvidge 
England
Chris Elvidge


Yes, it does - many thanks. I just updated /etc/postfix/main.cf and restarted postfix. All looks good ATM.

--
Martin    | martin at 
Gregorie  | gregorie dot org
Martin Gregorie
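
Added example, not code from any poster in this thread: a shell check that the CA bundle file and directory a Postfix main.cf names for the SMTP client actually exist, which is the condition behind the "disabling TLS support" log line. It assumes the CAfile/CApath values in that log come from the `smtp_tls_CAfile` and `smtp_tls_CApath` parameters (names not quoted in the thread) and that settings are single-line; the function names and demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that the CA locations named in a Postfix main.cf exist.

# Print the value of parameter $2 in main.cf-style file $1 (last setting wins).
# Assumption: single-line "name = value" settings, no continuation lines.
get_param() {
    sed -n "/^$2[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*\$//;p;}" "$1" | tail -n 1
}

# Return 0 if the SMTP client CA settings in file $1 are usable, 1 otherwise.
check_smtp_ca() {
    status=0
    cafile=$(get_param "$1" smtp_tls_CAfile)
    capath=$(get_param "$1" smtp_tls_CApath)
    if [ -n "$cafile" ]; then
        if [ ! -r "$cafile" ]; then
            echo "smtp_tls_CAfile: $cafile is missing or unreadable"; status=1
        elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cafile"; then
            echo "smtp_tls_CAfile: $cafile contains no PEM certificate"; status=1
        fi
    fi
    if [ -n "$capath" ] && [ ! -d "$capath" ]; then
        echo "smtp_tls_CApath: $capath is not a directory"; status=1
    fi
    return "$status"
}

# Constructed demo: broken.cf uses the paths from the log line in the first post
# (absent on Debian/Raspbian); fixed.cf points at a stand-in bundle in a temp dir.
demo() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' 'smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt' \
        'smtp_tls_CApath = /etc/pki/tls/certs' > "$tmp/broken.cf"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' '(constructed placeholder)' \
        '-----END CERTIFICATE-----' > "$tmp/bundle.crt"
    printf '%s\n' "smtp_tls_CAfile = $tmp/bundle.crt" "smtp_tls_CApath = $tmp" \
        > "$tmp/fixed.cf"
    check_smtp_ca "$tmp/broken.cf" && echo "broken.cf: OK"
    check_smtp_ca "$tmp/fixed.cf" && echo "fixed.cf: OK"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# With an argument, check that file (e.g. /etc/postfix/main.cf); otherwise run the demo.
if [ -n "${1:-}" ]; then check_smtp_ca "$1"; else demo; fi
```

On a live system, `postconf -h smtp_tls_CAfile` prints the effective value, including defaults and continuation lines that this simple parser does not handle.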

In examining my debian boxen, the one running unstable has a /etc/pki/ courtesy of the package fwupd (firmware update), the mailserver running testing doesn't have that directory. postconf on the mail server shows

smtpd_tls_cert_file = /etc/ssl/certs/mycert.cer

and on my desktop

smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key

I can't see where /etc/pki is coming from.

--
Consulting Minister for Consultants, DNRC 
I can please only one person per day. Today is not your day. Tomorrow 
isn't looking good, either. 
I am BOFH. Resistance is futile. Your network will be assimilated.
I R A Darth Aggie
