---
title: "Fedora CA Bundle Missing Symlink — TLS Breaks Fleet-Wide"
description: Hetzner-provisioned Fedora images may be missing the /etc/pki/tls/certs/ca-bundle.crt symlink, silently breaking Postfix TLS relay, curl, and dnf
tags:
  - fedora
  - tls
  - postfix
  - ca-certificates
  - hetzner
  - troubleshooting
status: published
created: 2026-05-11
updated: 2026-05-11
---

# Fedora CA Bundle Missing Symlink

On Fedora, many TLS clients (Postfix, curl, dnf) look for the CA bundle at `/etc/pki/tls/certs/ca-bundle.crt`. That path is normally a symlink to `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`, and the symlink itself is shipped by the `ca-certificates` package.

On Hetzner Cloud Fedora images (observed on Fedora 44, May 2026), the symlink can be missing even though `ca-certificates` is installed: the extracted bundle exists, but the consumer-facing symlink does not.

## Symptoms

Postfix relay to a TLS-required upstream fails:

```
postfix/smtp: cannot load Certification Authority data, CAfile="/etc/pki/tls/certs/ca-bundle.crt", CApath="/etc/pki/tls/certs": disabling TLS support
```

If your relay requires TLS (port 465 with `smtp_tls_wrappermode = yes`, or `smtp_tls_security_level = encrypt`), mail silently queues as deferred. No bounce, no alert — just silence. That is the fail-closed case. With opportunistic TLS (`smtp_tls_security_level = may`) Postfix logs the same warning and then delivers in cleartext, so mail keeps flowing, nothing looks broken, and the only trace is that one log line.

Other symptoms on the same box:

```bash
# curl fails
curl https://example.com
# error: Problem with the SSL CA cert (path? access rights?)

# dnf fails
dnf list --installed
# Curl error (77): Problem with the SSL CA cert
```

## Diagnosis

```bash
# Check the symlink
ls -la /etc/pki/tls/certs/ca-bundle.crt
# Expected: symlink -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Broken: "No such file or directory"

# Verify the extracted bundle exists
ls -la /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Should exist (~220 KB, ~140-150 certs)

# Confirm the package is installed, then let rpm check its own payload:
# the symlink is a file owned by the RPM, so when it is gone rpm -V prints
# a "missing" line naming /etc/pki/tls/certs/ca-bundle.crt
rpm -q ca-certificates
rpm -V ca-certificates
```

If the extracted bundle exists but the symlink at `/etc/pki/tls/certs/ca-bundle.crt` is missing, that's the problem. If the extracted bundle is missing as well, you have a different failure (the trust store was never extracted): run `update-ca-trust` first, otherwise the symlink you create below is dangling.

## Fix

`dnf reinstall ca-certificates` would put the file back, but dnf cannot reach the HTTPS mirrors until the bundle is back (that is the curl error 77 above), so recreate the link by hand:

```bash
sudo ln -sf /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
    /etc/pki/tls/certs/ca-bundle.crt
sudo systemctl restart postfix
sudo postqueue -f   # flush any deferred mail
```

Verify:

```bash
# Symlink exists and rpm no longer reports it missing
ls -la /etc/pki/tls/certs/ca-bundle.crt
rpm -V ca-certificates

# Postfix can relay
echo "Subject: TLS test" | sendmail -v marcus@majorshouse.com

# curl works
curl -sI https://example.com | head -1
```

In the mail log the relay session should now log a `TLS connection established` line for the upstream instead of the CA warning.

## Fleet Audit

If one Hetzner-provisioned Fedora host has this issue, check the others:

```bash
for host in majordiscord majorlab majorhome majormail; do
    echo "$host: $(ssh root@$host 'ls /etc/pki/tls/certs/ca-bundle.crt 2>&1' | tail -1)"
done
```

Hosts returning "No such file or directory" are broken for every TLS client that reads this path, and unless something is watching the mail log, silently so.

## Why This Happens

`update-ca-trust extract` regenerates the files under `/etc/pki/ca-trust/extracted/` but never creates the legacy consumer-path symlink at `/etc/pki/tls/certs/ca-bundle.crt`. That symlink is a static file in the `ca-certificates` RPM payload (`rpm -ql ca-certificates | grep ca-bundle.crt` lists it), so nothing recreates it after installation. On cloud images built from minimal installs or snapshot-based provisioning, it can be lost during image creation or a partial upgrade, and because the extracted bundle is still present, every "is ca-certificates installed?" check passes.
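The diagnosis, fix and fleet audit above are all checks on the same two paths, so here they are collected into one script you can drop on a host or run over `ssh`. This is an added example, not part of the original page: it takes an optional root prefix (empty on a live host, a scratch directory for testing), refuses to create a link when the extracted bundle itself is absent so it never leaves a dangling symlink, and includes a small filter that pulls the CAfile path out of the Postfix warning shown under Symptoms. The `audit`/`fix`/`log` subcommands, the function names and the relative link target are this example's own choices; the two paths are the ones from the page.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): audit and repair the Fedora
# CA bundle consumer symlink. ROOT is a filesystem prefix: empty on a live
# host, a scratch directory when testing. BUNDLE and LINK are the two paths
# discussed on the page; everything else here is the example's own choice.
BUNDLE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
LINK=/etc/pki/tls/certs/ca-bundle.crt
# BUNDLE as seen from the directory holding LINK. A relative target resolves
# to the same file on the live host and under a test prefix.
LINK_TARGET=../../ca-trust/extracted/pem/tls-ca-bundle.pem

# Read log text on stdin; print each distinct CAfile path that Postfix
# reported it could not load ("cannot load Certification Authority data").
ca_failures_in_log() {
    sed -n 's/.*cannot load Certification Authority data, CAfile="\([^"]*\)".*/\1/p' | sort -u
}

# Audit: succeed (printing the certificate count) only when ROOT$LINK resolves
# to a readable file holding at least one PEM certificate. The exit status
# distinguishes a missing link (1), a dangling link (2) and an empty bundle (3).
check_ca_bundle() {
    root=${1:-}
    link="$root$LINK"
    if [ ! -L "$link" ] && [ ! -e "$link" ]; then
        echo "missing: $link" >&2
        return 1
    fi
    if [ ! -r "$link" ]; then        # -r follows the link, so this catches dangling
        echo "dangling or unreadable: $link" >&2
        return 2
    fi
    n=$(grep -c 'BEGIN CERTIFICATE' "$link" || true)   # grep -c exits 1 on zero matches
    if [ "$n" -lt 1 ]; then
        echo "no certificates in: $link" >&2
        return 3
    fi
    echo "$n"
}

# Repair: recreate the link, but only when the extracted bundle is present.
# If it is not, the problem is upstream (ca-certificates not installed or
# never extracted) and a new link would simply dangle.
repair_ca_bundle() {
    root=${1:-}
    if [ ! -s "$root$BUNDLE" ]; then
        echo "extracted bundle missing: $root$BUNDLE (run update-ca-trust first)" >&2
        return 1
    fi
    mkdir -p "$(dirname "$root$LINK")"
    ln -sfn "$LINK_TARGET" "$root$LINK"
}

# Usage on a live host, as root:
#   ca-bundle-check.sh audit                       exit 0 and print cert count if healthy
#   ca-bundle-check.sh fix                         repair, then re-audit
#   journalctl -u postfix | ca-bundle-check.sh log list CAfile paths Postfix rejected
case "${1:-}" in
    audit) check_ca_bundle "" ;;
    fix)   repair_ca_bundle "" && check_ca_bundle "" ;;
    log)   ca_failures_in_log ;;
esac
```

For the fleet loop, `ssh root@$host 'bash -s audit' < ca-bundle-check.sh` gives you a clean exit status per host instead of grepping `ls` output, and the same script with `fix` repairs a host in place.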
## Prevention

Add to your provisioning checklist (see [VPS Migration Baseline Checklist](../../02-selfhosting/cloud/vps-migration-baseline-checklist.md)):

```bash
# Fedora provisioning — verify CA bundle symlink. Test with -e rather than
# ls: ls happily lists a dangling link, -e follows it and fails, so a
# broken link gets repaired as well as a missing one.
[ -e /etc/pki/tls/certs/ca-bundle.crt ] || \
    ln -sf /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /etc/pki/tls/certs/ca-bundle.crt
```

## Related

- [Logwatch Fleet Setup](../../02-selfhosting/monitoring/logwatch-fleet-setup.md) — logwatch depends on a working Postfix relay, which depends on TLS, which depends on this symlink
- [VPS Migration Baseline Checklist](../../02-selfhosting/cloud/vps-migration-baseline-checklist.md) — includes CA bundle verification step