majorwiki/05-troubleshooting/security/fedora-ca-bundle-missing-symlink.md

---
title: "Fedora CA Bundle Missing Symlink — TLS Breaks Fleet-Wide"
description: Hetzner-provisioned Fedora images may be missing the /etc/pki/tls/certs/ca-bundle.crt symlink, silently breaking Postfix TLS relay, curl, and dnf
tags:
  - fedora
  - tls
  - postfix
  - ca-certificates
  - hetzner
  - troubleshooting
status: published
created: 2026-05-11
updated: 2026-05-11
---

# Fedora CA Bundle Missing Symlink

On Fedora, many TLS clients (Postfix, curl, dnf) look for the CA bundle at `/etc/pki/tls/certs/ca-bundle.crt`. This path is normally a symlink to `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`, shipped by the `ca-certificates` package.

On Hetzner Cloud Fedora images (observed on Fedora 44, May 2026), this symlink can be missing despite `ca-certificates` being installed. The extracted bundle exists, but the consumer-facing symlink does not.

## Symptoms

Postfix relay to a TLS-required upstream fails:

```
postfix/smtp: cannot load Certification Authority data,
  CAfile="/etc/pki/tls/certs/ca-bundle.crt",
  CApath="/etc/pki/tls/certs": disabling TLS support
```

If your relay requires TLS (port 465 with `smtp_tls_wrappermode = yes`, or `smtp_tls_security_level = encrypt`), mail silently queues as deferred. No bounce, no alert — just silence.

Other symptoms on the same box:

```bash
# curl fails
curl https://example.com
# error: Problem with the SSL CA cert (path? access rights?)

# dnf fails
dnf list --installed
# Curl error (77): Problem with the SSL CA cert
```

## Diagnosis

```bash
# Check the symlink
ls -la /etc/pki/tls/certs/ca-bundle.crt
# Expected: symlink -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Broken: "No such file or directory"

# Verify the extracted bundle exists
ls -la /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Should exist (~220 KB, ~140-150 certs)

# Confirm the package is installed
rpm -q ca-certificates
# Should return a version string
```

If the extracted bundle exists but the symlink at `/etc/pki/tls/certs/ca-bundle.crt` is missing, that's the problem.

## Fix

```bash
sudo ln -sf /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
            /etc/pki/tls/certs/ca-bundle.crt
sudo systemctl restart postfix
sudo postqueue -f   # flush any deferred mail
```

Verify:

```bash
# Symlink exists
ls -la /etc/pki/tls/certs/ca-bundle.crt

# Postfix can relay
echo "Subject: TLS test" | sendmail -v marcus@majorshouse.com

# curl works
curl -sI https://example.com | head -1
```

## Fleet Audit

If one Hetzner-provisioned Fedora host has this issue, check the others:

```bash
for host in majordiscord majorlab majorhome majormail; do
  echo "$host: $(ssh root@$host 'ls /etc/pki/tls/certs/ca-bundle.crt 2>&1' | tail -1)"
done
```

Hosts returning "No such file or directory" are silently broken for all TLS operations.

## Why This Happens

`update-ca-trust extract` regenerates the files under `/etc/pki/ca-trust/extracted/` but does not create the legacy consumer-path symlink at `/etc/pki/tls/certs/ca-bundle.crt`. That symlink is shipped by the `ca-certificates` RPM. On cloud images built from minimal installs or snapshot-based provisioning, the symlink can be lost during image creation or a partial upgrade.

## Prevention

Add to your provisioning checklist (see [VPS Migration Baseline Checklist](../../02-selfhosting/cloud/vps-migration-baseline-checklist.md)):

```bash
# Fedora provisioning — verify CA bundle symlink
ls /etc/pki/tls/certs/ca-bundle.crt || \
  ln -sf /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /etc/pki/tls/certs/ca-bundle.crt
```

## Related

- [Logwatch Fleet Setup](../../02-selfhosting/monitoring/logwatch-fleet-setup.md) — logwatch depends on a working Postfix relay, which depends on TLS, which depends on this symlink
- [VPS Migration Baseline Checklist](../../02-selfhosting/cloud/vps-migration-baseline-checklist.md) — includes CA bundle verification step