majorwiki/05-troubleshooting/security/fedora-ca-bundle-missing-symlink.md
majorlinux de9b661b9d wiki: add Fedora CA bundle article, update migration checklist and logwatch docs
New article documenting missing /etc/pki/tls/certs/ca-bundle.crt symlink
on Hetzner Fedora images breaking Postfix TLS, curl, and dnf. Updated
VPS migration baseline checklist with timezone, CA bundle, and crond
verification steps. Updated logwatch fleet setup with crond check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-11 07:35:42 -04:00


---
title: "Fedora CA Bundle Missing Symlink — TLS Breaks Fleet-Wide"
description: "Hetzner-provisioned Fedora images may be missing the /etc/pki/tls/certs/ca-bundle.crt symlink, silently breaking Postfix TLS relay, curl, and dnf"
tags:
  - fedora
  - tls
  - postfix
  - ca-certificates
  - hetzner
  - troubleshooting
status: published
created: 2026-05-11
updated: 2026-05-11
---

# Fedora CA Bundle Missing Symlink

On Fedora, many TLS clients (Postfix, curl, dnf) look for the CA bundle at `/etc/pki/tls/certs/ca-bundle.crt`. This path is normally a symlink to `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`, shipped by the `ca-certificates` package.

On Hetzner Cloud Fedora images (observed on Fedora 44, May 2026), this symlink can be missing despite `ca-certificates` being installed. The extracted bundle exists, but the consumer-facing symlink does not.

## Symptoms

Postfix relay to a TLS-required upstream fails:

```text
postfix/smtp: cannot load Certification Authority data,
  CAfile="/etc/pki/tls/certs/ca-bundle.crt",
  CApath="/etc/pki/tls/certs": disabling TLS support
```

If your relay requires TLS (port 465 with `smtp_tls_wrappermode = yes`, or `smtp_tls_security_level = encrypt`), mail silently queues as deferred. No bounce, no alert — just silence.

Other symptoms on the same box:

```bash
# curl fails
curl https://example.com
# error: Problem with the SSL CA cert (path? access rights?)

# dnf fails
dnf list --installed
# Curl error (77): Problem with the SSL CA cert
```

## Diagnosis

```bash
# Check the symlink
ls -la /etc/pki/tls/certs/ca-bundle.crt
# Expected: symlink -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Broken: "No such file or directory"

# Verify the extracted bundle exists
ls -la /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Should exist (~220 KB, ~140-150 certs)

# Confirm the package is installed
rpm -q ca-certificates
# Should return a version string
```

If the extracted bundle exists but the symlink at `/etc/pki/tls/certs/ca-bundle.crt` is missing, that's the problem.

## Fix

```bash
sudo ln -sf /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
            /etc/pki/tls/certs/ca-bundle.crt
sudo systemctl restart postfix
sudo postqueue -f   # flush any deferred mail
```

Verify:

```bash
# Symlink exists
ls -la /etc/pki/tls/certs/ca-bundle.crt

# Postfix can relay
echo "Subject: TLS test" | sendmail -v marcus@majorshouse.com

# curl works
curl -sI https://example.com | head -1
```

## Fleet Audit

If one Hetzner-provisioned Fedora host has this issue, check the others:

```bash
for host in majordiscord majorlab majorhome majormail; do
  echo "$host: $(ssh root@$host 'ls /etc/pki/tls/certs/ca-bundle.crt 2>&1' | tail -1)"
done
```

Hosts returning "No such file or directory" are silently broken for all TLS operations.

## Why This Happens

`update-ca-trust extract` regenerates the files under `/etc/pki/ca-trust/extracted/` but does not create the legacy consumer-path symlink at `/etc/pki/tls/certs/ca-bundle.crt`. That symlink is shipped by the `ca-certificates` RPM. On cloud images built from minimal installs or snapshot-based provisioning, the symlink can be lost during image creation or a partial upgrade.

## Prevention

Add to your provisioning checklist (see VPS Migration Baseline Checklist):

```bash
# Fedora provisioning — verify CA bundle symlink
ls /etc/pki/tls/certs/ca-bundle.crt || \
  ln -sf /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /etc/pki/tls/certs/ca-bundle.crt
```
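The `ls` checks in the Diagnosis, Fleet Audit and Prevention sections only tell "present" from "absent". The helper below is an added example (not from this wiki or the `ca-certificates` package) that also catches a dangling symlink, a regular file copied in place of the symlink, a link pointing somewhere else, and an extracted bundle with no certificates in it, and refuses to "fix" anything when the extracted bundle itself is missing. Paths default to the ones in this article but can be overridden for testing; `ca_bundle_state` and `ca_bundle_fix` are names chosen here, not existing tools.

```bash
#!/usr/bin/env bash
# Added example: classify the Fedora CA-bundle consumer path instead of grepping `ls`.
# ca_bundle_state [LINK] [TARGET] prints exactly one word:
#   ok | missing | dangling | not-symlink | wrong-target | empty-bundle | no-extracted-bundle
# and exits 0 only for "ok", so it drops straight into a fleet loop or a provisioning check.
CA_BUNDLE_LINK="${CA_BUNDLE_LINK:-/etc/pki/tls/certs/ca-bundle.crt}"
CA_BUNDLE_TARGET="${CA_BUNDLE_TARGET:-/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem}"

ca_bundle_state() {
  local link="${1:-$CA_BUNDLE_LINK}" target="${2:-$CA_BUNDLE_TARGET}"
  # Without the extracted bundle there is nothing to link to: that is a
  # ca-certificates / update-ca-trust problem, not a symlink problem.
  [ -e "$target" ] || { echo "no-extracted-bundle"; return 1; }
  # -e follows the link, -L does not; both false means the path is absent.
  if [ ! -e "$link" ] && [ ! -L "$link" ]; then echo "missing"; return 1; fi
  # A real file here goes stale the next time update-ca-trust runs.
  [ -L "$link" ] || { echo "not-symlink"; return 1; }
  # Symlink present but its target is gone.
  [ -e "$link" ] || { echo "dangling"; return 1; }
  # Link resolves, but not to the extracted bundle (e.g. an old hand-made copy).
  if [ "$(readlink -f "$link")" != "$(readlink -f "$target")" ]; then
    echo "wrong-target"; return 1
  fi
  # Empty or truncated bundle: every TLS client would fail just as loudly.
  local n
  n=$(grep -c 'BEGIN CERTIFICATE' "$link" || true)
  [ "$n" -ge 1 ] || { echo "empty-bundle"; return 1; }
  echo "ok"
}

# ca_bundle_fix [LINK] [TARGET]: recreate the symlink, but only when the
# extracted bundle exists (otherwise a dangling link would hide the real fault).
ca_bundle_fix() {
  local link="${1:-$CA_BUNDLE_LINK}" target="${2:-$CA_BUNDLE_TARGET}"
  [ -e "$target" ] || { echo "refusing: $target is absent; reinstall ca-certificates" >&2; return 1; }
  ln -sfn "$target" "$link"
}

# Stand-alone use on a host: report, and repair only when the state is fixable.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  state=$(ca_bundle_state) || case "$state" in
    missing|dangling|not-symlink|wrong-target) ca_bundle_fix && state=$(ca_bundle_state) ;;
  esac
  echo "$(hostname): $state"
fi
```

In the Fleet Audit loop, replace the `ls` with `bash -s < this-script.sh` over ssh to get one word per host instead of an error string to eyeball.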