• TLS certificates for Raspbian

    From Martin Gregorie@3:770/3 to All on Sat Mar 6 21:12:32 2021
    Two-three weeks ago I started to see this message in my daily logwatch
    report:

    **Unmatched Entries**
    1 Mar 5 07:38:54 rpi postfix/smtp[9344]: cannot load
    Certification Authority data, CAfile="/etc/pki/tls/certs/ca-bundle.crt", CApath="/etc/pki/tls/certs": disabling TLS support

    I'm running a 512 MB RPi 2B with Postfix installed as its MTA using
    Raspbian Buster.

    Can anybody suggest what package I need to install to get the
    certificates installed and so get rid of its complaints.


    --
    Martin | martin at
    Gregorie | gregorie dot org

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From Jim Jackson@3:770/3 to Martin Gregorie on Sat Mar 6 21:21:49 2021
    On 2021-03-06, Martin Gregorie <martin@mydomain.invalid> wrote:
    Two-three weeks ago I started to see this message in my daily logwatch report:

    **Unmatched Entries**
    1 Mar 5 07:38:54 rpi postfix/smtp[9344]: cannot load
    Certification Authority data, CAfile="/etc/pki/tls/certs/ca-bundle.crt", CApath="/etc/pki/tls/certs": disabling TLS support

    I'm running a 512 MB RPi 2B with Postfix installed as its MTA using
    Raspbian Buster.

    Can anybody suggest what package I need to install to get the
    certificates installed and so get rid of its complaints.


    Not got a running "Buster" raspberry PiOS, but a Debian based system search gives

    ca-certificates - Common CA certificates
    ca-certificates-java - Common CA certificates (JKS keystore)

    HTH

  • From Deloptes@3:770/3 to Jim Jackson on Sat Mar 6 23:54:23 2021
    Jim Jackson wrote:

    Not got a running "Buster" raspberry PiOS, but a Debian based system
    search gives

    ca-certificates - Common CA certificates

    I don't see anything like pki in this package

    In Debian it is under /etc/ssl/certs/ca-certificates.crt

    See here: https://askubuntu.com/questions/342484/etc-pki-tls-certs-ca-bundle-crt-not-found

  • From Matt Ernisse@3:770/3 to Deloptes on Sun Mar 7 01:40:53 2021
    On 2021-03-06, Deloptes <deloptes@gmail.com> wrote:
    Jim Jackson wrote:

    Not got a running "Buster" raspberry PiOS, but a Debian based system
    search gives

    ca-certificates - Common CA certificates

    I don't see anything like pki in this package

    In Debian it is under /etc/ssl/certs/ca-certificates.crt

    This file is created by the update-ca-certificates script which is called
    by the post install script of the ca-certificates package. That script generates the bundle file from the certificates stored in both /usr/share/ca-certificates and /usr/local/share/ca-certificates. Installing the ca-certificates package should cause the file Postfix is looking for
    to be generated.

    --Matt

    --
    Matthew Ernisse <matt@going-flying.com>

  • From Deloptes@3:770/3 to Matt Ernisse on Sun Mar 7 08:35:57 2021
    Matt Ernisse wrote:

    This file is created by the update-ca-certificates script which is called
    by the post install script of the ca-certificates package.  That script generates the bundle file from the certificates stored in both /usr/share/ca-certificates and /usr/local/share/ca-certificates.

    I have postfix installed, but no such file and postfix does not complain
    also this

    Installing the ca-certificates package should cause the file Postfix is looking for to be generated.

    seems to be wrong - have you tried it?

    regards

  • From Martin Gregorie@3:770/3 to Deloptes on Sun Mar 7 13:22:43 2021
    On Sun, 07 Mar 2021 08:35:57 +0100, Deloptes wrote:

    Matt Ernisse wrote:

    This file is created by the update-ca-certificates script which is
    called by the post install script of the ca-certificates package.  That
    script generates the bundle file from the certificates stored in both
    /usr/share/ca-certificates and /usr/local/share/ca-certificates.

    I have postfix installed, but no such file and postfix does not complain
    also this

    Installing the ca-certificates package should cause the file Postfix is
    looking for to be generated.

    seems to be wrong - have you tried it?

    regards

    The ca-certificates package is installed but the file
    /etc/pki/tls/certs/ca-bundle.crt does not exist and nor does the
    directory /etc/pki.

    Removing and reinstalling the ca-certificates package did not fix the
    problem, so it looks like the RPi Foundation's bugzilla needs to be told
    about it. Thanks to all for confirming that.


    --
    Martin | martin at
    Gregorie | gregorie dot org

  • From Deloptes@3:770/3 to Martin Gregorie on Sun Mar 7 15:21:45 2021
    Martin Gregorie wrote:

    Removing and reinstalling the ca-certificates package did not fix the problem, so it looks like the RPi Foundation's bugzilla needs to be told about it. Thanks to all for confirming that.

    No idea why you come up with this issue. Do you have some customizations or alien packages?

    In the Ubuntu link they suggest you create a symlink

  • From Martin Gregorie@3:770/3 to Deloptes on Sun Mar 7 15:09:48 2021
    On Sun, 07 Mar 2021 15:21:45 +0100, Deloptes wrote:

    Martin Gregorie wrote:

    Removing and reinstalling the ca-certificates package did not fix the
    problem, so it looks like the RPi Foundation's bugzilla needs to be
    told about it. Thanks to all for confirming that.

    No idea why you come up with this issue. Do you have some customizations
    or alien packages?

    Nope - no nonstandard stuff installed and it suddenly appeared for no
    apparent reason: I've been running Postfix on this RPi since I first got
    it (Jessie) and the onset of complaints about no TLS certs is not
    coincident with anything else I've done: I upgraded to Buster last year
    and it's been a month or three since I moved the system from an 8GB to a
    16GB SD card.

    In the Ubuntu link they suggest you create a symlink

    As I said, since nobody here seems to have hit this problem, and since
    removing & reinstalling the ca-certificates package didn't help, and nor
    did a reboot after that.

    This is just a niggle for me, because mail sent via my RPi's copy of
    Postfix stays inside my local network (its typically just logwatch and
    rkhunter reports), but my next move is to raise a bug since it may have
    more serious consequences for others.


    --
    Martin | martin at
    Gregorie | gregorie dot org

  • From Chris Elvidge@3:770/3 to Martin Gregorie on Sun Mar 7 17:04:09 2021
    On 06/03/2021 09:12 pm, Martin Gregorie wrote:
    Two-three weeks ago I started to see this message in my daily logwatch report:

    **Unmatched Entries**
    1 Mar 5 07:38:54 rpi postfix/smtp[9344]: cannot load Certification Authority data, CAfile="/etc/pki/tls/certs/ca-bundle.crt", CApath="/etc/pki/tls/certs": disabling TLS support

    I'm running a 512 MB RPi 2B with Postfix installed as its MTA using
    Raspbian Buster.

    Can anybody suggest what package I need to install to get the
    certificates installed and so get rid of its complaints.


    Does this help?

    https://askubuntu.com/questions/342484/etc-pki-tls-certs-ca-bundle-crt-not-found

    --
    Chris Elvidge
    England

  • From Martin Gregorie@3:770/3 to Chris Elvidge on Sun Mar 7 21:07:31 2021
    On Sun, 07 Mar 2021 17:04:09 +0000, Chris Elvidge wrote:

    On 06/03/2021 09:12 pm, Martin Gregorie wrote:
    Two-three weeks ago I started to see this message in my daily logwatch
    report:

    **Unmatched Entries**
    1 Mar 5 07:38:54 rpi postfix/smtp[9344]: cannot load
    Certification Authority data,
    CAfile="/etc/pki/tls/certs/ca-bundle.crt",
    CApath="/etc/pki/tls/certs": disabling TLS support

    I'm running a 512 MB RPi 2B with Postfix installed as its MTA using
    Raspbian Buster.

    Can anybody suggest what package I need to install to get the
    certificates installed and so get rid of its complaints.


    Does this help?

    https://askubuntu.com/questions/342484/etc-pki-tls-certs-ca-bundle-crt-not-found

    Yes, it does - many thanks. I just updated /etc/postfix/main.cf and
    restarted postfix. All looks good ATM.





    --
    Martin | martin at
    Gregorie | gregorie dot org
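
Added example (not part of any post in this thread): the warning means the Postfix SMTP client has stopped using TLS, so this sketch pulls the CAfile/CApath out of the logged line, checks whether they hold any certificates, and falls back to the Debian bundle path quoted above. The function names are hypothetical, and the suggested `smtp_tls_CAfile` setting is an assumption; the thread does not say which main.cf line was actually changed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# The warning exactly as quoted in the first post.
SAMPLE='Mar 5 07:38:54 rpi postfix/smtp[9344]: cannot load Certification Authority data, CAfile="/etc/pki/tls/certs/ca-bundle.crt", CApath="/etc/pki/tls/certs": disabling TLS support'

# Extract the value of KEY="..." (CAfile or CApath) from a log line.
ca_field() {  # usage: ca_field KEY "log line"
    printf '%s\n' "$2" | sed -n "s/.*$1=\"\([^\"]*\)\".*/\1/p"
}

# Count PEM certificates in a bundle file; prints 0 if missing or unreadable.
pem_count() {  # usage: pem_count FILE
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Check the CA locations named in the warning against the filesystem.
# Returns 0 if the configured CAfile holds certificates,
#         1 if only the candidate bundle does (config points at the wrong path),
#         2 if neither does (no bundle has been generated).
diagnose() {  # usage: diagnose "log line" [candidate-bundle]
    cafile=$(ca_field CAfile "$1")
    capath=$(ca_field CApath "$1")
    # Assumption: Debian's bundle location, as given in the thread.
    candidate=${2:-/etc/ssl/certs/ca-certificates.crt}

    echo "configured CAfile: $cafile ($(pem_count "$cafile") certs)"
    [ -d "$capath" ] && echo "configured CApath: $capath (present)" \
                     || echo "configured CApath: $capath (missing)"

    [ "$(pem_count "$cafile")" -gt 0 ] && return 0
    if [ "$(pem_count "$candidate")" -gt 0 ]; then
        echo "candidate bundle:  $candidate ($(pem_count "$candidate") certs)"
        # Assumed fix: point the SMTP client at the bundle that exists.
        echo "suggest: postconf -e 'smtp_tls_CAfile=$candidate' && systemctl reload postfix"
        return 1
    fi
    echo "no usable bundle found; check that update-ca-certificates has run"
    return 2
}

diagnose "$SAMPLE" || true
```

On a running system, `postconf -h smtp_tls_CAfile smtp_tls_CApath` shows the values Postfix is actually using, which can be compared with what the log line reports.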
