Log Error, File Nonexistent: /etc/ssl/certs/ca-certificates.crt


Log Error, File Nonexistent: /etc/ssl/certs/ca-certificates.crt

LunarZone
I have another problem with a plesk server using postfix in which I am
seeing the following error in the logs:

Sep 2 17:56:41 boaz postfix/smtp[4234]: warning: TLS library problem: 4234:error:02001002:system library:fopen:No such file or directory:bss_file.c:126:fopen('/etc/ssl/certs/ca-certificates.crt','r'):

I see the reference to /etc/ssl/certs/ca-certificates.crt in main.cf
main.cf > smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

But the file does not exist, the only files in /etc/ssl/certs/ are:
ca-bundle.crt
ca-bundle.trust.crt
localhost.crt
Makefile
Equifax_Secure_CA.pem
Thawte_Premium_Server_CA.pem

Previously I was getting errors while connecting to AOL and Gmail, but someone
resolved that with the Equifax and Thawte files. Other than this error, postfix
seems to be functioning fine.

I am pretty much a Rookie, I can edit files such as main.cf but I do not know what
to put or what to do to resolve this, so if you have an answer please be EXPLICIT.
Any useful assistance is appreciated, thank you.

Free English, Spanish, & Portuguese Ecards for Birthdays, Christmas, Navidad, Valentines, & Love


Re: Log Error, File Nonexistent: /etc/ssl/certs/ca-certificates.crt

Viktor Dukhovni
On Mon, Sep 02, 2013 at 08:04:23PM -0700, FliedRice wrote:

> Sep 2 17:56:41 boaz postfix/smtp[4234]: warning: TLS library problem:
> 4234:error:02001002:system library:fopen:No such file or
> directory:bss_file.c:126:fopen('/etc/ssl/certs/ca-certificates.crt','r'):

The file is missing as reported by Postfix on behalf of the OpenSSL library.

> I see the reference to /etc/ssl/certs/ca-certificates.crt in main.cf
>
> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
>
> But the file does not exist,

And also by you.

> Other than this error, Postfix seems to be functioning fine.

You are not using TLS to send mail, so it goes out over an unencrypted
connection even when the destination supports TLS.

> I do not know what to put or what to do to resolve this, so if you have
> an answer please be EXPLICIT.

explicit:

    main.cf:
        smtp_tls_security_level = may
        #
        # None of the below need non-empty values for opportunistic
        # unauthenticated TLS.  The empty values are in fact default settings
        # for Postfix, but some O/S distributions populate these with large
        # lists of CAs I'd never trust and/or default "snake-oil" client
        # certificates that serve no purpose.
        #
        # Either remove these entirely from main.cf, or set them explicitly
        # to empty values.
        #
        smtp_tls_CAfile =
        smtp_tls_CApath =
        smtp_tls_cert_file =
        smtp_tls_key_file =

At high traffic volumes I would add:

        # Reuse TLS sessions
        #
        scache = btree:${data_directory}/
        smtp_tls_session_cache_database = ${scache}smtp_scache

Read:

        http://www.postfix.org/TLS_README.html#client_tls_may
        http://www.postfix.org/TLS_README.html#client_cert_key
        http://www.postfix.org/TLS_README.html#client_tls_cache

Ralf Hildebrandt and Patrick Koetter wrote a reasonably friendly book
about Postfix, consider obtaining a copy.

--
        Viktor.
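
A check for the condition discussed above, an `smtp_tls_*` parameter naming a file that is not on disk. This is an added example, not part of the original post; the function name `check_tls_paths` and the simplified main.cf parsing are assumptions.

```shell
#!/bin/sh
# Added example: report smtp_tls_* file parameters in a main.cf that point at
# a path which does not exist. Simplified parser (assumption): one
# "name = value" per line, no continuation lines, no $variable expansion.
# On a live host, `postconf -h smtp_tls_CAfile` prints the effective value.
check_tls_paths() {
    conf=$1
    missing=0
    for name in smtp_tls_CAfile smtp_tls_CApath smtp_tls_cert_file smtp_tls_key_file; do
        # Parameters start in column 1; the last assignment wins.
        value=$(sed -n "s/^${name}[[:space:]]*=[[:space:]]*//p" "$conf" |
            tail -n 1 | sed 's/[[:space:]]*$//')
        if [ -z "$value" ]; then
            echo "$name: empty or unset"
        elif [ -e "$value" ]; then
            echo "$name: ok $value"
        else
            echo "$name: MISSING $value"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample reproducing the thread's situation in a scratch directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/main.cf" <<EOF
smtp_tls_security_level = may
smtp_tls_CAfile = $demo_dir/ca-certificates.crt
smtp_tls_cert_file =
EOF
check_tls_paths "$demo_dir/main.cf" || echo "remove or empty the MISSING entries"
rm -rf "$demo_dir"
```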

Re: Log Error, File Nonexistent: /etc/ssl/certs/ca-certificates.crt

LunarZone
I do not know if this is just a strange coincidence or what, but now the google error has returned:
Sep  3 10:22:03 boaz postfix/smtp[19614]: certificate verification failed for gmail-smtp-in.l.google.com[74.125.142.26]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

In looking around it seems to have something to do with this:
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
It has a cert file and a key file, but it's not the one/s in:  /etc/ssl/certs/


Re: Log Error, File Nonexistent: /etc/ssl/certs/ca-certificates.crt

Viktor Dukhovni
On Tue, Sep 03, 2013 at 11:39:28AM -0700, FliedRice wrote:

> I do not know if this is just a strange coincidence or what, but now the
> google error has returned:
> Sep  3 10:22:03 boaz postfix/smtp[19614]: certificate verification failed
> for gmail-smtp-in.l.google.com[74.125.142.26]:25: untrusted issuer
> /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

This is not an error.  It is just informational.  You don't trust
any CAs, so no certificates are verified.

If I recall correctly, sufficiently recent versions of Postfix (I
believe 2.9 or later) don't log this message when TLS is opportunistic
and the smtp_tls_loglevel is 1 or less (the recommended log level
is 1).  If you find this log message annoying, upgrade to Postfix
2.9.7 or 2.10.2.

When remote certificate authenticity is not enforced, there is no
point complaining about it.

--
        Viktor.

Re: Log Error, File Nonexistent: /etc/ssl/certs/ca-certificates.crt

LunarZone
Thanks Viktor, but I believe it does have something to do with my server's ability
to deliver email to Gmail, does it not?
http://productforums.google.com/forum/#!topic/gmail/7QWAO_aunhc

This server has a newsletter program which sends a lot of email to Gmail,
it is important to comply with any needs that Gmail might have in order to
get the email thru.


Re: Log Error, File Nonexistent: /etc/ssl/certs/ca-certificates.crt

Viktor Dukhovni
On Tue, Sep 03, 2013 at 12:24:30PM -0700, FliedRice wrote:

> Thanks Viktor, but I believe it does have something to do with my server's
> ability to deliver email to Gmail, does it not?

No, certificate verification is irrelevant.  Gmail can't know
whether you verified their certificate or not.

> http://productforums.google.com/forum/#!topic/gmail/7QWAO_aunhc
>
> This server has a newsletter program which sends a lot of email to Gmail,
> it is important to comply with any needs that Gmail might have in order to
> get the email thru.

To get legitimate bulk mail delivered to Gmail, outsource your
mailings to a professional bulk email shop.  If you're sending
unsolicited email, you're mostly out of luck.

--
        Viktor.

Re: Log Error, File Nonexistent: /etc/ssl/certs/ca-certificates.crt

LunarZone
It looks like gmail knows plenty to me....
Sep  4 01:23:59 boaz postfix/smtp[16024]: certificate verification failed for gmail-smtp-in.l.google.com[74.125.142.26]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

I have been sending emails from a server for about 10 years in relationship
to my ecard sites. Unfortunately, I had to move to another server due to
network issues and cost factors. I do not need another service to do what
I have been doing for 10 years. I simply need to resolve the existing issues.


Re: Log Error, File Nonexistent: /etc/ssl/certs/ca-certificates.crt

Noel Jones-2
On 9/4/2013 3:27 AM, FliedRice wrote:
> It looks like gmail knows plenty to me....
> Sep  4 01:23:59 boaz postfix/smtp[16024]: certificate verification failed
> for gmail-smtp-in.l.google.com[74.125.142.26]:25: untrusted issuer
> /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

Unless you're configuring a "secure" TLS channel, this isn't really
an error, doesn't affect delivery, and can be safely ignored. Newer
postfix versions automatically suppress this entry on opportunistic
TLS connections.

Are you having other issues still?


  -- Noel Jones

Re: Log Error, File Nonexistent: /etc/ssl/certs/ca-certificates.crt

LuKreme
In reply to this post by LunarZone

On 04 Sep 2013, at 02:27 , FliedRice <[hidden email]> wrote:

> It looks like gmail knows plenty to me....
> Sep  4 01:23:59 boaz postfix/smtp[16024]: certificate verification failed
> for gmail-smtp-in.l.google.com[74.125.142.26]:25: untrusted issuer
> /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

You are misinterpreting that message. It says

"Hey, I tried to verify the cert that google presented and I can't because I don't trust the CA" and it is NOT saying "Hey, google doesn't trust me."

That is, the 'failure' is on your side. As has been pointed out upthread, this is not really an error or a failure, but more an informational message (which is why it is suppressed in later versions of postfix).

--
Love is like oxygen / You get too much / you get too high / Not enough
and you're gonna die


Re: Log Error, File Nonexistent: /etc/ssl/certs/ca-certificates.crt

LunarZone
Thanks for the clarification Noel & LuKreme because there is an AOL one as well...
Sep  3 12:44:24 boaz postfix/smtp[22753]: certificate verification failed for mailin-01.mx.aol.com[205.188.159.42]:25: untrusted issuer /C=US/O=America Online Inc./CN=America Online Root Certification Authority 1

Other than those "messages" postfix seems to be working fine. The thing that gets
me is that this is a newer version of Plesk, the server is only like 3 months old, so
when you say it's suppressed in later versions of postfix, it really makes me wonder
why Plesk does not offer a more updated version initially.

Does anyone know how I can go about suppressing these messages?
I know the one for Google is Equifax & the one for AOL is Thawte.


Re: Log Error, File Nonexistent: /etc/ssl/certs/ca-certificates.crt

Noel Jones-2
On 9/4/2013 12:53 PM, FliedRice wrote:

> Thanks for the clarification Noel & LuKreme because there is an AOL one as
> well...
> Sep  3 12:44:24 boaz postfix/smtp[22753]: certificate verification failed
> for mailin-01.mx.aol.com[205.188.159.42]:25: untrusted issuer
> /C=US/O=America Online Inc./CN=America Online Root Certification Authority 1
>
> Other than those "messages" postfix seems to be working fine. The thing that
> gets me is that this is a newer version of Plesk, the server is only like 3
> months old, so when you say it's suppressed in later versions of postfix, it
> really makes me wonder why Plesk does not offer a more updated version
> initially.

Open a support ticket with Plesk.

>
> Does anyone know how I can go about suppressing these messages?
> I know the one for Google is Equifax & the one for AOL is Thawte.

Most folks just ignore those messages, since they have no importance.

Theoretically you can track down the public root certs and add them
to a file, then point smtp_tls_CAfile to it.

Some distributions offer a root certificate bundle, intended to be
used with web browsers, that can be used as smtp_tls_CAfile. That
bundle may or may not contain the roots for these particular certs.
And many folks intentionally do NOT use the bundle with SMTP, since
it's hard to know exactly what roots are trusted by the system bundle.


  -- Noel Jones