
Log Error, File Nonexistent: /etc/ssl/certs/ca-certificates.crt

  • FliedRice
    Message 1 of 11 , Sep 2, 2013
      I have another problem with a plesk server using postfix in which I am
      seeing the following error in the logs:

      Sep 2 17:56:41 boaz postfix/smtp[4234]: warning: TLS library problem:
      4234:error:02001002:system library:fopen:No such file or
      directory:bss_file.c:126:fopen('/etc/ssl/certs/ca-certificates.crt','r'):

      I see the reference to /etc/ssl/certs/ca-certificates.crt in main.cf
      main.cf > smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

      But the file does not exist, the only files in /etc/ssl/certs/ are:
      ca-bundle.crt
      ca-bundle.trust.crt
      localhost.crt
      Makefile
      Equifax_Secure_CA.pem
      Thawte_Premium_Server_CA.pem

      Previously I was getting errors while connecting to AOL and Gmail, but someone
      resolved that with the Equifax and Thawte files. Other than this error, postfix
      seems to be functioning fine.

      I am pretty much a Rookie, I can edit files such as main.cf but I do not know what
      to put or what to do to resolve this, so if you have an answer please be EXPLICIT.
      Any useful assistance is appreciated, thank you.




      -----
      Free English & Spanish Ecards for Birthdays, Christmas, holidays, love, & just because!
      --
      View this message in context: http://postfix.1071664.n5.nabble.com/Log-Error-File-Nonexistent-etc-ssl-certs-ca-certificates-crt-tp61073.html
      Sent from the Postfix Users mailing list archive at Nabble.com.
    • Viktor Dukhovni
      Message 2 of 11 , Sep 2, 2013
        On Mon, Sep 02, 2013 at 08:04:23PM -0700, FliedRice wrote:

        > Sep 2 17:56:41 boaz postfix/smtp[4234]: warning: TLS library problem:
        > 4234:error:02001002:system library:fopen:No such file or
        > directory:bss_file.c:126:fopen('/etc/ssl/certs/ca-certificates.crt','r'):

        The file is missing as reported by Postfix on behalf of the OpenSSL library.

        > I see the reference to /etc/ssl/certs/ca-certificates.crt in main.cf
        >
        > smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
        >
        > But the file does not exist,

        And also by you.

        > Other than this error, Postfix seems to be functioning fine.

        You are not using TLS to send mail, so it goes out over an unencrypted
        connection even when the destination supports TLS.

        > I do not know what to put or what to do to resolve this, so if you have
        > an answer please be EXPLICIT.

        explicit:

        main.cf:
        smtp_tls_security_level = may
        #
        # None of the below need non-empty values for opportunistic
        # unauthenticated TLS. The empty values are in fact default settings
        # for Postfix, but some O/S distributions populate these with large
        # lists of CAs I'd never trust and/or default "snake-oil" client
        # certificates that serve no purpose.
        #
        # Either remove these entirely from main.cf, or set them explicitly
        # to empty values.
        #
        smtp_tls_CAfile =
        smtp_tls_CApath =
        smtp_tls_cert_file =
        smtp_tls_key_file =

        At high traffic volumes I would add:

        # Reuse TLS sessions
        #
        scache = btree:${data_directory}/
        smtp_tls_session_cache_database = ${scache}smtp_scache

        Read:

        http://www.postfix.org/TLS_README.html#client_tls_may
        http://www.postfix.org/TLS_README.html#client_cert_key
        http://www.postfix.org/TLS_README.html#client_tls_cache

        Ralf Hildebrandt and Patrick Koetter wrote a reasonably friendly book
        about Postfix, consider obtaining a copy.

        --
        Viktor.
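
An added example, not part of Viktor's reply or of Postfix itself: a shell function that reads a main.cf and reports which of the four smtp_tls_* file parameters listed above name a path that does not exist, the condition behind the fopen() warning. It assumes one-line `name = value` settings (no continuation lines, no $variable expansion); `check_tls_paths` is a hypothetical name.

```shell
#!/bin/sh
# Added example (not from the thread): flag main.cf TLS file parameters
# that name a path which does not exist on disk.
check_tls_paths() {
    conf=$1
    status=0
    for param in smtp_tls_CAfile smtp_tls_CApath \
                 smtp_tls_cert_file smtp_tls_key_file; do
        # The last assignment in main.cf wins; lines starting with '#' are comments.
        value=$(awk -v p="$param" '
            /^[ \t]*#/ { next }
            match($0, /^[A-Za-z0-9_]+[ \t]*=/) {
                name = substr($0, 1, RLENGTH)
                sub(/[ \t]*=$/, "", name)
                if (name == p) {
                    v = substr($0, RLENGTH + 1)
                    gsub(/^[ \t]+|[ \t]+$/, "", v)
                }
            }
            END { print v }' "$conf")
        case $value in
            '')   echo "$param: empty (Postfix default, nothing to load)" ;;
            *\$*) echo "$param: $value (uses a \$variable, not expanded here)" ;;
            *)    if [ -e "$value" ]; then
                      echo "$param: $value exists"
                  else
                      echo "$param: $value MISSING"
                      status=1
                  fi ;;
        esac
    done
    return $status
}

# Run against a file given on the command line, e.g. /etc/postfix/main.cf.
if [ $# -gt 0 ]; then
    check_tls_paths "$1"
fi
```

On a live host, `postconf -n` shows the settings Postfix actually reads from main.cf and is the authoritative source for the values checked here.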
      • FliedRice
        Message 3 of 11 , Sep 3, 2013
          I do not know if this is just a strange coincidence or what, but now the
          google error has returned:
          Sep 3 10:22:03 boaz postfix/smtp[19614]: certificate verification failed
          for gmail-smtp-in.l.google.com[74.125.142.26]:25: untrusted issuer
          /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

          In looking around it seems to have something to do with this:
          smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
          It has a cert file and a key file, but it's not the one/s in:
          /etc/ssl/certs/



        • Viktor Dukhovni
          Message 4 of 11 , Sep 3, 2013
            On Tue, Sep 03, 2013 at 11:39:28AM -0700, FliedRice wrote:

            > I do not know if this is just a strange coincidence or what, but now the
            > google error has returned:
            > Sep 3 10:22:03 boaz postfix/smtp[19614]: certificate verification failed
            > for gmail-smtp-in.l.google.com[74.125.142.26]:25: untrusted issuer
            > /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

            This is not an error. It is just informational. You don't trust
            any CAs, so no certificates are verified.

            If I recall correctly, sufficiently recent versions of Postfix (I
            believe 2.9 or later) don't log this message when TLS is opportunistic
            and the smtp_tls_loglevel is 1 or less (the recommended log level
            is 1). If you find this log message annoying, upgrade to Postfix
            2.9.7 or 2.10.2.

            When remote certificate authenticity is not enforced, there is no
            point complaining about it.

            --
            Viktor.
          • FliedRice
            Message 5 of 11 , Sep 3, 2013
              Thanks Victor, but I believe it does have something to do with my server's
              ability to deliver email to Gmail, does it not?
              http://productforums.google.com/forum/#!topic/gmail/7QWAO_aunhc

              This server has a newsletter program which sends a lot of email to Gmail,
              it is important to comply with any needs that Gmail might have in order to
              get the email thru.



            • Viktor Dukhovni
              Message 6 of 11 , Sep 3, 2013
                On Tue, Sep 03, 2013 at 12:24:30PM -0700, FliedRice wrote:

                > Thanks Victor, but I believe it does have something to do with my server's
                > ability to deliver email to Gmail, does it not?

                No, certificate verification is irrelevant. Gmail can't know
                whether you verified their certificate or not.

                > http://productforums.google.com/forum/#!topic/gmail/7QWAO_aunhc
                >
                > This server has a newsletter program which sends a lot of email to Gmail,
                > it is important to comply with any needs that Gmail might have in order to
                > get the email thru.

                To get legitimate bulk mail delivered to Gmail, outsource your
                mailings to a professional bulk email shop. If you're sending
                unsolicited email, you're mostly out of luck.

                --
                Viktor.
              • FliedRice
                Message 7 of 11 , Sep 4, 2013
                  It looks like gmail knows plenty to me....
                  Sep 4 01:23:59 boaz postfix/smtp[16024]: certificate verification failed
                  for gmail-smtp-in.l.google.com[74.125.142.26]:25: untrusted issuer
                  /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

                  I have been sending emails from a server for about 10 years in relationship
                  to my ecard sites. Unfortunately, I had to move to another server due to
                  network issues and cost factors. I do not need another service to do what
                  I have been doing for 10 years. I simply need to resolve the existing
                  issues.



                • Noel Jones
                  Message 8 of 11 , Sep 4, 2013
                    On 9/4/2013 3:27 AM, FliedRice wrote:
                    > It looks like gmail knows plenty to me....
                    > Sep 4 01:23:59 boaz postfix/smtp[16024]: certificate verification failed
                    > for gmail-smtp-in.l.google.com[74.125.142.26]:25: untrusted issuer
                    > /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

                    Unless you're configuring a "secure" TLS channel, this isn't really
                    an error, doesn't affect delivery, and can be safely ignored. Newer
                    postfix versions automatically suppress this entry on opportunistic
                    TLS connections.

                    Are you having other issues still?


                    -- Noel Jones
                  • LuKreme
                    Message 9 of 11 , Sep 4, 2013
                      On 04 Sep 2013, at 02:27 , FliedRice <thepureflow@...> wrote:

                      > It looks like gmail knows plenty to me....
                      > Sep 4 01:23:59 boaz postfix/smtp[16024]: certificate verification failed
                      > for gmail-smtp-in.l.google.com[74.125.142.26]:25: untrusted issuer
                      > /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

                      You are misinterpreting that message. It says

                      "Hey, I tried to verify the cert that google presented and I can't because I don't trust the CA" and it is NOT saying "Hey, google doesn't trust me."

                      That is, the 'failure' is on your side. As has been pointed out upthread, this is not really an error or a failure, but more an informational message (which is why it is suppressed in later versions of postfix).

                      --
                      Love is like oxygen / You get too much / you get too high / Not enough
                      and you're gonna die
                    • FliedRice
                      Message 10 of 11 , Sep 4, 2013
                        Thanks for the clarification Noel & LuKreme because there is an AOL one as
                        well...
                        Sep 3 12:44:24 boaz postfix/smtp[22753]: certificate verification failed
                        for mailin-01.mx.aol.com[205.188.159.42]:25: untrusted issuer
                        /C=US/O=America Online Inc./CN=America Online Root Certification Authority 1

                        Other than those "messages" postfix seems to be working fine. The thing that gets
                        me is that this is a newer version of Plesk, the server is only like 3 months old, so
                        when you say it's suppressed in later versions of postfix, it really makes me wonder
                        why Plesk does not offer a more updated version initially.

                        Does anyone know how I can go about suppressing these messages?
                        I know the one for Google is Equifax & the one for AOL is Thawte.



                      • Noel Jones
                        Message 11 of 11 , Sep 4, 2013
                          On 9/4/2013 12:53 PM, FliedRice wrote:
                          > Thanks for the clarification Noel & LuKreme because there is an AOL one as
                          > well...
                          > Sep 3 12:44:24 boaz postfix/smtp[22753]: certificate verification failed
                          > for mailin-01.mx.aol.com[205.188.159.42]:25: untrusted issuer
                          > /C=US/O=America Online Inc./CN=America Online Root Certification Authority 1
                          >
                          > Other than those "messages" postfix seems to be working fine. The thing that gets
                          > me is that this is a newer version of Plesk, the server is only like 3 months old, so
                          > when you say it's suppressed in later versions of postfix, it really makes me wonder
                          > why Plesk does not offer a more updated version initially.

                          Open a support ticket with Plesk.

                          >
                          > Does anyone know how I can go about suppressing these messages?
                          > I know the one for Google is Equifax & the one for AOL is Thawte.

                          Most folks just ignore those messages, since they have no importance.

                          Theoretically you can track down the public root certs and add them
                          to a file, then point smtp_tls_CAfile to it.

                          Some distributions offer a root certificate bundle, intended to be
                          used with web browsers, that can be used as smtp_tls_CAfile. That
                          bundle may or may not contain the roots for these particular certs.
                          And many folks intentionally do NOT use the bundle with SMTP, since
                          it's hard to know exactly what roots are trusted by the system bundle.


                          -- Noel Jones
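
An added example, not part of the thread: it groups the two kinds of log entry discussed above, treating the fopen() failure as a configuration error and the "untrusted issuer" lines as informational, which per the replies holds when TLS is opportunistic (smtp_tls_security_level = may). The function names are hypothetical, and the sample lines are the thread's wrapped excerpts joined into single lines.

```shell
#!/bin/sh
# Added example (not from the thread): summarise Postfix SMTP-client TLS warnings.

# Constructed sample: the thread's wrapped log excerpts joined into single lines.
sample_log() {
    cat <<'EOF'
Sep 2 17:56:41 boaz postfix/smtp[4234]: warning: TLS library problem: 4234:error:02001002:system library:fopen:No such file or directory:bss_file.c:126:fopen('/etc/ssl/certs/ca-certificates.crt','r'):
Sep 3 10:22:03 boaz postfix/smtp[19614]: certificate verification failed for gmail-smtp-in.l.google.com[74.125.142.26]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Sep 3 12:44:24 boaz postfix/smtp[22753]: certificate verification failed for mailin-01.mx.aol.com[205.188.159.42]:25: untrusted issuer /C=US/O=America Online Inc./CN=America Online Root Certification Authority 1
Sep 4 01:23:59 boaz postfix/smtp[16024]: certificate verification failed for gmail-smtp-in.l.google.com[74.125.142.26]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
EOF
}

# Reads log lines from the named files, or from stdin when none are given.
summarize_tls_warnings() {
    awk -v q="'" '
        / certificate verification failed for .*: untrusted issuer / {
            rest = $0
            sub(/^.* certificate verification failed for /, "", rest)
            host = rest;   sub(/\[.*$/, "", host)
            issuer = rest; sub(/^.*: untrusted issuer /, "", issuer)
            untrusted[host " | " issuer]++
            next
        }
        # OpenSSL could not open a file named in main.cf: a configuration error.
        /TLS library problem:/ && match($0, "fopen\\(" q "[^" q "]+" q) {
            missing[substr($0, RSTART + 7, RLENGTH - 8)]++
        }
        END {
            for (k in missing)
                printf "config-error missing-file %s (%d)\n", k, missing[k]
            for (k in untrusted)
                printf "informational untrusted-issuer %s (%d)\n", k, untrusted[k]
        }' "$@" | sort
}

sample_log | summarize_tls_warnings
```

The issuer names it lists are the roots that would have to be in the file named by smtp_tls_CAfile for those destinations to verify.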