[BlueOnyx:15217] Re: Missing Certificate in /usr/share/ssl/certs/ca-bundle.crt

Michael Stauber mstauber at blueonyx.it
Thu Apr 17 11:58:11 -05 2014


Hi Tobias,

> on some of our servers we use certificates from Startcom. But we have
> the problem on every update of base-email-glue (which was quite often
> in the last weeks) that our manually added intermediate certificate
> is lost. Or we have to set the file immutable. But I don't like to
> maintain more exceptions from standard than necessary.
> 
> Is it possible to just put it into the file carried by BO per default?
> 
> Their certificates can be downloaded here: https://www.startssl.com/certs/.

I looked into it. base-email.mod contains this constructor:

/usr/sausalito/constructor/base/email/syncEmailService.pl

It is run on cced.init restart and also on updates/installs of
base-email-* RPMs. So even on cced.init restarts or reboots you'll have
this issue.

That constructor has this command in it:

/bin/cp /etc/pki/tls/certs/ca-bundle.crt /usr/share/ssl/certs/

So it copies the ca-bundle.crt over to /usr/share/ssl/certs/.

That ca-bundle.crt is provided by this RPM:

[root at 5108r ~]# rpm -q --whatprovides /etc/pki/tls/certs/ca-bundle.crt
ca-certificates-2013.1.95-65.1.el6_5.noarch

Generally this should be no problem at all if you use the GUI to
install the intermediate. In that case it'll not be overwritten.

Or you could add your StartCom intermediate to
/etc/pki/tls/certs/ca-bundle.crt, in which case updates of base-email*
won't drop it either.

But then updates of ca-certificates (which is provided by the OS) might
drop it. But that shouldn't happen that often.

Best way is to add the intermediate in the GUI under "SSL" / "Manage
Certificate Authorities". Do it either for the Vsite where that StartCom
cert is used, or under "Server Management" / "Security" / "SSL" if it's
for the whole server. Sendmail and Dovecot use the AdmServ SSL
certificate as far as SSL is concerned.

-- 
With best regards

Michael Stauber
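The failure mode discussed in this thread is silent: the constructor copies /etc/pki/tls/certs/ca-bundle.crt over /usr/share/ssl/certs/ca-bundle.crt and a hand-added intermediate simply vanishes. The script below is an added example (not from the thread, BlueOnyx or the base-email.mod constructor) that a practitioner can run after a base-email-* update or a cced.init restart to verify that an intermediate is still present in a bundle. It compares each PEM block of the intermediate file verbatim against every block in the bundle, so it needs only awk and grep, no openssl. The file name `startcom-intermediate.pem` and the sample certificate bodies are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# check_intermediate.sh - verify that an intermediate CA certificate (PEM)
# is still contained in a CA bundle after an update overwrote the bundle.
#
# Usage (assumed file name, not something the thread provides):
#   sh check_intermediate.sh startcom-intermediate.pem /usr/share/ssl/certs/ca-bundle.crt
# Exit status 0 = every block of the intermediate is in the bundle, 1 = missing.

# Print each "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----"
# block of file $1 as a single line, lines joined with '|' (never present in
# base64), so whole blocks can be compared with grep -F -x.
pem_blocks() {
  awk '/-----BEGIN CERTIFICATE-----/ { blk = ""; inb = 1 }
       inb                           { blk = blk $0 "|" }
       /-----END CERTIFICATE-----/   { inb = 0; print blk }' "$1"
}

# bundle_contains INTERMEDIATE BUNDLE
# Returns 0 when every certificate block in INTERMEDIATE appears verbatim in
# BUNDLE, 1 when at least one is missing or either file has no PEM block.
bundle_contains() {
  inter_blocks=$(mktemp) || return 2
  bundle_blocks=$(mktemp) || return 2
  pem_blocks "$1" > "$inter_blocks"
  pem_blocks "$2" > "$bundle_blocks"
  rc=0
  if [ ! -s "$inter_blocks" ] || [ ! -s "$bundle_blocks" ]; then
    rc=1            # nothing to compare: treat as "not present"
  elif grep -v -x -F -f "$bundle_blocks" "$inter_blocks" | grep -q .; then
    rc=1            # some block of the intermediate is absent from the bundle
  fi
  rm -f "$inter_blocks" "$bundle_blocks"
  return $rc
}

# make_samples DIR - write constructed sample files into DIR:
#   intermediate.pem     the "manually added" intermediate (placeholder body)
#   bundle-with.crt      a bundle that still carries it
#   bundle-without.crt   the same bundle after the constructor's /bin/cp
# The base64 bodies are placeholders, NOT real certificates.
make_samples() {
  cat > "$1/intermediate.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
U0FNUExFIElOVEVSTUVESUFURSAoTk9UIEEgUkVBTCBDRVJUSUZJQ0FURSk=
-----END CERTIFICATE-----
EOF
  cat > "$1/bundle-without.crt" <<'EOF'
# constructed bundle: only the OS-provided root
-----BEGIN CERTIFICATE-----
U0FNUExFIFJPT1QgKE5PVCBBIFJFQUwgQ0VSVElGSUNBVEUp
-----END CERTIFICATE-----
EOF
  cat "$1/bundle-without.crt" "$1/intermediate.pem" > "$1/bundle-with.crt"
}

# Command-line use: report and exit non-zero when the intermediate is gone.
if [ "$#" -eq 2 ]; then
  if bundle_contains "$1" "$2"; then
    echo "present: $1 is contained in $2"
  else
    echo "MISSING: $1 is not in $2 (re-add it, or install it via the GUI)"
    exit 1
  fi
fi
```

Running it from cron against /usr/share/ssl/certs/ca-bundle.crt turns the silent loss into a visible alert; the same check against /etc/pki/tls/certs/ca-bundle.crt catches the rarer case where a ca-certificates update drops an intermediate added there.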


