
Solving Postfix TLS troubles

written by plaes, on Oct 21, 2009 8:25:00 AM.

Recently a friend who uses our mail server reported that he was having trouble sending email: the first attempt always fails, but the second one succeeds. After a quick look at the logs I immediately spotted a suspect:

postfix/smtpd[31741]: warning: TLS library problem: 31741:error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table:x509_lu.c:348:

A quick check in Gentoo bugzilla turned up bug 254328, which itself was caused by Debian bug 502361. I was already spelling out "success" in my brain, but unfortunately it was short-lived: although this bug was about a similar issue, it was not the same one, because I was having troubles with app-misc/ca-certificates version 20090709, not 20080809 as the bug reports were about. So to figure it out, I tried cleaning up the system certificate store, then successfully regenerated the list of hashed certs (no duplicates). But postfix was still failing... In fact, this was the only thing using SSL certificates that was failing.

So I started to investigate postfix itself. As the problem was about certs, I looked into its certificate directory and found an extra file there: cacert.org-class3.pem. DOH! Mystery solved? I quickly fired up the text editor, loaded postfix's main configuration file and commented out

#smtpd_tls_CAfile = /etc/ssl/domains/{...}/cacert.org-class3.pem

Reloaded postfix, did the TLS check, checked the logs... Everything worked - problem solved!

Postmortem about this issue: it turns out that app-misc/ca-certificates-20090709 now includes CAcert's root certificate in its list. Of course, this is good news, because I have been using CAcert as my certificate provider for a long time. But previously, in order to avoid warnings about an unknown issuer, I was manually supplying their root certificate to postfix. Which meant that after the update postfix suddenly saw two identical certs. Unfortunately Gentoo currently lacks a mechanism for storing local certificates. But there's an open bug report about it... Stay tuned. ;)
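The root cause above, a certificate present both in the system CA bundle and in the file named by smtpd_tls_CAfile, can be checked for before postfix complains. The script below is an added example (not from the original post) that fingerprints every certificate in each PEM bundle and reports any that appear more than once; the file paths and the certificate bodies are constructed for the demonstration, so on a real system you would point it at the bundles postfix actually loads.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Matches one PEM-encoded certificate; re.S lets '.' span the base64 lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(text):
    """Return the SHA-256 fingerprint (over the DER bytes) of each cert in a PEM bundle."""
    fingerprints = []
    for body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()))
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def find_duplicates(bundles):
    """bundles: mapping of file name -> PEM text.

    Returns {fingerprint: [file, ...]} for every certificate that occurs more
    than once, whether in two different files (the postfix case) or twice in
    the same file (the Gentoo/Debian hashed-list case)."""
    seen = defaultdict(list)
    for name, text in bundles.items():
        for fp in pem_fingerprints(text):
            seen[fp].append(name)
    return {fp: names for fp, names in seen.items() if len(names) > 1}


def make_pem(der):
    """Wrap raw bytes as a PEM certificate block (used to build sample input)."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


# Hypothetical paths; the second stands in for the file the post commented out.
SYSTEM_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
CAFILE = "/etc/ssl/domains/example/cacert.org-class3.pem"

# Constructed stand-ins for DER certificate bodies (not real certificates).
ROOT_A = b"constructed root certificate A"
ROOT_B = b"constructed root certificate B"

SAMPLE_BUNDLES = {
    SYSTEM_BUNDLE: make_pem(ROOT_A) + make_pem(ROOT_B),  # system list now carries ROOT_A
    CAFILE: make_pem(ROOT_A),                            # local copy of the same root
}

if __name__ == "__main__":
    for fp, names in find_duplicates(SAMPLE_BUNDLES).items():
        print(f"duplicate cert {fp[:16]}... found in: {', '.join(names)}")
```

With real files, read each path named by `postconf smtpd_tls_CAfile` and the system bundle into the mapping instead of SAMPLE_BUNDLES.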