After upgrading from Fedora 43 to 44, dnf update started failing on the CrowdSec repo:
Curl error (77): Problem with the SSL CA cert (path? access rights?)
for https://packagecloud.io/crowdsec/crowdsec/...
[error adding trust anchors from file: /etc/pki/tls/certs/ca-bundle.crt]What happened
Fedora 44 dropped the legacy certificate bundle files as part of the droppingOfCertPemFile change. /etc/pki/tls/certs/ca-bundle.crt no longer exists. OpenSSL now uses a directory-hash format instead. The CrowdSec repo file installed via packagecloud.io hardcodes that path.
Fix
Edit /etc/yum.repos.d/crowdsec_crowdsec.repo and update sslcacert in both [crowdsec_crowdsec] and [crowdsec_crowdsec-source] sections:
# before
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
# after
sslcacert=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pemThat’s it. dnf update works again.
Worth knowing
Fedora does provide a temporary workaround (update-ca-trust extract --rhbz2387674) that restores the old files, but it gets wiped on every ca-certificates update so it’s not worth relying on.
Other packages hardcoding ca-bundle.crt will hit the same issue. Prosody and Postfix are two known ones.