diff --git a/prosody-0.9.8-config.patch b/prosody-0.9.8-config.patch
index fd8cc06..9cf318c 100644
--- a/prosody-0.9.8-config.patch
+++ b/prosody-0.9.8-config.patch
@@ -106,3 +106,24 @@ comments about optional dependencies and finally includes some upstream recommen
 +-- all config files in /etc/prosody/conf.d/
 +
 +Include "conf.d/*.cfg.lua"
+--- prosody-0.9.8/core/certmanager.lua 2015-03-24 20:18:04.000000000 +0100
++++ prosody-0.9.8/core/certmanager.lua.config 2015-07-13 20:31:28.000000000 +0200
+@@ -31,7 +31,8 @@
+ 
+ -- Global SSL options if not overridden per-host
+ local default_ssl_config = configmanager.get("*", "ssl");
+-local default_capath = "/etc/ssl/certs";
++local default_capath = "/etc/pki/tls/certs";
++local default_cafile = "/etc/pki/tls/certs/ca-bundle.crt";
+ local default_verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none";
+ local default_options = { "no_sslv2", "no_sslv3", "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil };
+ local default_verifyext = { "lsec_continue", "lsec_ignore_purpose" };
+@@ -64,7 +65,7 @@
+ password = user_ssl_config.password or function() log("error", "Encrypted certificate for %s requires 'ssl' 'password' to be set in config", host); end;
+ certificate = resolve_path(config_path, user_ssl_config.certificate);
+ capath = resolve_path(config_path, user_ssl_config.capath or default_capath);
+- cafile = resolve_path(config_path, user_ssl_config.cafile);
++ cafile = resolve_path(config_path, user_ssl_config.cafile or default_cafile);
+ verify = user_ssl_config.verify or default_verify;
+ verifyext = user_ssl_config.verifyext or default_verifyext;
+ options = user_ssl_config.options or default_options;
diff --git a/prosody-0.9.8-rhel5.patch b/prosody-0.9.8-rhel5.patch
index 6a4a1a8..fbe1ed6 100644
--- a/prosody-0.9.8-rhel5.patch
+++ b/prosody-0.9.8-rhel5.patch
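Review bot: `cafile = resolve_path(config_path, user_ssl_config.cafile or default_cafile)` makes the system bundle the trust store behind the default `verify = { "peer", "client_once" }`, and a host that sets `cafile = false` to rely on `capath` alone still gets the bundle, because `false or default_cafile` yields the default; if opting out is not meant to be possible, that deserves a sentence in the patch description. The reason for the new default also belongs next to `default_cafile`, e.g. `-- Fedora/RHEL keep the CA trust store in one bundle file rather than a hashed capath directory, so peer verification needs cafile`. The absolute default is passed through `resolve_path`, which presumably returns absolute paths unchanged, but that helper and the rest of `create_context` lie outside the hunk. The same two default lines reappear as context in prosody-0.9.8-rhel5.patch below, so any later edit here has to be mirrored there.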
@@ -7,17 +7,17 @@ Prosody upstream tries to determine them by the LuaSec version - risky, because
 shipping LuaSec 0.4.1 since ever, but still had no support for the "no_ticket" option.
 --- prosody-0.9.8/core/certmanager.lua 2015-03-24 20:18:04.000000000 +0100
-+++ prosody-0.9.8/core/certmanager.lua.rhel5 2015-05-05 00:47:21.000000000 +0200
-@@ -33,7 +33,7 @@
- local default_ssl_config = configmanager.get("*", "ssl");
- local default_capath = "/etc/ssl/certs";
++++ prosody-0.9.8/core/certmanager.lua.rhel5 2015-07-13 20:35:33.000000000 +0200
+@@ -34,7 +34,7 @@
+ local default_capath = "/etc/pki/tls/certs";
+ local default_cafile = "/etc/pki/tls/certs/ca-bundle.crt";
  local default_verify = (ssl and ssl.x509 and { "peer", "client_once", }) or "none";
 -local default_options = { "no_sslv2", "no_sslv3", "cipher_server_preference", luasec_has_noticket and "no_ticket" or nil };
 +local default_options = { "no_sslv2", "no_sslv3", "cipher_server_preference" };
  local default_verifyext = { "lsec_continue", "lsec_ignore_purpose" };
  if ssl and not luasec_has_verifyext and ssl.x509 then
-@@ -56,6 +56,7 @@
+@@ -57,6 +57,7 @@
  if not ssl then return nil, "LuaSec (required for encryption) was not found"; end
  if not user_ssl_config then return nil, "No SSL/TLS configuration present for "..host; end
@@ -25,7 +25,7 @@ shipping LuaSec 0.4.1 since ever, but still had no support for the "no_ticket" o
  local ssl_config = {
  mode = mode;
-@@ -69,7 +70,6 @@
+@@ -70,7 +71,6 @@
  verifyext = user_ssl_config.verifyext or default_verifyext;
  options = user_ssl_config.options or default_options;
  depth = user_ssl_config.depth;
diff --git a/prosody.spec b/prosody.spec
index 9e0a096..663fe48 100644
--- a/prosody.spec
+++ b/prosody.spec
@@ -5,7 +5,7 @@ Summary: Flexible communications server for Jabber/XMPP
 Name: prosody
 Version: 0.9.8
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: MIT
 Group: System Environment/Daemons
 URL: https://prosody.im/
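Review bot: The rebased context in `@@ -7,17 +7,17 @@` now carries the `default_cafile` line that prosody-0.9.8-config.patch introduces, so this patch only applies on top of that one, and the visible part of the description does not record the ordering dependency. A line in the description above the first `---` header, e.g. `Must be applied after prosody-0.9.8-config.patch, which supplies the default_capath/default_cafile context.`, would make the next rebase safer. The `@@ -25,7 +25,7 @@` hunk is the same line-number shift and needs nothing further. The ordering is presumably enforced by the `%patch` sequence in prosody.spec, but the `%patch0` line is outside this diff.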
@@ -60,6 +60,7 @@ added functionality, or prototype new protocols.
 %if 0%{?rhel} == 5
 %patch1 -p1
 %endif
+rm -f core/certmanager.lua.config
 %build
 # CFLAG -D_GNU_SOURCE requires fallocate() which requires GLIBC >= 2.10
@@ -217,6 +218,9 @@ fi
 %{_mandir}/man1/%{name}*.1*
 %changelog
+* Wed Jul 15 2015 Robert Scheck 0.9.8-4
+- Change default CA paths to /etc/pki/tls/certs(/ca-bundle.crt)
+
 * Wed Jul 01 2015 Robert Scheck 0.9.8-3
 - Fixed the wrong logrotate configuration to not use a wildcard
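Review bot: `rm -f core/certmanager.lua.config` runs after `%endif` with nothing saying where that file comes from; the name matches the `+++ …certmanager.lua.config` header in prosody-0.9.8-config.patch, so it is presumably a `%patch … -b .config` backup, but the `%patch0` invocation is outside the hunk. A comment on the line, e.g. `# drop the .config backup left behind by %patch0 so it is not picked up later in the build`, would stop it reading as dead code; if the backup is not needed, removing the `-b` suffix from that `%patch` line would remove the need for the rm entirely. The `%changelog` hunk needs no change.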