HummingbirdUK main logo

Coding solutions to business problems

About us

We use code to create solutions to business challenges, bottle-necks and headaches.

If you think your business has a problem that can be solved through code, we are happy to chat things through without any obligation.

Get in touch

SSL CA cert problem (path? access rights?)

Home / Blog / SSL CA cert problem (path? access rights?)

Written by Giles Bennett

UPDATED 17/01/2015

When this article was originally written in September 2014, it held true for the issue seen. On 16th January 2015, however, a broken update caused the same issue, but with wider implications, and a simple restart of Apache / Nginx / PHP-FPM or a reboot of the server wouldn't fix it.

To test if your server is affected by the broken update, run

sudo yum update

If, in the resultant output, you see the 'Problem with the SSL CA cert (path? access rights?)' warning, then the issue is a failed update of the NSS package, which will need to be installed manually.

The procedure is as follows. First download the relevant package for your server. For 64bit / x86_64 servers it's :

wget ftp://195.220.108.108/linux/centos/6.6/updates/x86_64/Packages/nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm

For 32bit / i686 servers it's

wget ftp://195.220.108.108/linux/centos/6.6/updates/i386/Packages/nss-softokn-freebl-3.14.3-19.el6_6.i686.rpm

Unpack it. For 64bit / x86_64 :

sudo rpm2cpio nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm | cpio -idmv

For 32bit / i686 :

 rpm2cpio nss-softokn-freebl-3.14.3-19.el6_6.i686.rpm | cpio -idmv

Move the package to the correct location. For 64bit / x86_64 :

sudo cp ./lib64/libfreeblpriv3.* /lib64

For 32bit / i686 :

cp ./lib/libfreeblpriv3.* /lib

Finally, run the yum udpate process again :

sudo yum update

All being well, yum will update without errors. That being the case, run a precautionary reboot of your web server, but otherwise you should be good to go.

ORIGINAL ARTICLE

Two separate Magento clients reported issues with payment this afternoon - on one, attempts to pay via Paypal were being rejected, and on the other, attempts to pay via Sagepay were failing. Nothing had been changed on either site for some time.

The Paypal error

On the first with the customers being returned to the cart page with the error 'Unable to communicate with the PayPal gateway'. Magento's exception logged showed :

exception 'Exception' with message 'PayPal NVP CURL connection error #77: Problem with the SSL CA cert (path? access rights?)' in /obscured/app/code/core/Mage/Paypal/Model/Api/Nvp.php:972

The Sagepay error

On the second site, payments via Sagepay were being rejected with orphan transactions being left behind with the error 'Problem with the SSL CA cert (path? access rights?). A connection error prevented your order from being saved'.

In the Connection_errors log, an entry stated :

2014-09-28 18:34:04.000000 (1411925644.5796) ALERT: Problem with the SSL CA cert (path? access rights?)

The answer

Both instances were on separate servers, but the issues started at around the same time, which was a little too coincidental for our liking. Further digging revealed that both sites' hosts had updated Bash in response to the Shellshock vulnerability, but neither had restarted their web and / or PHP implementations since doing so. Simply restarting the web server (Apache for one, Nginx for the other) and their PHP implementation (PHP-FPM in both instances) resolved the issue.

Author : Giles Bennett

About the author

Giles Bennett built his first website in 1996, and is old enough to miss Netscape Navigator. Initially a lawyer, he jumped ship to IT in 2008, and after 5 years as a freelancer, he founded HummingbirdUK in 2013. He can be reached by email at giles@hummingbirduk.com.