Problem with the SSL CA cert (path? access rights?)

UPDATED 17/01/2015

When this article was originally written in September 2014, it held true for the issue seen. On 16th January 2015, however, a broken update caused the same issue, but with wider implications, and a simple restart of Apache / Nginx / PHP-FPM or a reboot of the server wouldn’t fix it.

To test if your server is affected by the broken update, run

sudo yum update

If, in the resultant output, you see the “Problem with the SSL CA cert (path? access rights?)” warning, then the issue is a failed update of the NSS package, which will need to be installed manually.

The procedure is as follows. First download the relevant package for your server. For 64bit / x86_64 servers it’s :

wget ftp://195.220.108.108/linux/centos/6.6/updates/x86_64/Packages/nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm

For 32bit / i686 servers it’s

wget ftp://195.220.108.108/linux/centos/6.6/updates/i386/Packages/nss-softokn-freebl-3.14.3-19.el6_6.i686.rpm

Unpack it. For 64bit / x86_64 :

sudo rpm2cpio nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm | cpio -idmv

For 32bit / i686 :

rpm2cpio nss-softokn-freebl-3.14.3-19.el6_6.i686.rpm | cpio -idmv

Copy the unpacked library files to the correct location. For 64bit / x86_64 :

sudo cp ./lib64/libfreeblpriv3.* /lib64

For 32bit / i686 :

sudo cp ./lib/libfreeblpriv3.* /lib

Finally, run the yum update process again :

sudo yum update

All being well, yum will update without errors. That being the case, run a precautionary reboot of your web server, but otherwise you should be good to go.
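The package in the procedure above is fetched over plain FTP from a numeric IP address and its libraries are then copied into a system library directory, so it is worth checking the RPM's signature before unpacking it. The script below is an added example, not part of the original article; it assumes a working rpm binary on the host where the check is run and that the CentOS 6 signing key has already been imported, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): refuse to unpack an RPM unless
# `rpm -K` reports a verified signature. Assumes the CentOS 6 key was imported:
#   rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

# sig_line_ok LINE: classify one line of `rpm -K` output.
# Typical shapes (constructed samples):
#   signed, key known : "pkg.rpm: rsa sha1 (md5) pgp md5 OK"
#   unsigned          : "pkg.rpm: sha1 md5 OK"      (digests only)
#   key missing / bad : "pkg.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK ..."
sig_line_ok() {
    case $1 in
        *"NOT OK"*) return 1 ;;          # a digest or signature check failed
    esac
    body=${1##*: }                       # drop the "filename: " prefix
    case $body in
        *" OK") ;;                       # the result line must end in OK
        *) return 1 ;;
    esac
    # Lowercase pgp/gpg (or "signatures" on newer rpm) means a signature was
    # present and verified; digests alone say nothing about who built the file.
    printf '%s\n' "$body" | grep -Eq '(^|[ (])(pgp|gpg|signatures)([ )]|$)'
}

# verify_rpm FILE: return 0 only for a package with a verified signature.
verify_rpm() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available" >&2; return 3; }
    out=$(rpm -K "$1" 2>&1)
    sig_line_ok "$out" || { echo "REJECTED: $out" >&2; return 1; }
    echo "verified: $out"
}

# Usage: sh verify.sh nss-softokn-freebl-3.14.3-19.el6_6.x86_64.rpm
if [ $# -gt 0 ]; then
    verify_rpm "$1" || exit 1
fi
```

Run it against the downloaded file and continue with the rpm2cpio step only if it exits 0.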

ORIGINAL ARTICLE

Two separate Magento clients reported issues with payment this afternoon – on one, attempts to pay via Paypal were being rejected, and on the other, attempts to pay via Sagepay were failing. Nothing had been changed on either site for some time.

The Paypal error

On the first site, customers were being returned to the cart page with the error “Unable to communicate with the PayPal gateway”. Magento’s exception log showed :

exception 'Exception' with message 'PayPal NVP CURL connection error #77: Problem with the SSL CA cert (path? access rights?)' in /obscured/app/code/core/Mage/Paypal/Model/Api/Nvp.php:972

The Sagepay error

On the second site, payments via Sagepay were being rejected with orphan transactions being left behind with the error “Problem with the SSL CA cert (path? access rights?). A connection error prevented your order from being saved”.

In the Connection_errors log, an entry stated :

2014-09-28 18:34:04.000000 (1411925644.5796) ALERT: Problem with the SSL CA cert (path? access rights?)

The answer

Both instances were on separate servers, but the issues started at around the same time, which was a little too coincidental for our liking. Further digging revealed that both sites’ hosts had updated Bash in response to the Shellshock vulnerability, but neither had restarted their web and / or PHP implementations since doing so. Simply restarting the web server (Apache for one, Nginx for the other) and their PHP implementation (PHP-FPM in both instances) resolved the issue.
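One way to find services that have not been restarted since a package update is to look for processes that still map shared libraries which have since been replaced on disk. The script below is an added example, not part of the original article; it assumes a Linux /proc filesystem, should be run as root to see every process, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): list processes still mapping shared
# libraries that were replaced on disk, i.e. candidates for a restart after
# a package update.

# stale_libs MAPSFILE: print the unique "(deleted)" .so paths in one
# /proc/<pid>/maps-format file. Non-library deleted mappings such as
# "/dev/zero (deleted)" or SysV shared memory are ignored.
stale_libs() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\.so/ { print $(NF-1) }' "$1" | sort -u
}

# scan_procs [PROCROOT]: one line per affected process: pid, name, libraries.
# PROCROOT defaults to /proc; a different root is accepted for offline review
# of a copied tree.
scan_procs() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue            # process exited or not readable
        libs=$(stale_libs "$maps" 2>/dev/null | tr '\n' ' ')
        [ -n "$libs" ] || continue
        dir=${maps%/maps}
        name=$(cat "$dir/comm" 2>/dev/null)   # may be absent on old kernels
        printf '%s\t%s\t%s\n' "${dir##*/}" "${name:-?}" "$libs"
    done
}

# Usage: sudo sh stale.sh scan
if [ "${1:-}" = "scan" ]; then
    scan_procs
fi
```

Any web server or PHP-FPM process in the output is still running code from before the update and should be restarted.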

20 comments

  • Tony

    after much hair pulling – a simple restart nginx/php-fpm resolved… many thanks

    • Giles (author)

      Tony,

      No problem.

      Kind regards,

      Giles

  • Twan van Beers

    Brilliant, just had this issue on CentOS running Magento 1.7.0.2 and connecting to PayPal. Kept getting the error Unable to Communicate with PayPal Gateway. Downloading a fresh CA cert bundle coupled with the above sorted me out. Thanks a bunch, you have saved me many hours of frustration!

    • Giles (author)

      Twan,

      No problem.

      Kind regards,

      Giles

  • Paul kelly

    Thanks for this – it solved an issue I had with the Joomla Joocial (AutoTweetNG) plugin, affecting social media posting.

  • Pierre

    Thank you so much
    I’ve been struggling with that issue for 3 days!

    • Giles (author)

      Pierre,

      You’re welcome.

      Kind regards,

      Giles

  • Dylan Garton

    Thanks for the clear solution, all sorted.

  • Will Preston

    You may find it to be an update to NSS causing failure on CentOS. Test by running yum update and see if you get errors, curl also creates this error. Solution is simple enough just install NSS manually.

    • Giles (author)

      Will,

      The article was correct as written, but you’re right, a wider issue arose yesterday because of a broken update which caused the same symptoms, but with wider implications. We will update the article accordingly.

      Kind regards,

      Giles

      • Andrew Taylor

        Thank you very much for posting the fix. It’s disappointing that CentOS didn’t distribute this information themselves as it’s caused chaos here.

        • Giles (author)

          Andrew,

          Indeed – there and many many other places. Glad you found it helpful.

          Kind regards,

          Giles

  • Janos

    You are the saviour! I’ve been tearing my code apart for the fifth time… Thank God you came to the rescue, I was about to give up.

  • Terry

    The issue appears related to the latest update for NSS not playing nicely with libcurl. It is not related to the bash update.

    • Giles (author)

      Are you positive on that, Terry, as the only update performed on either server in the week preceding the issue arising was to bash, not any NSS-related packages.

  • Mark Leighton

    Thanks a million… you helped us out of a HUGE hole.

    THANK YOU!!!

  • Nico

    Very helpful tips! Not using PayPal or your hosting, but same problem using CURL, although control options are set to false.
    curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,0);
    curl_setopt($ch,CURLOPT_SSL_VERIFYHOST,0);

    A reboot resolved it. Thx a lot!

  • Dominic Knight

    Thanks, I’ve been banging my head for the last 12 hrs trying to figure out what the issue was, appreciated

  • ananth

    Phew… what a coincidence… hit a nail on the head.. thanks for this.

  • Josh Carcione

    Thanks! Saved me a lot of time.
