
prince 6 CA cert file location

thecowster
Hi there

We have a host on which we run prince 6 and prince 9. Some of our older apps are using prince 6, whereas newer apps that needed newer features were upgraded to use prince 9. Recently one of our older apps had its SSL cert changed to a SHA256 cert. We added the new CA cert to /etc/pki/tls/certs/ca-bundle.crt, but prince 6 fails to generate the PDF, reporting:
SSL certificate problem, verify that the CA cert is OK

With prince 9 on the same host the PDF is generated without any problem. We can successfully fetch the page using curl (and no params except the url) on the same host. So curl and prince 9 have no problems with SSL algorithms or certs here.

Does prince 6 look for CA certs in a different file to /etc/pki/tls/certs/ca-bundle.crt?

Unfortunately modifying how we invoke prince 6 is not an option at this time. (If we could do that we would just switch the app over to prince 9)

Thanks
Andy
thecowster
I just realised I could use the --ssl-ca-cert option to test prince 6 behaviour with the above ca-bundle.crt file, but I still get the same error:
error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I suspect I am now missing something obvious ... If curl works and we know we can point prince at a file containing the right CA cert, this should surely work.
mikeday
Depending on which build of Prince you are using, it is possible that it is statically linked with an older version of libcurl / OpenSSL.
thecowster
Thanks for the quick response. Our prince-6 was installed with a dynamically linked build:

/usr/local/lib/prince/bin/prince: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.0, stripped

Should a dynamically-linked prince 6 be able to support SHA256 SSL certificates, when the local openssl supports them?
mikeday
I would have thought so. Can you run ldd on the binary and check what it is linked to?
thecowster
Thanks for the hint. Using ldd I find the following list of libraries being used (dynamically):

[fts@princexml1.test pdfgen]$ ldd /usr/local/lib/prince/bin/prince
linux-gate.so.1 => (0x00b6d000)
libpthread.so.0 => /lib/libpthread.so.0 (0x0096f000)
libz.so.1 => /lib/libz.so.1 (0x0068d000)
libpng12.so.0 => /usr/lib/libpng12.so.0 (0x001a0000)
libtiff.so.4 => /usr/lib/libtiff.so.4 (0x00bb9000)
libjpeg.so.62 => /usr/lib/libjpeg.so.62 (0x00771000)
libdl.so.2 => /lib/libdl.so.2 (0x001c8000)
libfontconfig.so.1 => /usr/lib/libfontconfig.so.1 (0x00464000)
libexpat.so.1 => /lib/libexpat.so.1 (0x003c7000)
libfreetype.so.6 => /usr/lib/libfreetype.so.6 (0x00e14000)
libm.so.6 => /lib/libm.so.6 (0x00d10000)
libc.so.6 => /lib/libc.so.6 (0x001cd000)
/lib/ld-linux.so.2 (0x00fc0000)


I don't see curl mentioned in that lib list. (Maybe it's packaged in one of those libs though ...)
mikeday
I think we must have linked statically with curl, perhaps because the system version was too old at the time, I don't recall. Which Prince package did you install, and which distribution are you running?
thecowster
Prince package: When we installed this (years ago) we did not use an rpm (do not recall why). There is now no link between the binary and an rpm file.

Distribution: Centos 6

I wonder, could it be possible to make a dynamically-linked version of prince-6 available for Centos 6?

Thanks
Andy
mikeday
Perhaps; we will need to wake up the code from cold storage first, as we have not touched it since 2009. :)
thecowster
No need to do that just yet - we found another way to solve this in the end.
mikeday
yay! :D
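
The ldd output in this thread lists no libcurl or libssl, which is what prompted the static-linking guess. The following is an added example, not part of the original thread or of Prince itself, showing one way to confirm that guess by searching the binary for the version banners those libraries embed. The function names and the sample bytes are constructed, and the banner formats `libcurl/<version>` and `OpenSSL <version>` are assumed to be present in the build.

```shell
#!/bin/sh
# Added example: find TLS/HTTP libraries compiled into a binary.
# ldd only lists shared objects, so statically linked code must be
# located by searching the file's own bytes for version banners.

# embedded_tls_banners FILE -> distinct banners, one per line
embedded_tls_banners() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 2; }
    # -a: treat binary data as text; -o: print only the matched banner.
    # Assumed formats: "libcurl/7.19.0", "OpenSSL 0.9.8e".
    { LC_ALL=C grep -a -o -E \
        'libcurl/[0-9]+\.[0-9]+\.[0-9]+|OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' \
        "$1" || true; } | LC_ALL=C sort -u
}

# linkage FILE SONAME BANNER_PREFIX -> dynamic | static | absent
linkage() {
    if ldd "$1" 2>/dev/null | grep -q "$2"; then
        echo dynamic        # resolved from the system at run time
    elif embedded_tls_banners "$1" | grep -q "^$3"; then
        echo static         # frozen at build time; system updates do not reach it
    else
        echo absent
    fi
}

# make_constructed_sample FILE
# Writes a fake binary for demonstration. The version numbers are
# constructed sample values, not taken from any Prince build.
make_constructed_sample() {
    printf '\177ELF\0\0junk\0libcurl/7.19.0\0pad\0OpenSSL 0.9.8e 23 Feb 2007\0SSLv3 part of OpenSSL 0.9.8e 23 Feb 2007\0end' > "$1"
}

# Usage: sh script.sh /path/to/binary
if [ -n "${1:-}" ]; then
    embedded_tls_banners "$1"
    echo "libcurl: $(linkage "$1" libcurl 'libcurl/')"
    echo "OpenSSL: $(linkage "$1" libssl 'OpenSSL ')"
fi
```

A result of `static` means that updating the system's libcurl or OpenSSL packages does not change the code the binary uses for certificate verification.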