
Intermittent SSL CA Cert Error when Requesting AWS S3 files

mattm
I am generating a PDF file using Prince via an HTML document which is populated dynamically with URLs of images on S3. Occasionally some of the images do not appear (usually only 1 or 2 out of 8 images in total). When I check the log file, I notice these images are giving the error message "warning: Problem with the SSL CA cert (path? access rights?)"

This prompted me to search these forums for similar messages, and I came across the option to specify the path of the CA cert. When I did this, none of the images were displayed and there was an error message in the Prince log for each one of them.

When I set the --insecure flag, all of the images appear, but I would rather have the images being retrieved securely.
mikeday
mattm
Yes, I came across those questions and tried restarting Apache, but to no avail.
mikeday
Which Prince package have you installed, and do you get similar error messages when running the "curl" utility on the same URLs?
mattm
I have Prince 10 rev 4 installed. I don't get any messages like this when I make a curl request, here is the verbose output of a curl request:

* Trying 54.231.142.43...
* Connected to s3-eu-west-1.amazonaws.com (54.231.142.43) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
* subject: CN=*.s3-eu-west-1.amazonaws.com,O=Amazon.com Inc.,L=Seattle,ST=Washington,C=US
* start date: Sep 10 00:00:00 2015 GMT
* expire date: Sep 14 12:00:00 2016 GMT
* common name: *.s3-eu-west-1.amazonaws.com
* issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
> GET /[bucket-name]/617-FBBD07BE-9041-B443-2D0D-069AF181D3D4.jpg-800.jpg HTTP/1.1
> User-Agent: curl/7.29.0
> Host: s3-eu-west-1.amazonaws.com
> Accept: */*
>
< HTTP/1.1 200 OK
< x-amz-id-2: oNNiZ+/QACNoALN7XmaYz7NmPPC+xWqVFtlj/NnKG8XXfxwDBzyPy8iksEslMCBCoq7hFD2iDP8=
< x-amz-request-id: 80BDF217BD7AD6DD
< Date: Wed, 10 Feb 2016 08:24:06 GMT
< Last-Modified: Mon, 08 Feb 2016 11:08:24 GMT
< ETag: "ac27cc99d13ba5e761ec0a5b8d625a65"
< Accept-Ranges: bytes
< Content-Type: image/jpeg
< Content-Length: 165715
< Server: AmazonS3
<
{ [data not shown]
100 161k 100 161k 0 0 370k 0 --:--:-- --:--:-- --:--:-- 371k
* Connection #0 to host s3-eu-west-1.amazonaws.com left intact

I spotted the CAfile is specified in this output, so I edited the getCommandLine method of the prince.php file and added the following to the command: --ssl-cacert=/etc/pki/tls/certs/ca-bundle.crt

This change made no difference; the images are intermittently failing to appear in the output PDF.


mikeday
Since the failure is only intermittent, does the curl command ever fail if run repeatedly?

Can you check which version of libcurl Prince is linking to by running ldd on the Prince binary (eg. /usr/lib/prince/bin/prince)?
mattm
I have tried running the same command 15-20 times and the result is the same each time.

ldd output is:
libcurl.so.4 => /lib64/libcurl.so.4
mikeday
Is the curl binary linked to the same version of libcurl?
mikeday
Oh, also it might be helpful to try running Prince with the --no-parallel-downloads option, to confirm that it is not a multi-threading issue.
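The checks mikeday suggests in the posts above (fetch the same URL repeatedly with curl and the CA bundle, compare the libcurl that the Prince binary and curl resolve via ldd, count the CA warnings in the Prince log), collected into one POSIX shell script. This is an added example, not code from the thread or from Prince; the binary path and CA bundle path are the ones quoted in the thread, the Prince log line format used in the comments is constructed, and curl's exit codes 60 and 77 are curl's documented values.

```shell
#!/bin/sh
# Added diagnostic script (not from the thread): the checks suggested above.
PRINCE_BIN=/usr/lib/prince/bin/prince        # real binary; /usr/bin/prince is a wrapper script
CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt   # the CAfile curl reported in the thread

# Extract the resolved libcurl path from ldd output read on stdin
# (e.g. "libcurl.so.4 => /lib64/libcurl.so.4 (0x...)" -> /lib64/libcurl.so.4).
libcurl_from_ldd() {
    sed -n 's/^[[:space:]]*libcurl\.so[^ ]* => \([^ ]*\).*/\1/p' | head -n 1
}

# Succeed only when two saved ldd outputs resolve libcurl to the same file.
same_libcurl() {
    a=$(libcurl_from_ldd < "$1")
    b=$(libcurl_from_ldd < "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Count the CA warnings Prince writes to its log (assumed: one warning per line).
count_ca_warnings() {
    grep -c 'Problem with the SSL CA cert' "$1" || true
}

# Fetch one URL repeatedly with the explicit CA bundle and print how many attempts
# failed certificate verification (curl exit 60) or could not read the CA file (77).
fetch_loop() { # usage: fetch_loop URL COUNT
    fails=0
    i=0
    while [ "$i" -lt "$2" ]; do
        curl -sS -o /dev/null --cacert "$CA_BUNDLE" "$1" || case $? in
            60|77) fails=$((fails + 1)) ;;
        esac
        i=$((i + 1))
    done
    echo "$fails"
}

# Run the libcurl comparison on a live system when both binaries are present.
if [ -x "$PRINCE_BIN" ] && command -v curl >/dev/null 2>&1; then
    tmpdir=$(mktemp -d)
    ldd "$PRINCE_BIN" > "$tmpdir/prince.ldd"
    ldd "$(command -v curl)" > "$tmpdir/curl.ldd"
    if same_libcurl "$tmpdir/prince.ldd" "$tmpdir/curl.ldd"; then
        echo "prince and curl share $(libcurl_from_ldd < "$tmpdir/prince.ldd")"
    else
        echo "prince and curl link different libcurl builds; compare their TLS backends"
    fi
    rm -rf "$tmpdir"
fi
```

If `fetch_loop URL 20` reports zero failures while the Prince log still shows CA warnings, the TLS stack itself is verifying fine and the difference lies in how Prince drives it (for example its parallel downloads), which is what the `--no-parallel-downloads` comparison isolates.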
mirzac
I had the same issue with "Prince 20160602" and "Prince 10r7" on Centos 7 and Mac OS X.

After disabling parallel downloads (--no-parallel-downloads) everything worked fine.
MattKelly
We are experiencing the same problem with Prince 10r7-1 (prince-10r7-1.centos6.x86_64.rpm) on Amazon Linux. For the moment we have edited the PHP wrapper to append the "-no-parallel-downloads" flag but we're not happy with it as a long term solution. Is it on your agenda to fix the issue?
mikeday
Do you get the same problem when not running on Amazon Linux?
MattKelly
All our servers are running Amazon Linux, so we haven't encountered this on a different OS.
MattKelly
ldd reports that prince is not a dynamic executable, and ldd on curl reports that it is linked to libcurl.so.4
mikeday
Note that /usr/bin/prince is a shell script, the actual binary is located at /usr/lib/prince/bin/prince and should be dynamically linked.
MattKelly
Oops, silly me. OK, prince is linked to libcurl.so.4, which is the same file as the one linked to by curl.
mikeday
We will investigate this issue.
MattKelly
Thank you
mikeday
We are trying to investigate this intermittent SSL issue on Amazon S3 and so far we are struggling to reproduce the problem. Does anyone have a URL we could test against?
MattKelly
I can provide some URLs for you. Could I send them to you directly rather than posting on here please?
mikeday
Sure, my email is mikeday@yeslogic.com. It would also help to just confirm exactly which Prince version and operating system / distribution you are using. :)
MattKelly
I've just sent you the URLs and details by email.
mikeday
It turns out there was a bug in NSS, the latest builds of Prince include a workaround which should fix the problem; it has also been patched upstream and will be available in future updates to NSS and curl.
MattKelly
Thanks for the update. We'll give it a try.
MattKelly
Just wanted to let you know that we've now been running the fix in production for a few weeks, and everything is working nicely. Thank you for your work in fixing this.