Please update ca-certificates on Trusty

ca-certificates is now updated in all stable releases:

http://www.ubuntu.com/usn/usn-2913-1/

This update seems to have broken our web app that uses some popular libraries that depend on curl() and use their cacert.pem files (provided with the given library) to verify the connection.

Please note that it can be that effectively running an "apt-get update; apt-get upgrade" (or having autoupdates enabled) breaks web apps that use these popular libraries (and maybe other libraries with similar age / setup).

Exact reason unknown. Surprising problem, seeing that the libraries try to use their own cacerts. Restoring the last known good ca-certificates package and holding it fixes the problem (I guess disabling the check in PHP would also do) but I reckon these are just temporary solutions.

$ uname -a
Linux [REDACTED] 3.2.0-88-generic #126-Ubuntu SMP Mon Jul 6 21:33:03 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

$ php -v
PHP 5.3.10-1ubuntu3.21 with Suhosin-Patch (cli) (built: Oct 28 2015 01:43:56)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies

$ curl -V
curl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP

(excerpt from /var/log/apt/history.log)
Start-Date: 2016-02-26 06:36:41
Upgrade: libgnutls26:amd64 (2.12.14-5ubuntu3.11, 2.12.14-5ubuntu3.12), libssl-dev:amd64 (1.0.1-4ubuntu5.33, 1.0.1-4ubuntu5.34), libssl-doc:amd64 (1.0.1-4ubuntu5.33, 1.0.1-4ubuntu5.34), openssl:amd64 (1.0.1-4ubuntu5.33, 1.0.1-4ubuntu5.34), ca-certificates:amd64 (20141019ubuntu0.12.04.1, 20160104ubuntu0.12.04.1), libssl1.0.0:amd64 (1.0.1-4ubuntu5.33, 1.0.1-4ubuntu5.34)
End-Date: 2016-02-26 06:36:52

Error message: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Libraries known to be affected:
- Mailchimp API library for PHP. Exact version unknown; Mailchimp.php probably as of March 2014, filesize 13593 bytes.
- Rackspace Cloud Files API library for PHP. Exact version unknown; cloudfiles.php probably as of May 2010, filesize 77154 bytes.

FTR, our hotfix was:
- Going on a machine that has the same OS version and does not have the patch installed yet
- sudo apt-get install dpkg-repack; sudo dpkg-repack ca-certificates
- Copying the generated .deb file to the affected server and installing it
- apt-mark hold ca-certificates

It'd be great if someone could identify the root cause of this and either provide a fix or communicate the effects of applying this patch to the community.

Did you restart your server after the update in order to use the new version of libssl?

Ummm... no :) We'll test this, thanks!

Is a full OS reboot necessary or restarting the web server is enough?

You need to restart everything that uses libssl, perhaps only the web server, you'll see when you try it.

Thanks for your quick response. We'll try it and report back.

We've tested it and you were right, an Apache restart was needed after the patch is installed, and it fixed the problem.

Our service provider pointed out a couple of other services depending on libssl, restarting more services, and said a reboot is probably necessary to make sure syslog-ng is working well.